[jboss-jira] [JBoss JIRA] (ELY-1189) Create better way of masking passwords using modern PBE algorithm
Peter Skopek (JIRA)
issues at jboss.org
Tue May 23 13:22:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13410848#comment-13410848 ]
Peter Skopek commented on ELY-1189:
-----------------------------------
zregvart commented on 12 Jan
All good points, let me open up another can of worms.
Assuming that the goal of MaskedPassword is to prevent someone from glancing over and seeing the password in clear text I would argue that the current MaskedPassword could be split into two implementations PickBoxMaskedPassword and SimpleMaskedPassword (example name).
PickBoxMaskedPassword would remain for compatibility with PicketBox, while SimpleMaskedPassword would use a simple algorithm to obfuscate the password (ROT13, XOR).
I think there is really little value from a cryptography standpoint in using a KDF for generating the key to transform (encrypt/decrypt) the clear text password while exposing all the parameters for the KDF (in this case the initial secret, hardcoded "somearbitr...") and the transformation (salt, iteration count, IV) also in the clear.
I also think that it could be the CredentialStore's domain to pick if it wants to derive a key for its protection from a Password (probably transformed to ClearPasswordSpec) by using a KDF of choice, and so there should be no need for using a KDF in MaskedPassword.
Also, using the KDF (SecretKeyFactory) in the current implementation with 0 iterations and no salt (the default for PBEKeySpec if not specified) is not adding any security, as the key would be used verbatim (check the getEncoded of the resulting SecretKey).
> Create better way of masking passwords using modern PBE algorithm
> -----------------------------------------------------------------
>
> Key: ELY-1189
> URL: https://issues.jboss.org/browse/ELY-1189
> Project: WildFly Elytron
> Issue Type: Task
> Components: Credential Store
> Reporter: Peter Skopek
> Assignee: Peter Skopek
>
> Create better way of masking passwords using modern PBE algorithm.
> This bug contains discussion from PR: https://github.com/wildfly-security/wildfly-elytron/pull/619
> To have this documented and PR closed.
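An added example, not code from the page or from the Elytron PR, that shows in plain JCE calls the point made in the quoted comment: a PBEKeySpec built only from the password (no salt, 0 iterations) and fed to a PBE SecretKeyFactory yields a SecretKey whose getEncoded() is the password bytes verbatim, whereas a salted, iterated PBKDF2 derivation yields a key that does not reveal the password. The algorithm names, salt size, iteration count and the sample password are assumptions for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class MaskingKeyCheck {

    // Constructed sample password for the demo; not a value from the issue.
    static final char[] PASSWORD = "somearbitrary".toCharArray();

    // The pattern criticised in the comment: PBEKeySpec with no salt and 0 iterations.
    static byte[] pbeKeyWithoutSaltOrIterations() throws Exception {
        PBEKeySpec spec = new PBEKeySpec(PASSWORD);
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES").generateSecret(spec);
        spec.clearPassword();
        return key.getEncoded();
    }

    // A real KDF use: random salt, a meaningful iteration count, fixed output length.
    static byte[] pbkdf2Key(byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(PASSWORD, salt, iterations, 256);
        SecretKey key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec);
        spec.clearPassword();
        return key.getEncoded();
    }

    public static void main(String[] args) throws Exception {
        byte[] passwordBytes = new String(PASSWORD).getBytes(StandardCharsets.US_ASCII);

        // The JDK PBE SecretKeyFactory encodes the key as the password characters themselves,
        // so nothing was derived: anyone holding the SecretKey holds the password.
        byte[] weak = pbeKeyWithoutSaltOrIterations();
        System.out.println("PBE key equals password bytes: " + Arrays.equals(weak, passwordBytes));

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] strong = pbkdf2Key(salt, 100_000);
        System.out.println("PBKDF2 key equals password bytes: " + Arrays.equals(strong, passwordBytes));
        System.out.println("PBKDF2 key length in bytes: " + strong.length);

        // Once the salted form of PBEKeySpec is used, the degenerate parameters are rejected.
        try {
            new PBEKeySpec(PASSWORD, new byte[0], 0, 256);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected empty salt / zero iterations: " + e.getMessage());
        }
    }
}
```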