powered by Jive Software

Initialization vectors should be randomly generated for proper security guarantees


#1

As part of some research about the common crypto mistakes that developers make, I noticed that your application has one of them.

In AesEncryptor.cipher you’re initializing a Cipher instance with a static IV which is insecure.

One possible solution would be to generate the initialization vector using SecureRandom:

byte[] iv = new byte[16];
new SecureRandom().nextBytes(iv);

#2

I don’t know this stuff, but i have filed this so it won’t get overlooked. Maybe someone will take a look at it. https://issues.igniterealtime.org/browse/OF-1533