8000
Encryption algorithm AES/ECB/NoPadding is broken and not secure · Issue #1 · zx63/TronWallet · GitHub
More Web Proxy on the site http://driver.im/
You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Thanks for sharing the repository and it's a nice one.
I noticed one issue - the src/main/java/org/tron/common/crypto/SymmEncoder.java class uses AES/ECB/NoPadding as the AES encryption/decryption algorithm. However, the ECB mode is not secure since it's vulnerable to reply attacks.
A modern algorithm like AES/GCM/NoPadding is preferred as shown in the Java 11 JSEE Guide.
Please consider to replace the broken crypto algorithm with a stronger one.
Hi @zx63,
Thanks for sharing the repository and it's a nice one.
I noticed one issue - the
src/main/java/org/tron/common/crypto/SymmEncoder.javaclass usesAES/ECB/NoPaddingas the AES encryption/decryption algorithm. However, the ECB mode is not secure since it's vulnerable to reply attacks.A modern algorithm like
AES/GCM/NoPaddingis preferred as shown in the Java 11 JSEE Guide.Please consider to replace the broken crypto algorithm with a stronger one.
Thanks,
@luchua-bc
The text was updated successfully, but these errors were encountered: