[jboss-jira] [JBoss JIRA] (WFLY-926) JBoss AS 7.1.1 / JBoss EAP 6.0 Beta2: JBoss uses a weak security cipher algorithm (Blowfish 56 bits) to encrypt DataSource Password
Brian Stansberry (JIRA)
issues at jboss.org
Wed Nov 4 20:35:01 EST 2015
[ https://issues.jboss.org/browse/WFLY-926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry resolved WFLY-926.
-----------------------------------
Resolution: Rejected
Resolving based on Arun's comment.
> JBoss AS 7.1.1 / JBoss EAP 6.0 Beta2: JBoss uses a weak security cipher algorithm (Blowfish 56 bits) to encrypt DataSource Password
> -----------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-926
> URL: https://issues.jboss.org/browse/WFLY-926
> Project: WildFly
> Issue Type: Bug
> Components: Domain Management, Security
> Environment: Jboss EAP 6.0 Beta2
> Jboss AS 7.1.1
> Linux RHEL 5.4
> JDK 1.6.0_24
> Reporter: Yannick LE NY
> Assignee: Stefan Guilhen
>
> In JBoss EAP 6.0 Beta2 or JBoss AS 7.1.1, JBoss uses a weak cipher algorithm (Blowfish 56 bits) to encrypt the DataSource password.
> http://middlewaremagic.com/jboss/?p=1026 says:
> "JBoss AS7 uses picketbox security implementations. In this example we will see how we can provide an Encrypted Password for our DataSources rather than using the ClearText Password. The picketbox provides us a class for encrypting the Cleartext passwords using class "org.picketbox.datasource.security.SecureIdentityLoginModule"."
> When you search for the org.picketbox.datasource.security.SecureIdentityLoginModule Java class on the Internet, you find this source file:
> http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.picketbox/jbosssx-bare/4.0.9.Final/org/picketbox/datasource/security/SecureIdentityLoginModule.java#SecureIdentityLoginModule
> In the file SecureIdentityLoginModule.java, we can see that it is the weak Blowfish cipher algorithm that is passed to the Cipher.getInstance function
> (line: Cipher cipher = Cipher.getInstance("Blowfish"); ):
> (http://docs.oracle.com/javase/6/docs/api/javax/crypto/Cipher.html#getInstance%28java.lang.String,%20java.security.Provider%29 )
> Blowfish info : http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
> It is weak because, by default, the JDK uses Blowfish with a 56-bit key:
> Source: http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppB
> Extract: "The SunJCE provider uses the following default keysizes: KeyGenerator: Blowfish: 56 bits"
> The org.picketbox.datasource.security.SecureIdentityLoginModule class uses the javax.crypto.Cipher class.
> As you can see at http://docs.oracle.com/javase/6/docs/api/javax/crypto/Cipher.html#getInstance%28java.lang.String,%20java.security.Provider%29,
> the getInstance function can use several cipher algorithms.
> The cipher algorithms available are listed at:
> http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA (part Cipher)
> http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
> Then, can you replace the weak Blowfish cipher algorithm used to encrypt the DataSource password with
> AES-256?
> Note: The security team in my big company now wants all the application servers used in the company to use a strong
> cipher algorithm, such as 3DES as used by Oracle WebLogic 10 or AES-256 as used by Oracle WebLogic 11.
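As an added illustration (not code from the report, PicketBox or WildFly), here is a small Java check of the point raised in the quoted report: it prints the key size the running JDK's KeyGenerator hands out for Blowfish when none is requested (the JDK 5/6 documentation cited above says 56 bits; newer JDKs may differ), then encrypts the same sample password with an explicitly requested 256-bit AES key in an authenticated mode. It assumes Java 8 or later; the password value is constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class DataSourcePasswordCipherCheck {

    /** Key length in bits the provider produces when no key size is requested. */
    static int defaultKeyBits(String algorithm) throws Exception {
        SecretKey key = KeyGenerator.getInstance(algorithm).generateKey();
        return key.getEncoded().length * 8;
    }

    /** Pattern quoted in the report: Blowfish with a default-sized key and the provider's default mode/padding. */
    static byte[] encryptBlowfishDefault(SecretKey key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plaintext);
    }

    /** Hardened alternative: AES with an explicitly requested 256-bit key, in GCM so tampering is detected. */
    static byte[] aes256Gcm(int mode, SecretKey key, byte[] iv, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(mode, key, new GCMParameterSpec(128, iv)); // 128-bit authentication tag
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        byte[] password = "s3cret-ds-password".getBytes(StandardCharsets.UTF_8); // constructed sample

        // 1. Check the claim: what key size does the default Blowfish KeyGenerator give on this JDK?
        System.out.println("Blowfish default key size: " + defaultKeyBits("Blowfish") + " bits");

        // 2. The pattern under discussion, relying on that default.
        SecretKey weakKey = KeyGenerator.getInstance("Blowfish").generateKey();
        System.out.println("Blowfish ciphertext length: " + encryptBlowfishDefault(weakKey, password).length);

        // 3. Never rely on the default: request 256 bits explicitly.
        //    (Pre-8u161 JDKs need the unlimited-strength jurisdiction policy files for this.)
        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(256);
        SecretKey strongKey = aesGen.generateKey();
        byte[] iv = new byte[12];              // 96-bit GCM nonce, fresh for every encryption
        new SecureRandom().nextBytes(iv);
        byte[] ct = aes256Gcm(Cipher.ENCRYPT_MODE, strongKey, iv, password);
        byte[] pt = aes256Gcm(Cipher.DECRYPT_MODE, strongKey, iv, ct);
        System.out.println("AES key size: " + strongKey.getEncoded().length * 8 + " bits");
        System.out.println("AES-256-GCM round trip ok: " + Arrays.equals(password, pt));
    }
}
```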