{ "WorkItem": { "AffectedComponent": { "Name": "", "DisplayName": "" }, "ClosedComment": "", "ClosedDate": null, "CommentCount": 0, "Custom": null, "Description": "The function WinZipAesCipherStream() in WinZipAes.cs uses a cryptographic encryption algorithm with an insecure mode of operation (ECB) on line 414.\n\n```\ninternal WinZipAesCipherStream(System.IO.Stream s, WinZipAesCrypto cryptoParams, CryptoMode mode) {\n...\n _aesCipher.Mode = CipherMode.ECB;\n```\n \nExplanation:\n\nA mode of operation of a block cipher is an algorithm that describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Some of the modes of operation include Electronic Codebook (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (CFB).\n\n ECB mode is inherently weak because it results in the same ciphertext for identical blocks of plaintext. CBC mode is the superior choice as it does not have this weakness.\n\n\nRecommendation:\n\nAvoid using ECB mode of operation when encrypting data larger than a block. CBC mode is superior because it does not produce identical blocks of ciphertext for identical blocks of plaintext. However, CBC mode is somewhat inefficient and poses serious risk if used with SSL. Instead, use Counter with CBC-MAC Mode (CCM), or, if performance is a concern, Galois/Counter Mode (GCM) where they are available.", "LastUpdatedDate": "2015-10-01T07:29:16.147-07:00", "PlannedForRelease": "", "ReleaseVisibleToPublic": false, "Priority": { "Name": "Unassigned", "Severity": 0, "Id": 0 }, "ProjectName": "DotNetZip", "ReportedDate": "2015-09-02T23:09:13.033-07:00", "Status": { "Name": "Proposed", "Id": 1 }, "ReasonClosed": { "Name": "Unassigned" }, "Summary": "Winzip AES uses an insecure mode of operation", "Type": { "Name": "Unassigned", "Id": 5 }, "VoteCount": 2, "Id": 17508 }, "FileAttachments": [], "Comments": [] }