[
https://issues.apache.org/jira/browse/GERONIMO-2925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Jencks reassigned GERONIMO-2925:
--------------------------------------
Assignee: David Jencks
> Key used for encryption same for all server instances
> -----------------------------------------------------
>
> Key: GERONIMO-2925
> URL: https://issues.apache.org/jira/browse/GERONIMO-2925
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security
> Affects Versions: 1.1.1, 1.1.2, 1.1.x, 1.2, 2.0-M5
> Reporter: Michael Malgeri
> Assignee: David Jencks
> Priority: Critical
>
> We understand that WASCE use AES to encrypt the password. You do
> javax.crypto.Cipher.getInstance("AES") and init() with a hard-coded key.
> This key is same for all the WASCE server instances. Anyone getting access
> to a downloaded version of the software can have the algorithm and decrypt
> the password. So we need your urgent help on the following:
> 1. provide a solution with key management that we can control
> 2. provide a pluggable encryption solution so that we can use our internal
> algorithms and key management
> At least,
> 3. the key should be dynamically generated in each of the installations that
> would reduce the ability to decrypt to someone who has access to the server.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
