[jboss-jira] [JBoss JIRA] (JGRP-1487) AUTH: X509Token Authentication is vulnerable to replay attacks
Bela Ban (JIRA)
issues at jboss.org
Tue Jul 22 06:55:33 EDT 2014
[ https://issues.jboss.org/browse/JGRP-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12986962#comment-12986962 ]
Bela Ban commented on JGRP-1487:
--------------------------------
Can this issue be marked as resolved ? Otherwise I'll push it into 3.6
> AUTH: X509Token Authentication is vulnerable to replay attacks
> --------------------------------------------------------------
>
> Key: JGRP-1487
> URL: https://issues.jboss.org/browse/JGRP-1487
> Project: JGroups
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 3.0.9
> Reporter: sreenivas chinimilli
> Assignee: Tristan Tarrant
> Fix For: 3.5
>
>
> In the implementation of X509Token Authentication
> The auth_value is enrypted with the certificate within the keystore and
> during verification encrypted auth value is decrypted with the private key
> compared against the orignial auth value.
> This implementation is prone to replay attacks, that is
> any user with out having any knowledge of the auth value can join the group
> by replaying the enrypted auth value captured in earlier sessions.
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
More information about the jboss-jira
mailing list