Yannick LE NY created AS7-4983: ---------------------------------- Summary: Jboss AS 7.1.1 / Jboss EAP 6.0 Beta2 : Jboss use weakeness cipher algorithm (Blowfish 56 bits)) to encrypted DataSource Password Key: AS7-4983 URL: https://issues.jboss.org/browse/AS7-4983 Project: Application Server 7 Issue Type: Bug Components: Domain Management, Security Affects Versions: 7.1.2.Final (EAP) Environment: Jboss EAP 6.0 Beta2 Jboss AS 7.1.1 Linux RHEL 5.4 JDK 1.6.0_24 Reporter: Yannick LE NY Assignee: Brian Stansberry Fix For: 7.1.3.Final (EAP) In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, Jboss use weakeness cipher algorithm (Blowfish 56bits) to encrypted DataSource Password. http://middlewaremagic.com/jboss/?p=1026 said : "JBoss AS7 uses picketbox security implementations. In this example we will see how we can provide an Encrypted Password for our DataSources rather than using the ClearText Password. The picketbox provides us a class for encrypting the Cleartext passwords using class "org.picketbox.datasource.security.SecureIdentityLoginModule"." When you search about the org.picketbox.datasource.security.SecureIdentityLoginModule java class on the Internet, you find this source file http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/... . In the file SecureIdentityLoginModule.java, we can see that this is the weakness Blowfish cipher algorithm (line Cipher cipher = Cipher.getInstance("Blowfish"); ) that is used by the Cipher getInstance function : (http://docs.oracle.com/javase/6/docs/api/javax/crypto/Cipher.html#getInst... ) Blowfish info : http://en.wikipedia.org/wiki/Blowfish_%28cipher%29 Weakness because, by default, the JDK use Blowfish with 56 bits key : Source : http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppB Extract : The SunJCE provider uses the following default keysizes: KeyGenerator : Blowfish: 56 bits org.picketbox.datasource.security.SecureIdentityLoginModule class use javax.crypto.Cipher class. As you can see at : http://docs.oracle.com/javase/6/docs/api/javax/crypto/Cipher.html#getInst..., getInstance function can use several cipher Algorithms. The cipher Algorithms available are : http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA (part Cipher) http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry... Then can you replace the weakness Blowfish Cipher Algorithm used to encrypted DataSource Password by AES-256 ? Note : The security team in my big company want now that all the application servers used in the company use strong cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic 11. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira