Hard-Coded Salt Which is Now Public Knowledge

[sarciszewski]

I took a quick glance at your AES_Crypto class and discovered the following:

Fido/Fido_Support/Crypto/AES_Crypto.cs

Line 28 in 2001671

private static readonly byte[] Salt = Encoding.ASCII.GetBytes("o6806642kbM7c5");

[dakre18]

Reminds me of Uber. Back on topic, what's funny is this is the same code that's on stackoverflow > https://stackoverflow.com/questions/202011/encrypt-and-decrypt-a-string/10366194 (except FIDO's seems to be updated a bit more) scroll down to the first answer and compare the 2.

Also notice the salt is the same, so they could have changed the salt in their production code. It may be safer to change the salt, but considering the encryption I can't say if it honestly matters. AES shouldn't be that easily breakable just because you have the salt. I would say someone with a lot more experience would need to answer that for better information. I just wanted to reply mainly because i just saw this on StackOverflow last friday (question was asked 6 years ago w/ last edit in Oct 2013).

[robfry]

@sarciszewski Thanks for the heads up, this missed my checklist. In a different branch I was using a simple algorithm to create a salt based on local attributes. I'll get that merged back in.

@dakre18, you are correct. The attribution inside this file is missing. Because we don't have a UI I ended up removing much of the encrypt/decrypt functionality, so this class currently is sparsely used. But the intention in the future is to encrypt/decrypt with this class, or something similar, when it comes to sensitive values.

Both points are valid and will be updated, thank you for your feedback.

[ghost]

why did you copy code from stackoverflow into your "security product" in the first place
moreover, this makes me wonder where else you have copied code that is used in some of your products from

[dakre18]

Kind of a late response, but @Blackwat3r I would check what his response was to me. That would show he was planning on using it at some point, but currently is not. Normally when you copy and paste code from the internet, you change it to meet your needs (if needed).

The best way i can put it is why reinvite the wheel? It's fairly common for me to hear that about a lot of things, but this works very well in programming. Why recreate a class that someone else has made and works great?

Also you need to remember when it comes to security, it's best to get working code that's been tested, since you don't want to open up holes in your security because you don't know what you are doing or haven't tested it thoroughly enough.

I hope that clarifies it a bit, even if this response it a bit late.

[sarciszewski]

This appears unfixed, six months later.