Weak Encryption Insecure Mode of Operation (MCRYPT_MODE_ECB)

A mode of operation of a block cipher is an algorithm that describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Some of the modes of operation include Electronic Codebook (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (CFB). ECB mode is inherently weak, as it results in the same ciphertext for identical blocks of plaintext. CBC mode is the superior choice as it does not have this weakness. Messages encrypted with a weak cryptographic algorithm can be decrypted via brute-force attacks.

1. Use a strong mode of operation like CBC instead of ECB.

2. Use any authenticated encryption mode, such as GCM, EAX or OCB.

For more information, refer to: https://www.owasp.org/index.php/Testing_for_Weak_Encryption_(OTG-CRYPST-004)

Example:

    $mode = MCRYPT_MODE_ECB

    $mode = MCRYPT_MODE_ECB, $initVector = false ) {

        if (true === $initVector) {
            // @codingStandardsIgnoreStart
            $handle = @mcrypt_module_open($cipher, '', $mode, '');
    }

Traced in vendor\magento\framework\Encryption\Crypt.php, line 57, and a few other vendor files.

CWE Code: CWE-327
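The weakness and the recommended fix, as an added example that is not Magento's code or part of the original post: it assumes PHP 7.1 or later with the openssl extension (mcrypt itself is removed from modern PHP), and uses a constructed key and message.

```php
<?php
// Added example (not Magento's code): the ECB weakness described above (identical
// plaintext blocks give identical ciphertext blocks) next to the authenticated-mode
// replacement, AES-256-GCM, using PHP's openssl extension. Key and message are constructed.
const BLOCK_BYTES = 16; // AES block size

// ECB: every 16-byte block is encrypted independently with the same key.
function encryptEcb(string $key, string $plaintext): string
{
    $ct = openssl_encrypt($plaintext, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
    if ($ct === false) {
        throw new RuntimeException('ECB encryption failed');
    }
    return $ct;
}

// Duplicate 16-byte ciphertext blocks: a cheap check for ECB misuse in stored data.
function countRepeatedBlocks(string $ciphertext): int
{
    $blocks = str_split($ciphertext, BLOCK_BYTES);
    return count($blocks) - count(array_unique($blocks));
}

// GCM: fresh random nonce per message, ciphertext plus a 16-byte authentication tag.
function encryptGcm(string $key, string $plaintext): array
{
    $nonce = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('GCM encryption failed');
    }
    return ['nonce' => $nonce, 'ciphertext' => $ct, 'tag' => $tag];
}

// Decrypt and verify; null means the tag did not match the (modified) ciphertext.
function decryptGcm(string $key, array $box): ?string
{
    $pt = openssl_decrypt($box['ciphertext'], 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, $box['nonce'], $box['tag']);
    return $pt === false ? null : $pt;
}

$key = random_bytes(32);                      // constructed sample key
$message = str_repeat('ADMIN:ORDER-0001', 8); // eight identical 16-byte blocks
$ecb = encryptEcb($key, $message);
printf("ECB repeated blocks: %d\n", countRepeatedBlocks($ecb)); // repeats leak structure
$gcm = encryptGcm($key, $message);
printf("GCM repeated blocks: %d\n", countRepeatedBlocks($gcm['ciphertext']));
$gcm['ciphertext'][0] = chr(ord($gcm['ciphertext'][0]) ^ 0x01); // flip one bit
var_dump(decryptGcm($key, $gcm)); // a modified message must fail to decrypt
```

The repeated-block count is a useful triage check when reviewing data already encrypted by code like the Crypt.php constructor above; the GCM half shows that an authenticated mode also rejects modified ciphertext, which neither ECB nor plain CBC does.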