stefano81 / dcpabe Goto Github PK

I discovered this bug while running the test case of your library.

Element M = pairing.getGT().newRandomElement().getImmutable();
message.m = M.toBytes();

I understand that you want to associate the message byte array with the element M that is generated randomly but surely this won't allow if we set the message by ourselves. Also the bug itself will actually passes the test but also the test should be wrong as in the test case there isn't any byte assigned to it then suddenly after encryption the byte is then filled with random element M, which is wrong.

What I suggest for fix of this bug is something like this:

Element M = pairing.getGT().newZeroElement();
M.setFromBytes(message.m)

As Per the Lewko Waters Paper "Decentralized ABE" ,in decrypt algorithm , the decryptor need to choose constants cx such that Σ cx Ax = (1,0,...0) . In the of DCPABE.java file , how the statement "t.mul(c1x.mul(p1).mul(p2.invert()));" in loop i.e. the product of the statement satisfies the condition. There is no algorithm for choosing constants in package sg.edu.ntu.sce.sands.crypto.dcpabe.ac

Please reply

where can I check the corresponding papers?

While the project is not yet in maven central, it can still be used leveraging services like https://jitpack.io .
Add some sentences to the README on how to leverage these services.

Vulnerable versions: >= 2.0.0, < 2.9.9
Patched version: 2.9.9

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Could you tell me how do you define the structure for the policy? In the test case you wrote something like this
AccessStructure as = AccessStructure.buildFromPolicy("and a or d and b c");
and the attributes that fulfill the policy is a and d. How is that possible? Also what if I would like to make simple policy like a or b? How do I define it?

When I try to encrypt the specified file, the decrypted data is always a fixed length byte stream, resulting in decryption failure. Could you give me some guidance。

// Message message = DCPABE.generateRandomMessage(gp);
Path path = Paths.get("src/test/java/textTest/test.txt");
byte[] ss = Files.readAllBytes(path);
Message msg = new Message(ss);

Create a new release and increment version number.

See https://maven.apache.org/repository/guide-central-repository-upload.html

Could you explain what the lambda input for global setup represents? In the Testing.java you put 160 as the input parameter of the global setup, is it the length of the keys later will be generated or the security level?