Some cryptographic suggestions #6202

Open
Gax-c opened this issue Apr 30, 2024 · 5 comments
@Gax-c

Gax-c commented Apr 30, 2024

No description provided.

@Gax-c
Author

Gax-c commented Apr 30, 2024

  1. Hardcoded Key and IV
    We've found that the key and IV are hardcoded in the code here, but it seems they have been abandoned according to another issue here.
    But in the file AesEncryptUtil.java the key and IV are still used here, so I wonder if there is any problem.
    ```java
    private static String KEY = EncryptedString.key;
    private static String IV = EncryptedString.iv;
    ```

@Gax-c
Author

Gax-c commented Apr 30, 2024

  1. Broken algorithm
    The algorithm used in file PasswordUtil.java here is PBEWithMD5AndDES. But this algorithm is regarded as insecure because both MD5 and DES are considered to be weak.
    ```java
    public static final String ALGORITHM = "PBEWithMD5AndDES";
    ```

@Gax-c
Author

Gax-c commented Apr 30, 2024

  1. SHA1withRSA and AES/ECB insecure
    These two algorithms are used in file SecurityTools.java here and here.
```java
public class SecurityTools {
    public static final String ALGORITHM = "AES/ECB/PKCS5Padding";

    public static SecurityResp valid(SecurityReq req) {
        SecurityResp resp=new SecurityResp();
        String pubKey=req.getPubKey();
        String aesKey=req.getAesKey();
        String data=req.getData();
        String signData=req.getSignData();
        RSA rsa=new RSA(null, Base64Decoder.decode(pubKey));
        Sign sign= new Sign(SignAlgorithm.SHA1withRSA,null,pubKey);
```

The code uses SHA1withRSA for the signature verification, which is an outdated algorithm with known weaknesses and no longer recommended for use.
AES encryption in ECB mode is not recommended for use in cryptographic protocols because it does not provide serious message confidentiality.

@zhangdaiscott
Member

zhangdaiscott commented May 11, 2024

zj

@EightMonth
Contributor

What you said is very instructive, but unfortunately, the Jeecg open source team is not good at security engineering, so we can only provide basic security protection. Also, because Jeecg is an open source project, and when it comes to using security algorithms, we have achieved a small amount of changes to complete security algorithm changes, so we more advocate that you can modify the algorithm and choose a security algorithm that fits your field.
