Insecure encryption algorithms

A product is not automatically secure just because it uses publicly known and reviewed algorithms such as AES-256 or RSA-4096, or advertises “military-grade encryption”. How those algorithms are implemented and combined matters just as much as which algorithms are chosen.

Some known (and common) vulnerabilities in messaging applications:

  • The key and initialisation vector for the symmetric-key encryption are derived only from a group-shared key and public information about the sender, with no fresh per-message input.

  • There is no key confirmation step in the client-to-client key exchange phase.

  • In the message encryption phase, the integrity of the associated data in a packet (the sender key ID and the recipient key ID) is not protected.

  • Some intermediate value is computable without any secret information.

  • The same key is used in distinctly different contexts (for example, in different modes of operation).
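The following is an added example (not code from the original page or from any particular messaging product) showing three of the listed failures side by side with a hardened form: a nonce derived only from the group key and public sender data, packet header fields (sender and recipient key IDs) left outside the integrity check, and one key used for both encryption and authentication. It uses only the Python standard library; the keystream is HMAC-SHA256 run in counter mode as a toy stand-in for AES-CTR, and the key IDs, group key and messages are constructed sample values.

```python
"""Added example: weak vs. hardened packet construction for a group-messaging
scheme. Stdlib only; HMAC-SHA256 in counter mode stands in for AES-CTR."""
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract with the salt, then expand under a
    context label so each use of the group key gets its own sub-key."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        okm += block
        i += 1
    return okm[:length]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR mode: keystream block i = HMAC(key, nonce || i), XORed into data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", i // 32), HASH).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


# --- weak scheme: nonce = H(group_key || sender_id) is constant per sender,
#     the group key is used directly as the cipher key, and there is no MAC --
def weak_encrypt(group_key: bytes, sender_id: bytes, plaintext: bytes) -> bytes:
    nonce = HASH(group_key + sender_id).digest()[:16]   # same for every message
    return keystream_xor(group_key, nonce, plaintext)


def keystream_reuse_detected(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """Defender's check: if two ciphertexts share a keystream, their XOR
    equals the XOR of the plaintexts over the common length."""
    n = min(len(c1), len(c2))
    cx = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    px = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return cx == px


# --- hardened scheme: random nonce, separate enc/mac keys per context,
#     and the header (sender/recipient key IDs) bound as associated data ------
def encrypt(group_key: bytes, sender_kid: int, recipient_kid: int, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                              # fresh per message
    enc_key = hkdf(group_key, nonce, b"msg-enc")        # distinct label per use
    mac_key = hkdf(group_key, nonce, b"msg-mac")
    header = struct.pack(">II", sender_kid, recipient_kid)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + nonce + ct, HASH).digest()  # header is AAD
    return header + nonce + ct + tag


def decrypt(group_key: bytes, packet: bytes):
    """Verify the tag over header, nonce and body before decrypting."""
    header, nonce, ct, tag = packet[:8], packet[8:24], packet[24:-32], packet[-32:]
    mac_key = hkdf(group_key, nonce, b"msg-mac")
    expected = hmac.new(mac_key, header + nonce + ct, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: header, nonce or body modified")
    enc_key = hkdf(group_key, nonce, b"msg-enc")
    sender_kid, recipient_kid = struct.unpack(">II", header)
    return sender_kid, recipient_kid, keystream_xor(enc_key, nonce, ct)


def rejects_header_tampering(group_key: bytes, packet: bytes) -> bool:
    """Flip one bit of the recipient key ID; the hardened scheme must refuse it."""
    tampered = packet[:7] + bytes([packet[7] ^ 0x01]) + packet[8:]
    try:
        decrypt(group_key, tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    GK = b"\x11" * 32                                   # constructed group key
    c1 = weak_encrypt(GK, b"alice", b"meeting moved to 10am")
    c2 = weak_encrypt(GK, b"alice", b"see you at the cafe")
    print("weak scheme reuses keystream:", keystream_reuse_detected(
        c1, c2, b"meeting moved to 10am", b"see you at the cafe"))
    pkt = encrypt(GK, 1, 2, b"hello group")
    print("hardened decrypt:", decrypt(GK, pkt))
    print("hardened rejects header tampering:", rejects_header_tampering(GK, pkt))
```

The weak path reproduces the first and last bullets: the nonce depends only on the group key and the sender's public identifier, so every message from one sender is encrypted under the same keystream, and the group key doubles as the cipher key. The hardened path derives one sub-key per purpose with a labelled HKDF call and includes the sender and recipient key IDs in the MAC input, so the third bullet's header fields can no longer be changed without the tag failing.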