Wicket
  1. Wicket
  2. WICKET-5327

CryptoMapper: insecure default encryption provider

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 6.10.0
    • Fix Version/s: 7.0.0-M1
    • Component/s: None
    • Labels:

      Description

      There is an unexpected and insecure default setting for the encryption provider.

      When CryptoMapper is enabled using

      setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

      or

      CompoundRequestMapper root = new CompoundRequestMapper();
      root.add(new CryptoMapper(getRootRequestMapper(), this));
      setRootRequestMapper(root);

      Wicket uses "new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY)" as the CryptFactory, with ISecuritySettings.DEFAULT_ENCRYPTION_KEY being "WiCkEt-FRAMEwork". This generates always the same encrypted strings for each of the URLs and is possibly not a secure way to encrypt URLs even if the encryption key is unknown.

        Activity

        Transition Time In Source Status Execution Times Last Executer Last Execution Date
        Open Open Resolved Resolved
        5d 21h 3m 1 Sven Meier 29/Aug/13 15:22
        Hide
        ASF subversion and git services added a comment -

        Commit b5307cc09f8ee4238b8e3d3b1f54a729ee88c740 in wicket's branch refs/heads/5756-improve-crypt from svenmeier
        [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=b5307cc ]

        WICKET-5327 write warning to stderr for insecure default crypt key

        (cherry picked from commit d7b13f72f418bb7f300bbc3ac14fdb6e094f20a6)

        Show
        ASF subversion and git services added a comment - Commit b5307cc09f8ee4238b8e3d3b1f54a729ee88c740 in wicket's branch refs/heads/5756-improve-crypt from svenmeier [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=b5307cc ] WICKET-5327 write warning to stderr for insecure default crypt key (cherry picked from commit d7b13f72f418bb7f300bbc3ac14fdb6e094f20a6)
        Martin Grigorov made changes -
        Fix Version/s 6.11.0 [ 12324874 ]
        Hide
        Sven Meier added a comment -

        And now SecuritySettings writes a warning to stderr for the default crypt key.

        Show
        Sven Meier added a comment - And now SecuritySettings writes a warning to stderr for the default crypt key.
        Sven Meier made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Assignee Sven Meier [ svenmeier ]
        Fix Version/s 7.0.0 [ 12322958 ]
        Fix Version/s 6.11.0 [ 12324874 ]
        Resolution Fixed [ 1 ]
        Hide
        Sven Meier added a comment -

        I've added a note to the CryptoMapper constructor.

        Show
        Sven Meier added a comment - I've added a note to the CryptoMapper constructor.
        Sven Meier made changes -
        Issue Type Bug [ 1 ] Improvement [ 4 ]
        Walter B. Rasmann made changes -
        Field Original Value New Value
        Description There is an unexpected and insecure default setting for the encryption provider.

        When CryptoMapper is enabled using

        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

        or
                        
        CompoundRequestMapper root = new CompoundRequestMapper();
        root.add(new CryptoMapper(getRootRequestMapper(), this));
        setRootRequestMapper(root);

        Wicket uses "new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY)" as the CryptFactory, with ISecuritySettings.DEFAULT_ENCRYPTION_KEY being "WiCkEt-FRAMEwork". This generates always the same encrypted strings for each of the URLs, which is an insecure default.
        There is an unexpected and insecure default setting for the encryption provider.

        When CryptoMapper is enabled using

        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

        or
                        
        CompoundRequestMapper root = new CompoundRequestMapper();
        root.add(new CryptoMapper(getRootRequestMapper(), this));
        setRootRequestMapper(root);

        Wicket uses "new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY)" as the CryptFactory, with ISecuritySettings.DEFAULT_ENCRYPTION_KEY being "WiCkEt-FRAMEwork". This generates always the same encrypted strings for each of the URLs and is possibly not a secure way to encrypt URLs even if the encryption key is unknown.
        Walter B. Rasmann created issue -

          People

          • Assignee:
            Sven Meier
            Reporter:
            Walter B. Rasmann
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development