Initialization vectors should be randomly generated

Description

In AesEncryptor.cipher you’re initializing a Cipher instance with a static IV2 which is insecure.

One possible solution would be to generate the initialization vector using SecureRandom:

Environment

None

Activity

Show:
Greg Thomas
July 9, 2018, 7:16 PM

On reflection, each property should have it's own IV, so the PR adds a column to the DB to save it.

Greg Thomas
July 9, 2018, 11:47 AM

Unfortunately, it is not quite as simple as the ticket suggests; the IV is required to decrypt the text, too - which means it must be persisted, presumably in `conf/security.xml`.

wroot
April 15, 2018, 6:56 AM

Assigned this to gdt as he is usually checking security issues. Feel free to reassign to Dave or leave it unassigned.

Fixed