Red Hat Bugzilla – Bug 880279
plexus-cipher: improper use of SecureRandom in PBECipher
Last modified: 2012-12-06 02:27:06 EST
Description of problem:
src/main/java/org/sonatype/plexus/components/cipher/PBECipher.java contains this code (slightly abbreviated):
protected SecureRandom _secureRandom;
public PBECipher() throws PlexusCipherException
_digester = MessageDigest.getInstance( DIGEST_ALG );
if( System.getProperty( "os.name", "blah" ).toLowerCase().indexOf( "linux" ) != -1 )
_onLinux = true;
if( _onLinux )
System.setProperty( "securerandom.source", "file:/dev/./urandom");
_secureRandom = new SecureRandom();
catch ( NoSuchAlgorithmException e )
throw new PlexusCipherException(e);
So the constructor sets a system property (bad), and does not initialize _secureRandom (worse). Because of this, getSalt() falls back to Random (seeded by the current time) instead of SecureRandom:
private byte getSalt( final int sz )
throws NoSuchAlgorithmException, NoSuchProviderException
byte  res = null;
if( _secureRandom != null )
_secureRandom.setSeed( System.currentTimeMillis() );
res = _secureRandom.generateSeed( sz );
res = new byte[ sz ];
Random r = new Random( System.currentTimeMillis() );
r.nextBytes( res );
The if branch is not executed, but neither SecureRandom#setSeed(long) nor SecureRandom#generateSeed(int) are appropriate methods to call in this context. You should allocate a byte array and call SecureRandom#nextBytes(byte).
getSalt() is called from here:
public String encrypt64( final String clearText, final String password )
byte clearBytes = clearText.getBytes();
byte salt = getSalt( SALT_SIZE );
// spin it :)
if( _secureRandom != null )
new SecureRandom().nextBytes( salt );
Constructing a short-lived SecureRandom object is not a good idea because it is a very costly operation.
To fix this, no system properties should be examined or set, and a static SecureRandom instance should be used to generate the salts, using SecureRandom#nextBytes(byte). This should simplify the code considerably. The default SecureRandom implementation used to block on older/proprietary JDKs (and that's probably reason for this convoluted code), but that workaround should no longer be needed.
These bugs just decreases the randomness of the salt/IV, so they may not actually result in an exploitable security vulnerability. But that depends on how this class is used.
Note that I haven't verified if this class actually implements a strong encryption scheme.
Version-Release number of selected component (if applicable):
Created attachment 652787 [details]
I have replaced multiple generator objects with a single static SecureRandom which relies on Java to properly seed it. I removed OS detection as the new code should work properly on all OSes supported by Java. There should be no problems because of API/ABI changes. SecureRandom#nextBytes(byte) is thread safe.
Does this patch satisfy you?
(In reply to comment #1)
> Created attachment 652787 [details]
> Proposed patch
> I have replaced multiple generator objects with a single static SecureRandom
> which relies on Java to properly seed it. I removed OS detection as the new
> code should work properly on all OSes supported by Java. There should be no
> problems because of API/ABI changes. SecureRandom#nextBytes(byte) is
> thread safe.
> Does this patch satisfy you?
Looks good, thanks.
Fixed in plexus-cipher-1.5-11
plexus-cipher-1.5-11.fc16 has been submitted as an update for Fedora 16.
plexus-cipher-1.5-11.fc17 has been submitted as an update for Fedora 17.
plexus-cipher-1.5-11.fc18 has been submitted as an update for Fedora 18.
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing plexus-cipher-1.5-11.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
plexus-cipher-1.5-11.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
plexus-cipher-1.5-11.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
plexus-cipher-1.5-11.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.