GERONIMO-2925: Key used for encryption same for all server instances


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.1.1, 1.1.2, 1.1.x, 1.2, 2.0-M5
    • Fix Version/s: 2.0.2, 2.1
    • Component/s: security
    • Security Level: public (Regular issues)
    • Labels: None

    Description

      We understand that WASCE uses AES to encrypt the password. You do
      javax.crypto.Cipher.getInstance("AES") and init() with a hard-coded key.
      This key is the same for all the WASCE server instances. Anyone getting access to a downloaded version of the software can have the algorithm and decrypt the password. So we need your urgent help on the following:
      1. provide a solution with key management that we can control
      2. provide a pluggable encryption solution so that we can use our internal algorithms and key management
      At least,
      3. the key should be dynamically generated in each of the installations, which would reduce the ability to decrypt to someone who has access to the server.
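      The hard-coded-key pattern the report describes, beside the per-installation key it asks for, as an added Java example that is not Geronimo's or WASCE's code; the keystore path, keystore password, key alias and the choice of a PKCS12 file are assumptions.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

public class PerInstancePasswordCrypto {
    // Weak pattern the issue describes (constructed illustration, not Geronimo's code):
    // one key compiled into the product, so every installation shares it.
    static final byte[] HARD_CODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    static byte[] weakEncrypt(String password) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES"); // resolves to AES/ECB/PKCS5Padding: deterministic
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARD_CODED_KEY, "AES"));
        return c.doFinal(password.getBytes(StandardCharsets.UTF_8));
    }

    // Hardened: a 256-bit key generated on this installation's first start and kept in a PKCS12
    // keystore outside the distribution (hypothetical path/password; readable only by the server account).
    static SecretKey loadOrCreateInstanceKey(Path ksPath, char[] ksPass) throws Exception {
        String alias = "password-encryption-key";
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (Files.exists(ksPath)) {
            try (InputStream in = Files.newInputStream(ksPath)) { ks.load(in, ksPass); }
        } else {
            ks.load(null, null); // start from an empty keystore
        }
        if (!ks.containsAlias(alias)) {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256, new SecureRandom());
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                        new KeyStore.PasswordProtection(ksPass));
            try (OutputStream out = Files.newOutputStream(ksPath)) { ks.store(out, ksPass); }
        }
        return (SecretKey) ks.getKey(alias, ksPass);
    }

    // AES-GCM with a fresh 96-bit nonce per value; stored form is base64(nonce || ciphertext+tag).
    static String encrypt(SecretKey key, String password) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(
                ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array());
    }
}
```

      With the key living in a file created at install time, a copy of the distribution alone no longer yields the key, and the same plaintext password encrypts differently in every installation and on every run.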

      Attachments

        1. GERONIMO-2925.patch (28 kB, David Jencks)

          People

            Assignee: djencks (David Jencks)
            Reporter: mmalgeri (Michael Malgeri)
            Votes: 0
            Watchers: 1
