[GH-ISSUE #188] Security issue with the new encryption support #169

Closed
opened 2026-03-03 11:37:41 +03:00 by kerem · 0 comments
Owner

Originally created by @harryzcy on GitHub (Mar 15, 2023).
Original GitHub issue: https://github.com/Finb/Bark/issues/188

Initialization vector shouldn't be fixed in the setting, as it is vulnerable to chosen plaintext attacks. IV is not secret and is ok to be public. The important thing is not to reuse IV in multiple requests.

The correct practice is to have IV generated by crypto-secure random generator by the client, and to be included in payload along with other data.

From [Wikipedia](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation):

> An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. For most block cipher modes it is important that an initialization vector is never reused under the same key, i.e. it must be a [cryptographic nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce). Many block cipher modes have stronger requirements, such as the IV must be [random](https://en.wikipedia.org/wiki/Random) or [pseudorandom](https://en.wikipedia.org/wiki/Pseudorandom).

More links:

- [Why is using a Non-Random IV with CBC Mode a vulnerability?](https://stackoverflow.com/questions/3008139/why-is-using-a-non-random-iv-with-cbc-mode-a-vulnerability)
- [CBC with a fixed or random IV](https://crypto.stackexchange.com/questions/22260/cbc-with-a-fixed-or-random-iv)
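The following is an added example illustrating the point made in this issue; it is not code from the Bark project or from the issue author. It assumes AES-128 in CBC mode with PKCS#7 padding (the issue does not say which mode Bark uses, and the two links above discuss CBC), and the key, the fixed IV and the two notification messages are constructed demo values. `EncryptFixedIV` reproduces the flawed design (one IV from settings reused for every message), `EncryptRandomIV`/`DecryptRandomIV` implement the fix the issue asks for (fresh IV from a CSPRNG per message, carried in the clear as the first block of the payload), and `FirstBlocksEqual` is the observer's check that shows what a fixed IV leaks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad appends PKCS#7 padding so the result is a whole number of blocks.
func pkcs7Pad(msg []byte, bs int) []byte {
	n := bs - len(msg)%bs
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates PKCS#7 padding.
func pkcs7Unpad(msg []byte, bs int) ([]byte, error) {
	if len(msg) == 0 || len(msg)%bs != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(msg[len(msg)-1])
	if n == 0 || n > bs {
		return nil, errors.New("bad padding")
	}
	for _, b := range msg[len(msg)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return msg[:len(msg)-n], nil
}

// EncryptFixedIV reproduces the flawed design the issue describes: the same
// IV, taken from settings, is reused for every message under the same key.
func EncryptFixedIV(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one block long")
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptRandomIV is the fix: a fresh IV from crypto/rand for each message,
// sent in the clear as the first block of the payload. The IV is public; only
// its uniqueness per key matters.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	payload := make([]byte, bs+len(padded))
	iv := payload[:bs]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(payload[bs:], padded)
	return payload, nil
}

// DecryptRandomIV reads the IV back out of the payload, so nothing about the
// IV has to be configured on the receiving side.
func DecryptRandomIV(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(payload) < 2*bs || len(payload)%bs != 0 {
		return nil, errors.New("payload too short or not block aligned")
	}
	iv, ct := payload[:bs], payload[bs:]
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	return pkcs7Unpad(padded, bs)
}

// FirstBlocksEqual is the observer's check: under a fixed IV, two plaintexts
// that share their first block yield an identical first ciphertext block, so
// anyone seeing the traffic learns that two notifications start the same way,
// and a chosen-plaintext attacker can confirm guesses one block at a time.
func FirstBlocksEqual(a, b []byte) bool {
	return len(a) >= aes.BlockSize && len(b) >= aes.BlockSize &&
		bytes.Equal(a[:aes.BlockSize], b[:aes.BlockSize])
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real one
	iv := []byte("fedcba9876543210")  // the kind of fixed IV a settings page would hold
	// Two constructed notifications sharing a 16-byte prefix ("title=Build OK; ").
	m1 := []byte("title=Build OK; body=deploy done")
	m2 := []byte("title=Build OK; body=rolled back")
	c1, _ := EncryptFixedIV(key, iv, m1)
	c2, _ := EncryptFixedIV(key, iv, m2)
	fmt.Println("fixed IV, first ciphertext blocks equal:", FirstBlocksEqual(c1, c2))
	r1, _ := EncryptRandomIV(key, m1)
	r2, _ := EncryptRandomIV(key, m1) // the very same message, encrypted twice
	fmt.Println("random IV, first ciphertext blocks equal:",
		FirstBlocksEqual(r1[aes.BlockSize:], r2[aes.BlockSize:]))
	pt, err := DecryptRandomIV(key, r1)
	fmt.Println("roundtrip ok:", err == nil && bytes.Equal(pt, m1))
}
```

With the fixed IV the first line prints `true`; with a per-message IV the same plaintext encrypts differently every time and the receiver still recovers it. Note that this only addresses IV reuse: CBC without a MAC is still malleable, so an AEAD mode (for example AES-GCM with a unique nonce) is the usual next step once the IV handling is fixed.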
kerem closed this issue 2026-03-03 11:37:42 +03:00