JBoss AS7: Password Masking and Encryption

created by Anil Saldhana in PicketBox Development

This article will describe the strategies/design for both password masking and encryption.

Objective

The configuration/domain model needs one or more passwords. We do not want to specify the passwords in clear text.

Methods

There are two methods available to specify passwords without clear-text visibility:

  1. Password Based Encryption (aka Masking)
  2. Password Encryption using AES, 3DES, etc.

Password Based Encryption (PBE) provides security by obscurity: it only masks the password and does not provide any fool-proof security.

Password Encryption using AES or 3DES provides industry-strength encryption.

Challenges

PBE uses the following:

  1. Salt
  2. Iteration Count
  3. Password to mask

Encryption uses a secret key to encrypt the password. When you are ready to decrypt the password, you will need that secret key again.

The biggest challenge is going to be managing the secret key.
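As an added illustration (not code from this article or from PicketBox), the two methods side by side in Java: PBE masking, where the passphrase, salt and iteration count needed to unmask are constants shipped with the server, and AES-GCM encryption under a key generated outside the configuration. The masking passphrase, salt, sample password and the PBEWithMD5AndDES algorithm choice are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

public class PasswordProtectionDemo {
    // Method 1, PBE masking: passphrase, salt and iteration count all sit beside the masked value.
    static final char[] MASK_PASS = "demo-mask-passphrase".toCharArray();        // constructed
    static final byte[] MASK_SALT = "12345678".getBytes(StandardCharsets.UTF_8); // constructed, 8 bytes
    static final int MASK_ITER = 1000;
    static final String PBE_ALG = "PBEWithMD5AndDES";                            // assumed algorithm
    static String mask(String clear) throws GeneralSecurityException {
        return Base64.getEncoder().encodeToString(pbe(Cipher.ENCRYPT_MODE, clear.getBytes(StandardCharsets.UTF_8)));
    }
    static String unmask(String masked) throws GeneralSecurityException {
        return new String(pbe(Cipher.DECRYPT_MODE, Base64.getDecoder().decode(masked)), StandardCharsets.UTF_8);
    }
    private static byte[] pbe(int mode, byte[] in) throws GeneralSecurityException {
        SecretKey k = SecretKeyFactory.getInstance(PBE_ALG).generateSecret(new PBEKeySpec(MASK_PASS));
        Cipher c = Cipher.getInstance(PBE_ALG);
        c.init(mode, k, new PBEParameterSpec(MASK_SALT, MASK_ITER));
        return c.doFinal(in);
    }
    // Method 2, real encryption: the AES key lives outside the configuration; managing it is the hard part.
    static String encrypt(SecretKey key, String clear) throws GeneralSecurityException {
        byte[] iv = new byte[12];                                  // fresh nonce per value
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(clear.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];              // stored as nonce || ciphertext+tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    static String decrypt(SecretKey key, String enc) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(enc);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8); // bad tag throws
    }
    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();                          // in practice loaded from a keystore/HSM
        String pw = "s3cret-db-pass";                              // constructed sample
        System.out.println(unmask(mask(pw)) + " / " + decrypt(key, encrypt(key, pw)));
    }
}
```

Anyone who can read the class (or the configuration carrying the same constants) can unmask a PBE value, whereas the encrypted value is only as exposed as the key that protects it.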
