[guardian-dev] ### Two Open Source Apps for data protection ###

Michael Rogers michael at briarproject.org
Wed May 7 09:32:58 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/05/14 01:27, Jose Damico wrote:
> Symetric encryption:
> 
> AES (CBC/PKCS5Padding) Blowfish (CFB/NoPadding) The Initialization
> Vectors are generated based on unique data from the smartphone.

Hi Jose,

This isn't secure. CryptoUtils.enc() uses the same IV every time it's
called. Also, the IV is based on Utils.getDeviceData(), which will
return the same value on phones of the same model.

It would be better to generate a unique random IV each time, and store
the IV alongside the ciphertext.

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJTajYKAAoJEBEET9GfxSfMVLMH/2m+7+7ecgFTK5kPsNvL9E9Q
MOldc4aV3UYsxN+723ZxBfSJ3IuBKZBdezvi1J5swZca0phsJyODrNuhiQe2d06e
I/Mezn+rpQAggNdx2jVo4EQfVz6bDCy0ch4M+jMkcgWkJINHLrPmWk1Lvm7SkTfQ
kIdcxJ0/gfkL+ugnDBZHYKhSPTE7BJDy7Y0vSxV1Zfu8UPdwSGzfLupMAxjwv65f
SF+MCi+FX3M1jcirH6u0ZlLmPWt4LPeUkvddQWxpRr/VxBAwxdg+vd7wsLuSyU+J
IJM9XXTxgdXzQtI80+c/gvS05VlysL1NCGLLqDFd0lIjzQ1h9ltKrAIPxre7SwI=
=yPx1
-----END PGP SIGNATURE-----


More information about the Guardian-dev mailing list