From: Jaime H. E. <hab...@gm...> - 2017-03-25 02:04:19
On Mar 22, 2017 3:36 AM, "Tomas Gustavsson" <to...@pr...> wrote:
> Hi,
> We don't call it encryption, but obfuscation, since we don't claim the
> purpose is to encrypt data so it can not be recovered.

But note that it could provide *real encryption*, at least for the DBA
role, if the encryption key would be configurable. I say, given that the
DBA wouldn't have access to the custom encryption key (stored in a property
file), he would be unable to decrypt auto-activation passwords stored in
the database, so, even when he has access to soft crypto tokens stored in
the database he would be unable to use them at all.

> That said, making it into user-configurable encryption is a good idea, I
> agree. Patches would be very welcome.

I will try to work on this next time I come back to EJBCA-related tasks.

> Regards,
> Tomas
On 2017-03-21 18:45, Jaime Hablutzel Egoavil wrote:
> I see that EJBCA is currently hardcoding the password encryption
> key in org.cesecore.util.StringTools:
>
> ...
> private static final char[] p =
>         deobfuscate("*OBF:1m0r1kmo1ioe1ia01j8z17y41l0q1abo1abm1abg1abe1kyc17ya1j631i5y1ik01kjy1lxf*").toCharArray();
> ...
>
> But why don't you allow it to be overridden from configuration files?
> This way, encrypted auto-activation passwords would be more secure for
> the ones aware of the possibility to override the default encryption key.
>
> Finally, and just for reference, take a look at the following similar
> mechanism (where users are even forced to change the encryption
> key/password) in a completely different
> framework, https://www.playframework.com/documentation/2.5.x/ApplicationSecret (the
> first paragraph suffices).
>
> --
> Jaime Hablutzel - RPC 994690880
_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
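As an added illustration (not EJBCA's code, and not a description of what org.cesecore.util.StringTools actually does), the following Java sketch shows the pattern the thread is asking for: the secret comes from a properties file that the DBA role cannot read, the built-in default is only a fallback that is logged loudly, and each stored auto-activation password is encrypted under a key derived from the configured secret. The property name `password.encryption.key`, the default string, the sample secret and the AES-GCM/PBKDF2 construction are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Example only: a config-driven password encryption helper, not EJBCA's implementation. */
public final class ConfigurablePasswordCrypto {
    // Hypothetical property name; EJBCA does not define it.
    static final String KEY_PROPERTY = "password.encryption.key";
    // Stand-in for a compiled-in default: anyone with the jar knows it, so it is obfuscation only.
    static final String DEFAULT_KEY = "change-me-default-key";
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final int SALT_BYTES = 16;

    private final char[] secret;
    private final boolean usingDefault;

    public ConfigurablePasswordCrypto(Properties config) {
        String configured = config.getProperty(KEY_PROPERTY);
        this.usingDefault = configured == null || configured.isEmpty();
        this.secret = (usingDefault ? DEFAULT_KEY : configured).toCharArray();
        if (usingDefault) {
            // Loud warning: with the default, a DBA can decrypt everything in the table.
            System.err.println("WARNING: " + KEY_PROPERTY
                    + " not set; stored passwords are obfuscated, not encrypted");
        }
    }

    public boolean isUsingDefaultKey() { return usingDefault; }

    // Per-record salt so identical passwords do not produce identical ciphertexts.
    private SecretKey deriveKey(byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(secret, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns base64(salt || iv || ciphertext+tag), the value that would go into the database. */
    public String encrypt(String plaintext) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[salt.length + iv.length + ct.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(iv, 0, out, salt.length, iv.length);
        System.arraycopy(ct, 0, out, salt.length + iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public String decrypt(String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        byte[] salt = Arrays.copyOfRange(in, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(in, SALT_BYTES, SALT_BYTES + GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, SALT_BYTES + GCM_IV_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        // GCM authenticates the ciphertext: a wrong key fails the tag check instead of
        // returning garbage.
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the CA node reads its secret from a properties file the DBA cannot see.
        Properties caConfig = new Properties();
        caConfig.setProperty(KEY_PROPERTY, "long-random-secret-from-properties-file");
        ConfigurablePasswordCrypto caNode = new ConfigurablePasswordCrypto(caConfig);
        String stored = caNode.encrypt("soft-token-activation-pin");
        System.out.println("stored in DB : " + stored);
        System.out.println("CA decrypts  : " + caNode.decrypt(stored));

        // The DBA has the database row and the shipped default, but not the configured secret.
        ConfigurablePasswordCrypto dba = new ConfigurablePasswordCrypto(new Properties());
        try {
            dba.decrypt(stored);
        } catch (AEADBadTagException e) {
            System.out.println("DBA with default key cannot decrypt: " + e);
        }
    }
}
```

Whether this gives "real encryption" rather than obfuscation depends entirely on where the secret lives: it only helps against the DBA role if the properties file is readable by the application account alone and is not backed up or replicated alongside the database. Changing the secret after passwords have been stored also means re-encrypting every stored value under the new one, which is the migration step any patch along these lines would have to include.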