dachuan9e commented on pull request #11440:
URL: https://github.com/apache/shardingsphere/pull/11440#issuecomment-884692807
> > > > I don't see any key to use to encrypt or decrypt. Does it mean that
there is no key for password encryption.
> > >
> > >
> > > the key is variable named secretBytes which generate by SecureRandom,
in 16 bytes.
> > > we use this key to encrypt password, and saved as base64 string in
encrypt function return; in decrypt, we first extract key and iv from
base64string and run aes to decrypt the password plaint text.
> >
> >
> > Where does the secretBytes stored?
>
> the secretBytes was return by encrypt string , if you want more security,
your can implentments new algorithm and save secretBytes to safe disk or
database.
> see code:
> @override
> public String encrypt(final byte[] content) throws Exception {
> byte[] ivBytes = getRandom();
> byte[] secretKeyBytes = getRandom();
> byte[] encryptBytes = runAesAlgorithm(content,
> ivBytes,
> secretKeyBytes,
> Cipher.ENCRYPT_MODE);
> byte[] results = mergeAllBytes(ivBytes, secretKeyBytes, encryptBytes);
> return Base64.getEncoder().encodeToString(results); -- the encrypt text
have iv and secretKey value
> }
I mean that if we don't provide the key which can be input by user. Anyone
can decrypt the password from the program.
This is meaningless for adding the feature.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
