You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We are security researchers at Digit Institute in Germany. While reviewing [chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/api/controller/ncx/cipher/Navicat12Cipher.java] code, we identified two security issues:
1. Hardcoded Key (line 20)
AES_KEY = new SecretKeySpec("libcckeylibcckey".getBytes(StandardCharsets.UTF_8), "AES");
The key is hardcoded. Anyone with access to the code or documentation knows the key.
No password, no salt, no dynamic derivation or key strengthening (e.g., PBKDF2).
Security Risk: Compromising the key compromises all encrypted data.
2. Hardcoded IV & CBC Mode (line 21)
AES_IV = new IvParameterSpec("libcciv libcciv ".getBytes(StandardCharsets.UTF_8));
The IV is also static and reused for all encryption.
In AES/CBC/PKCS5Padding, a random IV per encryption is required for security.
Security Risk: Using a static IV undermines CBC security, leaks patterns, and permits chosen-plaintext attacks.
Recommendations:
For all new code, never use hardcoded keys or IVs.
Use secure key derivation (PBKDF2, scrypt, Argon2) from user input, with salt and high iteration count.
Always generate and store a random IV per encryption operation.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
We are security researchers at Digit Institute in Germany. While reviewing [chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/api/controller/ncx/cipher/Navicat12Cipher.java] code, we identified two security issues:
1. Hardcoded Key (line 20)
AES_KEY = new SecretKeySpec("libcckeylibcckey".getBytes(StandardCharsets.UTF_8), "AES");The key is hardcoded. Anyone with access to the code or documentation knows the key.
No password, no salt, no dynamic derivation or key strengthening (e.g., PBKDF2).
Security Risk: Compromising the key compromises all encrypted data.
2. Hardcoded IV & CBC Mode (line 21)
AES_IV = new IvParameterSpec("libcciv libcciv ".getBytes(StandardCharsets.UTF_8));The IV is also static and reused for all encryption.
In AES/CBC/PKCS5Padding, a random IV per encryption is required for security.
Security Risk: Using a static IV undermines CBC security, leaks patterns, and permits chosen-plaintext attacks.
Recommendations:
For all new code, never use hardcoded keys or IVs.
Use secure key derivation (PBKDF2, scrypt, Argon2) from user input, with salt and high iteration count.
Always generate and store a random IV per encryption operation.
Beta Was this translation helpful? Give feedback.
All reactions