Key used for encryption same for all server instances
-----------------------------------------------------
Key: GERONIMO-2925
URL: https://issues.apache.org/jira/browse/GERONIMO-2925
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: security
Affects Versions: 1.1.1, 1.1.2, 1.1.x, 1.2, 2.0
Reporter: Michael Malgeri
Priority: Critical
We understand that WASCE use AES to encrypt the password. You do
javax.crypto.Cipher.getInstance("AES") and init() with a hard-coded key.
This key is same for all the WASCE server instances. Anyone getting access to
a downloaded version of the software can have the algorithm and decrypt the
password. So we need your urgent help on the following:
1. provide a solution with key management that we can control
2. provide a pluggable encryption solution so that we can use our internal
algorithms and key management
At least,
3. the key should be dynamically generated in each of the installations that
would reduce the ability to decrypt to someone who has access to the server.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
