Encryptor + AES + key size


Encryptor + AES + key size

Colm O hEigeartaigh
Hi all,

When AES is used as the cipher algorithm, and if the supplied secret key
length is < 16, Encryptor prints the debug message:

"actualKey too short, adding some random characters"

However the random characters are just 0s. I think instead we should be
using some random bytes instead! Optionally we could also impose a minimum
acceptable size on the secret key length, and throw an exception if it does
not match this.

WDYT?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Encryptor + AES + key size

ilgrosso
Administrator
On 17/07/2017 16:32, Colm O hEigeartaigh wrote:

> Hi all,
>
> When AES is used as the cipher algorithm, and if the supplied secret key
> length is < 16, Encryptor prints the debug message:
>
> "actualKey too short, adding some random characters"
>
> However the random characters are just 0s. I think instead we should be
> using some random bytes instead! Optionally we could also impose a minimum
> acceptable size on the secret key length, and throw an exception if it does
> not match this.
>
> WDYT?


+1

Shall we fix this also on 1_2_X (besides 2_0_X and master)?

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Encryptor + AES + key size

Colm O hEigeartaigh
Yes why not. I will take care of it. What do you think about imposing a
size constraint on the secret key length as well?

Colm.

On Mon, Jul 17, 2017 at 3:34 PM, Francesco Chicchiriccò <[hidden email]> wrote:

> On 17/07/2017 16:32, Colm O hEigeartaigh wrote:
>
>> Hi all,
>>
>> When AES is used as the cipher algorithm, and if the supplied secret key
>> length is < 16, Encryptor prints the debug message:
>>
>> "actualKey too short, adding some random characters"
>>
>> However the random characters are just 0s. I think instead we should be
>> using some random bytes instead! Optionally we could also impose a minimum
>> acceptable size on the secret key length, and throw an exception if it does
>> not match this.
>>
>> WDYT?
>>
>
>
> +1
>
> Shall we fix this also on 1_2_X (besides 2_0_X and master)?
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Encryptor + AES + key size

ilgrosso
Administrator
On 17/07/2017 16:38, Colm O hEigeartaigh wrote:
> Yes why not. I will take care of it. What do you think about imposing a
> size constraint on the secret key length as well?

I don't have any strong opinion WRT this, I'll trust your experience,
then :-)

Regards.

> On Mon, Jul 17, 2017 at 3:34 PM, Francesco Chicchiriccò <[hidden email]> wrote:
>
>> On 17/07/2017 16:32, Colm O hEigeartaigh wrote:
>>
>>> Hi all,
>>>
>>> When AES is used as the cipher algorithm, and if the supplied secret key
>>> length is < 16, Encryptor prints the debug message:
>>>
>>> "actualKey too short, adding some random characters"
>>>
>>> However the random characters are just 0s. I think instead we should be
>>> using some random bytes instead! Optionally we could also impose a minimum
>>> acceptable size on the secret key length, and throw an exception if it does
>>> not match this.
>>>
>>> WDYT?
>> +1
>>
>> Shall we fix this also on 1_2_X (besides 2_0_X and master)?
>>
>> Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
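
The three options discussed in this thread (the existing zero padding, padding with random bytes, and a minimum-length check that throws), side by side as an added example. This is not Syncope's Encryptor code: the class and method names, the sample keys and the choice to use only the first 16 bytes are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.spec.SecretKeySpec;

public class AesKeyLengthDemo {
    static final int AES_128_KEY_BYTES = 16;

    // Behaviour described in the thread: missing key bytes are filled with 0s.
    static byte[] zeroPad(byte[] supplied) {
        return Arrays.copyOf(supplied, AES_128_KEY_BYTES);
    }

    // First proposal: fill the missing bytes from a CSPRNG instead.
    static byte[] randomPad(byte[] supplied) {
        byte[] key = new byte[AES_128_KEY_BYTES];
        new SecureRandom().nextBytes(key);
        System.arraycopy(supplied, 0, key, 0, Math.min(supplied.length, key.length));
        return key;
    }

    // Second proposal: refuse a key below the minimum size.
    static SecretKeySpec requireMinimumLength(byte[] supplied) {
        if (supplied.length < AES_128_KEY_BYTES) {
            throw new IllegalArgumentException("AES secret key is " + supplied.length
                + " bytes; at least " + AES_128_KEY_BYTES + " are required");
        }
        // Assumption of this example: only the first 16 bytes are used (AES-128).
        return new SecretKeySpec(supplied, 0, AES_128_KEY_BYTES, "AES");
    }

    public static void main(String[] args) {
        byte[] shortKey = "s3cret".getBytes(StandardCharsets.UTF_8); // constructed sample
        // Zero padding is deterministic: 10 of the 16 key bytes are a known constant.
        System.out.println("zero-padded:   " + Arrays.toString(zeroPad(shortKey)));
        // Random padding differs on every call, so the padded key has to be
        // stored and reused or earlier ciphertext can no longer be decrypted.
        System.out.println("random stable: " + Arrays.equals(randomPad(shortKey), randomPad(shortKey)));
        try {
            requireMinimumLength(shortKey);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:      " + e.getMessage());
        }
        byte[] longKey = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // constructed sample
        System.out.println("accepted:      " + requireMinimumLength(longKey).getEncoded().length + " bytes");
    }
}
```

Of the three, only the length check gives the same result on every start without leaving part of the key predictable, because it pushes the requirement back to whoever configures the secret.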
