You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2007/09/18 04:42:43 UTC
[jira] Closed: (GERONIMO-2925) Key used for encryption same for all
server instances
[ https://issues.apache.org/jira/browse/GERONIMO-2925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Jencks closed GERONIMO-2925.
----------------------------------
Resolution: Fixed
Fix Version/s: 2.1
2.0.2
Patch (with cleanup and more comments) applied to trunk in rev 576651 and branches/2.0 in rev 576668
> Key used for encryption same for all server instances
> -----------------------------------------------------
>
> Key: GERONIMO-2925
> URL: https://issues.apache.org/jira/browse/GERONIMO-2925
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security
> Affects Versions: 1.1.1, 1.1.2, 1.1.x, 1.2, 2.0-M5
> Reporter: Michael Malgeri
> Assignee: David Jencks
> Priority: Critical
> Fix For: 2.0.2, 2.1
>
> Attachments: GERONIMO-2925.patch
>
>
> We understand that WASCE use AES to encrypt the password. You do
> javax.crypto.Cipher.getInstance("AES") and init() with a hard-coded key.
> This key is same for all the WASCE server instances. Anyone getting access to a downloaded version of the software can have the algorithm and decrypt the password. So we need your urgent help on the following:
> 1. provide a solution with key management that we can control
> 2. provide a pluggable encryption solution so that we can use our internal algorithms and key management
> At least,
> 3. the key should be dynamically generated in each of the installations that would reduce the ability to decrypt to someone who has access to the server.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.