Static IV used in AES-GCM

[choseogyeong]

Hi, I found a potential security issue in your encryption code.

The AES-GCM mode uses a static IV (b"0" * 16) when no IV is provided:
iv = iv or b"0" * BLOCK_SIZE

Using a fixed IV in AES-GCM is insecure. It breaks the guarantees of confidentiality and integrity if reused with the same key.

Please consider generating a random IV (e.g., os.urandom(12)) for each encryption to follow best practices.

Thanks.

[localstack-bot]

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Support if you are a licensed user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines.

[viren-nadkarni]

Duplicate of #10602

[HarshCasper]

Due to the forthcoming changes in our distribution and development model (read more), this issue tracker is no longer being maintained, and this issue is now being closed. If you'd like us to take a look or need further support, please reach out through one of our support channels:

• 💬 GitHub Discussions
• 📖 Help & Support