Fixed insecure cryptography in PBECipher.java

[gL1nt]

By default (with the default constants and settings) the DefaultPlexusCipher object takes a plaintext and a human-readable password that I will refer to as “pwd”. It then generates a key and an IV to be used with AES/CBC/PKCS5Padding. The encrypt64 method generates a random 8 byte salt, computes SHA256(pwd|salt), and then uses the first 16 bytes of the hash as the AES key and the last 16 bytes of the hash as the IV. The salt is then prepended to the ciphertext and the result is base64 encoded and outputted.
 
This key derivation algorithm is extremely insecure and ciphertexts produced by plexus-cipher are currently easy to brute force. SHA256 is meant to be fast. During a brute force attempt, identifying the correct key and IV is fairly easy: the correct key and IV will yield a decryption with significantly less Shannon entropy than all of the failed decryption attempts, which will produce outputs indistinguishable from random bytes (which will have high Shannon entropy). Data that needs to be encrypted tends to have some sort of structure, and is often times composed of ASCII characters.

An ideal fix here is to just use a well-established key derivation function such as PBKDF2 (as I have done). OWASP recommends to use 310000+ iterations with PBKDF2.

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

This fix is not backwards compatible and will will cause people using Plexus Cipher to have to re-encrypt their information. The existing cryptography provides little protection in its current state though.

[michael-o]

I am not an expect on this, therefore I will not make a qualified statement, though I think this must be removed from Maven because it does not provide any security at all.

[slachiewicz]

we use it here: https://github.com/apache/maven/blob/b2ee29e03e8f1188ed32a5d719ce67e96c1541c6/maven-embedder/src/main/java/org/apache/maven/cli/MavenCli.java#L848