SEC-1751: Encryptors.queryableText(String String) is not useable in present state #1985

Closed
spring-issuemaster opened this Issue May 21, 2011 · 2 comments

1 participant

@spring-issuemaster

Keith Donald (Migrated from SEC-1751) said:

The role of Encryptors.queryableText(String, String) is to allow for data to be encrypted for storage, then for the data to be queried against in its encrypted form. A good example of the need for this is the storage of OAuth Consumer Keys. Such keys should be encrypted when stored, and need to be queried when applications request authorization.

For this to work, the same message e.g. "6048b75ed560785c" must produce the same cipher text each time e.g. "5e37a66db5d48321050d17365d4f4e6fd217caade54d777bbecf6a458036e34b6fcbf0bebf2aa2a03ca5d5171ba5de7a"
. Unfortunately, this is not happening beyond container restarts since the "shared" initialization vector is initialized each time a queryable TextEncryptor instance is constructed.

The following simple test case demonstrates the issue:

    @Test
    public void test() {
        TextEncryptor encryptor = Encryptors.queryableText("password", "salt");
        System.out.println(encryptor.encrypt("6048b75ed560785c"));
        System.out.println(encryptor.encrypt("6048b75ed560785c"));
    }

Each time this test case is run, across all VM instances, the cipher text should be the same. If you run it more than once, you'll see the cipher text change. This is not correct behavior.

The fix is most likely to not apply an iV at all for a "queryable" TextEncryptor.

@spring-issuemaster

Keith Donald said:

Attached is a patch to AesBytesEncryptor that resolves this issue by making the iv optional. If a iv generator is not specified, no iv is appended to the cipher text.

@spring-issuemaster

Luke Taylor said:

Patch applied.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment