[jboss-dev-forums] [PicketBox Development] - JBoss AS7: Password Masking and Encryption

Anil Saldhana do-not-reply at jboss.com
Fri May 27 11:22:11 EDT 2011


Anil Saldhana [http://community.jboss.org/people/anil.saldhana] created the document:

"JBoss AS7: Password Masking and Encryption"

To view the document, visit: http://community.jboss.org/docs/DOC-16845

--------------------------------------------------------------
This article will describe the strategies/design for both password masking and encryption.
h2. Objective
The configuration/domain model needs one or more passwords. We do not want to specify the passwords in clear text. 


h2. Methods
There are two methods available for specifying passwords without clear-text visibility:
1. Password Based Encryption (PBE), also known as masking
2. Password encryption using a symmetric cipher such as AES or 3DES

Password Based Encryption (PBE) provides only security by obscurity: it masks the password, but the salt, iteration count and masking password needed to reverse the mask must themselves be available to the server (in configuration or in code), so anyone who can read them can recover the clear-text password. It is not fool-proof security.
Password encryption using AES or 3DES provides industry-strength encryption; the stored password is then only as safe as the secret key that protects it.
h2. Challenges
PBE requires the following inputs:
1. Salt
2. Iteration count
3. Password to mask

Encryption uses a secret key to encrypt the password. When you are ready to decrypt the password, you will need the same secret key.

The biggest challenge is going to be +managing the secret key+.
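The two methods side by side, as an added example that is not part of the original document or of PicketBox/JBoss AS7 code. Method 1 uses the standard JCE PBEWithMD5AndDES cipher with the three inputs listed above (the salt, iteration count and masking password here are assumed demo values); Method 2 uses AES-GCM under a key generated at runtime. The MASK-/ENC- prefixes and all sample passwords are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** Demo: PBE masking (security by obscurity) versus AES under a separately managed key. */
public class PasswordMaskingDemo {

    // Method 1 inputs. Values are assumed for the demo. The server must hold all three
    // to unmask, so whoever can read its configuration or code can unmask as well.
    static final char[] MASK_PASSPHRASE = "demo-mask-passphrase".toCharArray();
    static final byte[] MASK_SALT = "Sg8Ka3Gv".getBytes(StandardCharsets.UTF_8); // PBEWithMD5AndDES needs an 8-byte salt
    static final int MASK_ITERATIONS = 1000;
    static final String MASK_PREFIX = "MASK-";
    static final String ENC_PREFIX = "ENC-";

    private static Cipher pbeCipher(int mode) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
                .generateSecret(new PBEKeySpec(MASK_PASSPHRASE));
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(mode, key, new PBEParameterSpec(MASK_SALT, MASK_ITERATIONS));
        return c;
    }

    /** Mask a clear-text password so it is not visible in the configuration. */
    public static String mask(String clearPassword) throws Exception {
        byte[] ct = pbeCipher(Cipher.ENCRYPT_MODE)
                .doFinal(clearPassword.getBytes(StandardCharsets.UTF_8));
        return MASK_PREFIX + Base64.getEncoder().encodeToString(ct);
    }

    /** Reverse the mask; needs nothing beyond the constants above. */
    public static String unmask(String value) throws Exception {
        if (!value.startsWith(MASK_PREFIX)) return value; // stored in the clear
        byte[] ct = Base64.getDecoder().decode(value.substring(MASK_PREFIX.length()));
        return new String(pbeCipher(Cipher.DECRYPT_MODE).doFinal(ct), StandardCharsets.UTF_8);
    }

    // Method 2: AES-GCM under a random 128-bit key that does not live in the configuration.

    public static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    public static String encrypt(SecretKey key, String clearPassword) throws Exception {
        byte[] iv = new byte[12];                       // fresh 96-bit nonce per encryption
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(clearPassword.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];  // stored form: iv || ciphertext || tag
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return ENC_PREFIX + Base64.getEncoder().encodeToString(blob);
    }

    public static String decrypt(SecretKey key, String value) throws Exception {
        if (!value.startsWith(ENC_PREFIX)) return value;
        byte[] blob = Base64.getDecoder().decode(value.substring(ENC_PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        byte[] pt = c.doFinal(blob, 12, blob.length - 12); // AEADBadTagException on a wrong key
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String dbPassword = "s3cr3t-db-pass"; // constructed sample

        // Method 1: anyone holding the config (salt, iterations, masking password) can reverse it.
        String masked = mask(dbPassword);
        System.out.println("masked:    " + masked);
        System.out.println("unmasked:  " + unmask(masked));

        // Method 2: the ciphertext in the config is useless without the key.
        SecretKey key = newAesKey();
        String enc = encrypt(key, dbPassword);
        System.out.println("encrypted: " + enc);
        System.out.println("decrypted: " + decrypt(key, enc));
        try {
            decrypt(newAesKey(), enc);                  // a different key: the GCM tag check fails
        } catch (AEADBadTagException e) {
            System.out.println("wrong key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Two points the demo makes concrete: with a fixed salt and iteration count the mask is deterministic, so equal passwords mask to equal strings and anyone with the constants can reverse them; with AES the ciphertext is randomized per encryption and rejected under any other key, which moves the whole problem to where the AES key is stored and how the server obtains it at boot.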
--------------------------------------------------------------
