Wicket
  1. Wicket
  2. WICKET-5327

CryptoMapper: insecure default encryption provider

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 6.10.0
    • Fix Version/s: 6.11.0, 7.0.0
    • Component/s: None
    • Labels:

      Description

      There is an unexpected and insecure default setting for the encryption provider.

      When CryptoMapper is enabled using

      setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

      or

      CompoundRequestMapper root = new CompoundRequestMapper();
      root.add(new CryptoMapper(getRootRequestMapper(), this));
      setRootRequestMapper(root);

      Wicket uses "new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY)" as the CryptFactory, with ISecuritySettings.DEFAULT_ENCRYPTION_KEY being "WiCkEt-FRAMEwork". This generates always the same encrypted strings for each of the URLs and is possibly not a secure way to encrypt URLs even if the encryption key is unknown.

        Activity

        Hide
        Sven Meier added a comment -

        And now SecuritySettings writes a warning to stderr for the default crypt key.

        Show
        Sven Meier added a comment - And now SecuritySettings writes a warning to stderr for the default crypt key.
        Sven Meier made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Assignee Sven Meier [ svenmeier ]
        Fix Version/s 7.0.0 [ 12322958 ]
        Fix Version/s 6.11.0 [ 12324874 ]
        Resolution Fixed [ 1 ]
        Hide
        Sven Meier added a comment -

        I've added a note to the CryptoMapper constructor.

        Show
        Sven Meier added a comment - I've added a note to the CryptoMapper constructor.
        Sven Meier made changes -
        Issue Type Bug [ 1 ] Improvement [ 4 ]
        Walter B. Rasmann made changes -
        Field Original Value New Value
        Description There is an unexpected and insecure default setting for the encryption provider.

        When CryptoMapper is enabled using

        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

        or
                        
        CompoundRequestMapper root = new CompoundRequestMapper();
        root.add(new CryptoMapper(getRootRequestMapper(), this));
        setRootRequestMapper(root);

        Wicket uses "new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY)" as the CryptFactory, with ISecuritySettings.DEFAULT_ENCRYPTION_KEY being "WiCkEt-FRAMEwork". This generates always the same encrypted strings for each of the URLs, which is an insecure default.
        There is an unexpected and insecure default setting for the encryption provider.

        When CryptoMapper is enabled using

        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

        or
                        
        CompoundRequestMapper root = new CompoundRequestMapper();
        root.add(new CryptoMapper(getRootRequestMapper(), this));
        setRootRequestMapper(root);

        Wicket uses "new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY)" as the CryptFactory, with ISecuritySettings.DEFAULT_ENCRYPTION_KEY being "WiCkEt-FRAMEwork". This generates always the same encrypted strings for each of the URLs and is possibly not a secure way to encrypt URLs even if the encryption key is unknown.
        Walter B. Rasmann created issue -

          People

          • Assignee:
            Sven Meier
            Reporter:
            Walter B. Rasmann
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development