IV should be randomness and unpredictable #789

Open
wwwwwwill opened this issue Feb 18, 2019 · 1 comment

Comments

@wwwwwwill

When using client-side encryption, for one encrypted library, the IV is stored and the client program always uses this one IV to encrypt and decrypt different files. Reusing an IV is unsafe and should not be done; the IV should be random and unpredictable. (CWE-329: https://cwe.mitre.org/data/definitions/329.html)

These are debug details for three different files when decrypting them on the client (Android) side:
File1: Cipher@7029
2019-02-18 12 45 04
File2: Cipher@7074
2019-02-18 12 46 06
File3: Cipher@7097
2019-02-18 12 47 07
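
The leak the report describes, as an added example that is not part of the original issue or the project's code: with one stored IV per library, two files that begin with the same bytes produce identical leading ciphertext blocks, while a fresh random IV stored with each file removes that. It assumes AES in CBC mode (the mode CWE-329 covers; the issue does not name the mode), and the class `IvReuseDemo`, its methods and the sample file contents are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration (hypothetical class, not project code). Assumes AES-CBC.
public class IvReuseDemo {
    static final int BLOCK = 16; // AES block size in bytes

    static Cipher cbc(int mode, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c;
    }

    // Per-file IV: draw a fresh random IV and store it in front of the ciphertext.
    static byte[] encryptWithFreshIv(byte[] key, byte[] plain) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        byte[] ct = cbc(Cipher.ENCRYPT_MODE, key, iv).doFinal(plain);
        byte[] out = Arrays.copyOf(iv, BLOCK + ct.length); // IV, then room for ciphertext
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        return out;
    }

    // Reads the IV back from the first block of the stored blob.
    static byte[] decryptWithStoredIv(byte[] key, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOf(blob, BLOCK);
        return cbc(Cipher.DECRYPT_MODE, key, iv).doFinal(blob, BLOCK, blob.length - BLOCK);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32], libraryIv = new byte[BLOCK];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key);
        rng.nextBytes(libraryIv);
        // Constructed sample files that share their first 32 bytes (two AES blocks).
        String header = "HEADER: payroll-export format v2";
        byte[] f1 = (header + " alice 4100").getBytes(StandardCharsets.UTF_8);
        byte[] f2 = (header + " bob 3900").getBytes(StandardCharsets.UTF_8);
        // One IV for the whole library: equal plaintext prefixes give equal ciphertext prefixes.
        byte[] a = cbc(Cipher.ENCRYPT_MODE, key, libraryIv).doFinal(f1);
        byte[] b = cbc(Cipher.ENCRYPT_MODE, key, libraryIv).doFinal(f2);
        System.out.println("library IV, prefixes equal: " + Arrays.equals(Arrays.copyOf(a, 32), Arrays.copyOf(b, 32)));
        // Fresh IV per file: the same comparison on the ciphertext bodies no longer matches.
        byte[] x = encryptWithFreshIv(key, f1), y = encryptWithFreshIv(key, f2);
        System.out.println("per-file IV, prefixes equal: " + Arrays.equals(Arrays.copyOfRange(x, BLOCK, BLOCK + 32), Arrays.copyOfRange(y, BLOCK, BLOCK + 32)));
        System.out.println("round trip ok: " + Arrays.equals(f1, decryptWithStoredIv(key, x)));
    }
}
```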

@freeplant
Member

After releasing version 7.0, we will use a different IV for different libraries. But for a single library, the same IV will be used for different libraries, as it requires too much effort to use a different IV for every file.

As a single library can only be accessed by shared and trusted users, it should be safe enough.
