From: Jaime H. E. <hab...@gm...> - 2017-04-18 20:19:59

On Fri, Mar 24, 2017 at 9:03 PM, Jaime Hablutzel Egoavil <hab...@gm...> wrote:

> On Mar 22, 2017 3:36 AM, "Tomas Gustavsson" <to...@pr...> wrote:
>
>> Hi,
>>
>> We don't call it encryption, but obfuscation, since we don't claim the purpose is to encrypt data so it can not be recovered.
>
> But note that it could provide *real encryption*, at least for the DBA role, if the encryption key would be configurable. I say, given that the DBA wouldn't have access to the custom encryption key (stored in a property file), he would be unable to decrypt auto-activation passwords stored in the database, so, even when he has access to soft crypto tokens stored in the database he would be unable to use them at all.
>
>> That said, making it into user configurable encryption is a good idea, I agree. Patches would be very welcome.
>
> I will try to work on this next time I come back to EJBCA related tasks.

I've created a feature request at https://jira.primekey.se/projects/COMMUNITY/issues/COMMUNITY-65 and it includes a proposed patch. Please take a look at it and let me know if you find it appropriate.

Regards.

>> Regards,
>> Tomas
>>
>> On 2017-03-21 18:45, Jaime Hablutzel Egoavil wrote:
>>> I'm looking that EJBCA is currently hardcoding the password encryption key in org.cesecore.util.StringTools:
>>>
>>> ...
>>> private static final char[] p = deobfuscate("*OBF:1m0r1kmo1ioe1ia01j8z17y41l0q1abo1abm1abg1abe1kyc17ya1j631i5y1ik01kjy1lxf*").toCharArray();
>>> ...
>>>
>>> But, why don't you allow it to be overridden from configuration files? This way, encrypted auto-activation passwords would be more secure for the ones aware of the possibility to override the default encryption key.
>>>
>>> Finally and just for reference, take a look at the following similar mechanism (where users are even forced to change the encryption key/password) in a completely different framework, https://www.playframework.com/documentation/2.5.x/ApplicationSecret (the first paragraph suffices).

--
Jaime Hablutzel - RPC 994690880
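The arrangement the thread argues for, as an added Java sketch that is neither EJBCA's code nor the patch attached to COMMUNITY-65: the key protecting auto-activation passwords is read from a property file and only falls back to a built-in default when none is configured, so a DBA who holds the database rows but not the property file cannot recover the passwords. The property name `password.encryption.key`, the default key value, and the choice of AES-GCM with a SHA-256-derived key are this example's assumptions, not EJBCA's.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ConfigurableKeyDemo {
    // Stand-in for a built-in default: anyone who can read the source or the jar knows it (assumed value).
    static final char[] DEFAULT_KEY = "hypothetical-default-key".toCharArray();
    // Property name is an assumption for this example, not an EJBCA setting.
    static char[] loadKey(Properties conf) {
        String v = conf.getProperty("password.encryption.key");
        if (v != null && !v.isEmpty()) return v.toCharArray();
        System.err.println("WARNING: no custom key configured; anyone with database access can decrypt");
        return DEFAULT_KEY;
    }
    // SHA-256 of the secret as a 256-bit AES key (demo shortcut; use a salted KDF such as PBKDF2 in practice).
    static SecretKeySpec aesKey(char[] secret) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(new String(secret).getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(d, "AES");
    }
    // AES-GCM, random 12-byte IV; returns base64(iv || ciphertext || tag), i.e. what would be stored in the database.
    static String encrypt(char[] secret, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, aesKey(secret), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // The GCM tag check throws AEADBadTagException when the wrong key is used.
    static String decrypt(char[] secret, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, aesKey(secret), new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        Properties conf = new Properties();  // in a deployment: loaded from the property file the DBA cannot read
        conf.setProperty("password.encryption.key", "site-specific-secret");
        String stored = encrypt(loadKey(conf), "token-activation-password");
        System.out.println("operator with the property file: " + decrypt(loadKey(conf), stored));
        try { decrypt(DEFAULT_KEY, stored); }  // a DBA who only has the database and the default key
        catch (GeneralSecurityException e) { System.out.println("default key rejected: " + e.getClass().getSimpleName()); }
    }
}
```

Leaving the property unset reproduces the situation the thread describes: the fallback key is the one baked into the code, so possession of the database alone is enough to decrypt.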