Spring Security: SEC-1751

Encryptors.queryableText(String, String) is not usable in its present state

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.RC2
    • Fix Version/s: 3.1.0.RC3
    • Component/s: Crypto
    • Labels:
      None

      Description

      The role of Encryptors.queryableText(String, String) is to allow for data to be encrypted for storage, then for the data to be queried against in its encrypted form. A good example of the need for this is the storage of OAuth Consumer Keys. Such keys should be encrypted when stored, and need to be queried when applications request authorization.

      For this to work, the same message, e.g. "6048b75ed560785c", must produce the same cipher text each time, e.g. "5e37a66db5d48321050d17365d4f4e6fd217caade54d777bbecf6a458036e34b6fcbf0bebf2aa2a03ca5d5171ba5de7a". Unfortunately, this is not happening beyond container restarts since the "shared" initialization vector is initialized each time a queryable TextEncryptor instance is constructed.

      The following simple test case demonstrates the issue:

      	import org.junit.Test;
      	import org.springframework.security.crypto.encrypt.Encryptors;
      	import org.springframework.security.crypto.encrypt.TextEncryptor;

      	@Test
      	public void test() {
      		// Build a fresh queryable encryptor, as an application does after a restart.
      		TextEncryptor encryptor = Encryptors.queryableText("password", "salt");
      		// Both lines agree within one JVM; compare the output across separate runs.
      		System.out.println(encryptor.encrypt("6048b75ed560785c"));
      		System.out.println(encryptor.encrypt("6048b75ed560785c"));
      	}


      Each time this test case is run, across all VM instances, the cipher text should be the same. If you run it more than once, you'll see the cipher text change. This is not correct behavior.

      The fix is most likely to not apply an IV at all for a "queryable" TextEncryptor.
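      As an added illustration, not code from this issue or from Spring Security's sources: a minimal deterministic AES-CBC text encryptor written against plain javax.crypto. It shows why two independently constructed instances must produce identical cipher text for a lookup against stored values to survive a restart, and what a fixed IV costs in return. Assumed here rather than taken from the page: a PBKDF2-derived 256-bit key with 1024 iterations, a hex-encoded salt, and an all-zero IV standing in for "no IV at all". The consumer key, salt and client name are constructed sample data; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Deterministic ("queryable") AES-CBC encryptor: one derived key and a fixed IV,
 * so equal plaintexts always map to equal ciphertexts. Illustrative code only;
 * the key derivation parameters and the all-zero IV are assumptions, not the
 * library's implementation.
 */
public class QueryableAesDemo {
    private static final byte[] FIXED_IV = new byte[16]; // all zeros: stands in for "no IV"
    private final SecretKeySpec key;

    QueryableAesDemo(String password, String hexSalt) throws Exception {
        // Key derivation is a pure function of (password, salt, iterations),
        // so every instance built from the same inputs holds the same key.
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), hexDecode(hexSalt), 1024, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(spec).getEncoded();
        key = new SecretKeySpec(raw, "AES");
    }

    byte[] encrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(FIXED_IV));
        return c.doFinal(plaintext); // nothing random mixed in, nothing prepended
    }

    byte[] decrypt(byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(FIXED_IV));
        return c.doFinal(ciphertext);
    }

    String encryptHex(String text) throws Exception {
        return hexEncode(encrypt(text.getBytes(StandardCharsets.UTF_8)));
    }

    static byte[] hexDecode(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String hexEncode(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String consumerKey = "6048b75ed560785c"; // constructed sample OAuth consumer key
        String hexSalt = "5c0744940b5c369b";     // constructed sample salt

        // Two instances built independently, as before and after a container restart.
        QueryableAesDemo beforeRestart = new QueryableAesDemo("password", hexSalt);
        QueryableAesDemo afterRestart = new QueryableAesDemo("password", hexSalt);

        // "Stored" lookup table keyed by cipher text, populated before the restart.
        Map<String, String> clientsByEncryptedKey = new HashMap<>();
        clientsByEncryptedKey.put(beforeRestart.encryptHex(consumerKey), "example-client");

        // The lookup after the restart only succeeds if both instances agree.
        String lookedUp = clientsByEncryptedKey.get(afterRestart.encryptHex(consumerKey));
        System.out.println("lookup after restart: " + lookedUp);

        // Round trip still works: the fixed IV is known to every instance.
        byte[] stored = beforeRestart.encrypt(consumerKey.getBytes(StandardCharsets.UTF_8));
        System.out.println("round trip: "
                + new String(afterRestart.decrypt(stored), StandardCharsets.UTF_8));

        // Cost of determinism with CBC and a fixed IV: plaintexts that share their
        // first 16 bytes share their first cipher-text block, and equal plaintexts
        // are visibly equal in the store. Tolerable for high-entropy keys such as
        // the one above; not appropriate for low-entropy or structured data.
        byte[] c1 = beforeRestart.encrypt((consumerKey + "-A").getBytes(StandardCharsets.UTF_8));
        byte[] c2 = beforeRestart.encrypt((consumerKey + "-B").getBytes(StandardCharsets.UTF_8));
        System.out.println("first block shared: "
                + Arrays.equals(Arrays.copyOf(c1, 16), Arrays.copyOf(c2, 16)));
    }
}
```

      Running main twice in separate JVMs prints the same lookup result and the same shared-block verdict each time, which is exactly the property the issue asks for; the last check is the reason a queryable encryptor should be reserved for values that are themselves secret and high-entropy.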

      Attachments

      1. PatchedAesBytesEncryptor.java (3 kB, Keith Donald)
      2. PatchedEncryptors.java (0.9 kB, Keith Donald)

        Activity

        Keith Donald added a comment -

        Attached is a patch to AesBytesEncryptor that resolves this issue by making the IV optional. If an IV generator is not specified, no IV is appended to the cipher text.

        Luke Taylor added a comment -

        Patch applied.

          People

          • Assignee: Luke Taylor
          • Reporter: Keith Donald