codesqueak / jackson-json-crypto Goto Github PK
View Code? Open in Web Editor NEWJackson Crypto Extension Module
License: MIT License
Jackson Crypto Extension Module
License: MIT License
Hi!
I have a class which has some properties annotated with @Encrypt.
Also I want to use @JsonIdentityInfo(generator = JSOGGenerator.class) annotation on classes to handle potential circular references and also minimising JSON output.
However the conjunction may result in Objects whcih have id X to be decrypted, and later be referenced by another cleartext property as "@ref":X. This reference cannot be resolved until deserialized.
Since the encrypted part should not be accesible /manipulatable in the frontend (e.g. a browser) but the visible properties of the response should be visible this is an issue.
{
"@id" : "1",
"somEncryptedProperty" : {
"iv" : "OgEe3ag[....]sbQ==",
"salt" : "gHnRbP[....]41MpFOgA=",
"value" : "m/Xw9/hMG4[....]WO58LYVrDsmU="
},
"broken_visibleProperty" : {
"@ref" : "5"
},
"somOtherEncryptedThing" : {
"iv" : "OgEe[....]EnsbQ==",
"salt" : "H8N[....]pFOgA=",
"value" : "ltDDA/RnYT9szpCZklXYwA8XbQ0Rcvtxy1sV[....]3PzVXs"
},
"somthing_visible" : {
"@id" : "7",
"event" : null,
"id" : "_eeClIR47EemIFYn30KSx0A",
"inputs" : { }
}
}
Hey , awesome library could you release the JAVA 8 build for this library would be super helpful.
Hi,
I want to use DES algo but only AES algo with 256 bit keyLength is hardcoded into createSecretKeySpec method of BaseCryptoContext class.
I would suggest to allow changing these values with parameters just like salt and password.
Also in same method iterationCount should also be allowed to change using parameter.
I am using Jackson Json Crypto module v 1.1.0 for encryption as it is compatible with JDK 8. Encryption is working fine and data is getting saved in encrypted form but while deserializing, data is not getting back converted to actual data. I believe the @Encrypt annotation which is used and defined on the field is not getting triggered before the object mapper does deserializing. I have downloaded the decompiled library code as well and tried debugging, where i found deserializing module constructors are getting called initially but later the @OverRide deserialize function is not getting triggered.
Encrypted O/P
"order_id": { "salt": "Bf53VhtWMF95Cp7wLb8EJ9tRfIc=", "iv": "X83bkmfrvHk4SGCTJ+zx/g==", "value": "L8VEVKkEp0j7KG0cG2IFjHdNmMKcIxnLIb0+fiNqnDr2AXRrFgwJaaR6E8f5n7DI" }
Post-decryption it should be
"order_id": "abcd_!234"
But the O/P is coming the encrypted value as it is
"order_id": { "salt": "Bf53VhtWMF95Cp7wLb8EJ9tRfIc=", "iv": "X83bkmfrvHk4SGCTJ+zx/g==", "value": "L8VEVKkEp0j7KG0cG2IFjHdNmMKcIxnLIb0+fiNqnDr2AXRrFgwJaaR6E8f5n7DI" }
Hey @codesqueak,
Awesome library, but I have noticed that you do not mention anything about the usage of this library. Since the AES/CBC is used, it does not offer any integrity protection of the ciphertext like MAC (malleable). If the library is wrongly used, e.g.
someone trust it to keep the integrity of the data, it might lead to the security issue in their application.
For the simplicity, I can show the simple example when someone was encrypting Social Security Number (SSN) when serializing to JSON. The developer took the false assumption that since the value is encrypted it cannot be tampered and trusted it for authentication or authorizing some actions in the system. Now, let's say that the IV, salt and Value (cipher text) are in the control of the user/attacker (e.g. those values are encoded and stored in the Cookie for keeping user's session).
The attacker can change the IV, so that the cipher-text will be decrypted to the plain-text of the attacker's choice.
Below you can see the Java code:
ObjectMapper objectMapper = EncryptionService.getInstance("Password1");
// Sample Good SSN: 790714615 - attacker knows that cause he has set up the account
String json1 = "{\"ssn\":{\"salt\":\"uzaYY1PaEpWS6SC9lUWKWw==\",\"iv\":\"6mCYbjLB2mEk1gsWRqiWiw==\",\"value\":\"JZpjE/JqkrdOi1JcGAtP9w==\"}}";
SSNGetterPoJo pojo1 = objectMapper.readValue(json1, SSNGetterPoJo.class);
System.out.println(pojo1.getSSN());
// IV changed which would result in fake SSN after decryption: 111111111
String json2 = "{\"ssn\":{\"salt\":\"uzaYY1PaEpWS6SC9lUWKWw==\",\"iv\":\"6maQbzTB32Yk0gsWRqiWiw==\",\"value\":\"JZpjE/JqkrdOi1JcGAtP9w==\"}}";
SSNGetterPoJo pojo2 = objectMapper.readValue(json2, SSNGetterPoJo.class);
System.out.println(pojo2.getSSN());
SSNGetterPoJo.java is almost the same as SecureGetterPojo.java
Here is the python3 code that I have used to generate the IV which changes the plain-text after decryption:
import base64
def xors(s1, s2):
return bytes(ord(a) ^ ord(b) for a, b in zip(s1,s2))
def xorb (s1, s2):
return bytes(a^b for a,b in zip(s1,s2))
a1 = xors("790714615", "111111111")
iv = "6mCYbjLB2mEk1gsWRqiWiw=="
b1 = base64.b64decode(iv)
new_iv = b1[0:1] + xorb(b1[1:],a1) + b1[10:]
print(base64.b64encode(new_iv))
It would be worth to mention that in the description of this library or if you want to offer the integrity protection change the cipher to the one offering MAC like AES/GCM. If you decide to change the cipher to AES/GCM, then it would be cool to create the Security Advisory and assign CVE-ID for that issue to me as the reporter.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.