[jboss-jira] [JBoss JIRA] (AS7-4983) Jboss AS 7.1.1 / Jboss EAP 6.0 Beta2 : Jboss use weakeness cipher algorithm (Blowfish 56 bits) to encrypted DataSource Password

Yannick LE NY (JIRA) jira-events at lists.jboss.org
Tue Jun 12 12:58:04 EDT 2012


     [ https://issues.jboss.org/browse/AS7-4983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yannick LE NY updated AS7-4983:
-------------------------------

    Summary: Jboss AS 7.1.1 / Jboss EAP 6.0 Beta2 : Jboss use weakeness cipher algorithm (Blowfish 56 bits) to encrypted DataSource Password  (was: Jboss AS 7.1.1 / Jboss EAP 6.0 Beta2 : Jboss use weakeness cipher algorithm (Blowfish 56 bits)) to encrypted DataSource Password)

    
> Jboss AS 7.1.1 / Jboss EAP 6.0 Beta2 : Jboss use weakeness cipher algorithm (Blowfish 56 bits) to encrypted DataSource Password
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AS7-4983
>                 URL: https://issues.jboss.org/browse/AS7-4983
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Domain Management, Security
>    Affects Versions: 7.1.2.Final (EAP)
>         Environment: Jboss EAP 6.0 Beta2
> Jboss AS 7.1.1
> Linux RHEL 5.4
> JDK 1.6.0_24 
>            Reporter: Yannick LE NY
>            Assignee: Brian Stansberry
>             Fix For: 7.1.3.Final (EAP)
>
>
> In JBoss EAP 6.0 Beta2 or JBoss AS 7.1.1, JBoss uses a weak cipher algorithm (Blowfish, 56 bits) to encrypt the DataSource password.
> http://middlewaremagic.com/jboss/?p=1026 says:
> "JBoss AS7 uses picketbox security implementations. In this example we will see how we can provide an Encrypted Password for our DataSources rather than using the ClearText Password. The picketbox provides us a class for encrypting the Cleartext passwords using class "org.picketbox.datasource.security.SecureIdentityLoginModule"."
> When you search for the org.picketbox.datasource.security.SecureIdentityLoginModule Java class on the Internet, you find this source file:
> http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.picketbox/jbosssx-bare/4.0.9.Final/org/picketbox/datasource/security/SecureIdentityLoginModule.java#SecureIdentityLoginModule
> In the file SecureIdentityLoginModule.java, we can see that the weak Blowfish cipher algorithm (line: Cipher cipher = Cipher.getInstance("Blowfish"); )
> is what the Cipher getInstance function is used with:
> (http://docs.oracle.com/javase/6/docs/api/javax/crypto/Cipher.html#getInstance%28java.lang.String,%20java.security.Provider%29 )
> Blowfish info: http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
> This is a weakness because, by default, the JDK uses Blowfish with a 56-bit key:
> Source: http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppB
> Extract: "The SunJCE provider uses the following default keysizes: KeyGenerator: Blowfish: 56 bits"
> The org.picketbox.datasource.security.SecureIdentityLoginModule class uses the javax.crypto.Cipher class.
> As you can see at http://docs.oracle.com/javase/6/docs/api/javax/crypto/Cipher.html#getInstance%28java.lang.String,%20java.security.Provider%29,
> the getInstance function can use several cipher algorithms.
> The cipher algorithms available are listed at:
> http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA (part Cipher)
> http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
> So, can you replace the weak Blowfish cipher algorithm used to encrypt the DataSource password with
> AES-256?
> Note: the security team in my big company now wants all the application servers used in the company to use a strong
> cipher algorithm, such as 3DES as used by Oracle WebLogic 10 or AES-256 as used by Oracle WebLogic 11.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
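The pattern the report objects to, next to the AES-256 alternative it asks for, as an added Java example. This is not PicketBox's or JBoss's code: the class name, method names and the constructed demo key and password are assumptions made for the example. The first method reproduces the Cipher.getInstance("Blowfish") call with a KeyGenerator left at the provider default and returns the key size the running JDK actually produced; the second pair encrypts and decrypts a DataSource password with AES-256 in GCM mode; the last method is a small audit check for the transformations a reviewer would reject for this use.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DataSourcePasswordCipherDemo {

    private static final SecureRandom RNG = new SecureRandom();

    // "Before": the call the report points at. Cipher.getInstance("Blowfish") resolves to
    // Blowfish/ECB/PKCS5Padding (no IV, no integrity check), and a KeyGenerator with no
    // explicit key size gives the provider default (56 bits in the JDK docs quoted in the
    // report; newer JDKs default higher, so the method returns the size actually generated).
    static int weakBlowfishDefaultKeyBits() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("Blowfish");
        SecretKey key = kg.generateKey();
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        cipher.doFinal("hunter2".getBytes(StandardCharsets.UTF_8)); // constructed password
        return key.getEncoded().length * 8;
    }

    // "After": AES-256 in GCM mode. A fresh random 12-byte IV is prepended to the
    // ciphertext, and the GCM tag detects tampering with the stored value.
    static String encryptPassword(byte[] aes256Key, String clearText) throws GeneralSecurityException {
        if (aes256Key.length != 32) throw new IllegalArgumentException("AES-256 needs a 32-byte key");
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(aes256Key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(clearText.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decryptPassword(byte[] aes256Key, String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        byte[] iv = Arrays.copyOfRange(in, 0, 12);
        byte[] ct = Arrays.copyOfRange(in, 12, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(aes256Key, "AES"), new GCMParameterSpec(128, iv));
        // doFinal throws AEADBadTagException if the stored value was modified
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    // Audit helper: flags transformation strings a code review should reject for
    // password storage (legacy algorithms, or any algorithm in ECB mode). A string
    // with no mode, such as "Blowfish", gets the JCE default mode, which is ECB.
    static boolean isWeakTransformation(String transformation) {
        String[] parts = transformation.toUpperCase(Locale.ROOT).split("/");
        String algorithm = parts[0];
        String mode = parts.length > 1 ? parts[1] : "ECB";
        return algorithm.equals("BLOWFISH") || algorithm.equals("DES")
                || algorithm.equals("RC4") || algorithm.equals("ARCFOUR") || mode.equals("ECB");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Default Blowfish key size on this JDK: " + weakBlowfishDefaultKeyBits() + " bits");
        // Constructed demo key; a deployment loads it from a keystore rather than hard-coding it.
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        String stored = encryptPassword(key, "hunter2");
        System.out.println("Stored value: " + stored);
        System.out.println("Round trip ok: " + "hunter2".equals(decryptPassword(key, stored)));
        System.out.println("Cipher.getInstance(\"Blowfish\") weak? " + isWeakTransformation("Blowfish"));
        System.out.println("AES/GCM/NoPadding weak? " + isWeakTransformation("AES/GCM/NoPadding"));
    }
}
```

Two caveats for the JDK the report names: GCMParameterSpec exists only from Java 7 onward, so on JDK 1.6 an authenticated mode has to come from an extra provider, and AES with a 256-bit key needed the JCE unlimited-strength policy files on JDKs before 8u161. The key size printed by weakBlowfishDefaultKeyBits is the provider default of whatever JDK runs the example, which is the same default the report's quoted docs put at 56 bits.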
