Hi Mark, As I'm working lately quite a lot with security and encryption, I was interested in your implementation.
I don't have the time today to look into details, but I already have some questions - Why hashing with SHA-1 (not a secure hashing algorithm anymore). Why the additional hashing (before AES encryption) as you mention that we try only to 'obscure'. - When I use AES, I always use an Initialization Vector (IV) and specify the Block mode and padding. I'll try to find some time this weekend to study the code in detail. best regards Rudy On 11 May 2017 at 19:05, Mark Struberg (JIRA) <j...@apache.org> wrote: > > [ https://issues.apache.org/jira/browse/DELTASPIKE-1250? > page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel& > focusedCommentId=16006784#comment-16006784 ] > > Mark Struberg commented on DELTASPIKE-1250: > ------------------------------------------- > > A first design proposal can be found on my github repo > https://github.com/struberg/deltaspike/tree/DELTASPIKE-1250 > > Will now add a main method to generate the master password and encrypt > content > > > create a master/client encryption handling > > ------------------------------------------ > > > > Key: DELTASPIKE-1250 > > URL: https://issues.apache.org/ > jira/browse/DELTASPIKE-1250 > > Project: DeltaSpike > > Issue Type: New Feature > > Components: Configuration > > Affects Versions: 1.7.2 > > Reporter: Mark Struberg > > Assignee: Mark Struberg > > Fix For: 1.8.0 > > > > > > For storing passwords in our configuration I'd like to implement a 2 > stage approach to symmetric encryption. > > The current ideas is to have an encrypted has derived from a master > password and box-locale information (MAC, IP, expiry date, etc). > > This encrypted sequence is different on every box. But the decrypted > hash is not. > > > > With this hash we can encode a user password, which is then ofc the same > on different boxes. > > Of course all that is just security by obscurity, but it's still much > better than plaintext and even close to vault. > > After all, the only really secure way is using a hardware crypto box > plus the user has to manually provide a password and not using static > passwords but 1-time consumable tokens. > > > > -- > This message was sent by Atlassian JIRA > (v6.3.15#6346) >
