geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Malgeri (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-2925) Key used for encryption same for all server instances
Date Fri, 02 Mar 2007 23:06:51 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-2925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12477541
] 

Michael Malgeri commented on GERONIMO-2925:
-------------------------------------------

It refers to WAS CE because it comes from a customer using WAS CE not Geronimo. I assumed
the fix would be applied in Geronimo and WAS CE would pick it up. The customer is "we" in
the message and I did a cut and paste.  We'll get more info from the customer and post when
available.





> Key used for encryption same for all server instances
> -----------------------------------------------------
>
>                 Key: GERONIMO-2925
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2925
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.1.1, 1.1.2, 1.1.x, 1.2, 2.0
>            Reporter: Michael Malgeri
>            Priority: Critical
>
> We understand that WASCE use AES to encrypt the password.  You do 
> javax.crypto.Cipher.getInstance("AES") and init() with a hard-coded key.
> This key is same for all the WASCE server instances.  Anyone getting access to a downloaded
version of the software can have the algorithm and decrypt the password.  So we need your
urgent help on the following:
> 1. provide a solution with key management that we can control
> 2. provide a pluggable encryption solution so that we can use our internal algorithms
and key management
> At least,
> 3. the key should be dynamically generated in each of the installations that would reduce
the ability to decrypt to someone who has access to the server.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message