
SEC-1751: Encryptors.queryableText(String, String) is not usable in present state #1985

spring-issuemaster opened this Issue May 21, 2011 · 2 comments


Keith Donald (Migrated from SEC-1751) said:

The role of Encryptors.queryableText(String, String) is to allow for data to be encrypted for storage, then for the data to be queried against in its encrypted form. A good example of the need for this is the storage of OAuth Consumer Keys. Such keys should be encrypted when stored, and need to be queried when applications request authorization.

For this to work, the same message e.g. "6048b75ed560785c" must produce the same cipher text each time e.g. "5e37a66db5d48321050d17365d4f4e6fd217caade54d777bbecf6a458036e34b6fcbf0bebf2aa2a03ca5d5171ba5de7a". Unfortunately, this is not happening beyond container restarts since the "shared" initialization vector is initialized each time a queryable TextEncryptor instance is constructed.

The following simple test case demonstrates the issue:

    public void test() {
        TextEncryptor encryptor = Encryptors.queryableText("password", "salt");
        // Print the cipher text for the message quoted above; compare it across runs.
        System.out.println(encryptor.encrypt("6048b75ed560785c"));
    }

Each time this test case is run, across all VM instances, the cipher text should be the same. If you run it more than once, you'll see the cipher text change. This is not correct behavior.

The fix is most likely to not apply an IV at all for a "queryable" TextEncryptor.
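The mechanism behind this report, as an added example in Go rather than Spring's Java code (this is not the project's implementation): AES-CBC with a fixed IV gives the deterministic, equality-queryable ciphertext the issue asks for, while a fresh IV per encryptor instance, prepended to the output, changes the ciphertext on every restart. The key is supplied directly (Spring derives it from the password and salt; that step is omitted here), the IV in the deterministic case is all zeros, and the message is the one quoted in the report. The 48-byte cipher text quoted above is consistent with a 16-byte IV followed by 32 bytes of padded AES-CBC output; the deterministic form is 32 bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed 256-bit key for the demonstration (Spring derives its key from the
// password and salt passed to Encryptors.queryableText; this example skips that).
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// The message quoted in the issue.
const demoMessage = "6048b75ed560785c"

// pkcs7Pad pads to a whole number of blocks (PKCS#5/#7 padding, as AES/CBC/PKCS5Padding does).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips PKCS#7 padding.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("invalid padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt runs AES-CBC with the caller-supplied IV and returns only the ciphertext.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// cbcDecrypt reverses cbcEncrypt for the same key and IV.
func cbcDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

// QueryableEncrypt is the deterministic mode the issue asks for: a fixed all-zero IV,
// so equal plaintexts under the same key always give equal ciphertext and a stored
// value can be found by an equality query. The cost is that the ciphertext reveals
// which stored records hold the same plaintext.
func QueryableEncrypt(key, plaintext []byte) ([]byte, error) {
	return cbcEncrypt(key, make([]byte, aes.BlockSize), plaintext)
}

// QueryableDecrypt recovers the plaintext of a QueryableEncrypt ciphertext.
func QueryableDecrypt(key, ciphertext []byte) ([]byte, error) {
	return cbcDecrypt(key, make([]byte, aes.BlockSize), ciphertext)
}

// RandomizedEncrypt models the reported behaviour: a fresh IV per encryptor instance
// (here per call), prepended to the ciphertext. Confidentiality is stronger, but the
// same message no longer maps to a stable ciphertext, so lookups fail after a restart.
func RandomizedEncrypt(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

func main() {
	a, _ := QueryableEncrypt(demoKey, []byte(demoMessage))
	b, _ := QueryableEncrypt(demoKey, []byte(demoMessage))
	fmt.Println("fixed IV, two instances equal:", bytes.Equal(a, b), hex.EncodeToString(a))
	c, _ := RandomizedEncrypt(demoKey, []byte(demoMessage))
	d, _ := RandomizedEncrypt(demoKey, []byte(demoMessage))
	fmt.Println("fresh IV, two instances equal:", bytes.Equal(c, d))
}
```

Running it shows the fixed-IV ciphertext identical across calls (and across process restarts, since nothing random enters it) and the random-IV ciphertext different each time. Because the deterministic form exposes plaintext equality, it is appropriate only for fields that genuinely must be matched in encrypted form, as the report describes for stored consumer keys.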

Keith Donald said:

Attached is a patch to AesBytesEncryptor that resolves this issue by making the IV optional. If an IV generator is not specified, no IV is appended to the cipher text.

Luke Taylor said:

Patch applied.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
