WildFly / WFLY-926

JBoss AS 7.1.1 / JBoss EAP 6.0 Beta2: JBoss uses a weak cipher algorithm (Blowfish, 56 bits) to encrypt the DataSource password


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Component/s: Management, Security
    • Environment: JBoss EAP 6.0 Beta2
      JBoss AS 7.1.1
      Linux RHEL 5.4
      JDK 1.6.0_24

      In JBoss EAP 6.0 Beta2 or JBoss AS 7.1.1, JBoss uses a weak cipher algorithm (Blowfish, 56 bits) to encrypt the DataSource password.

      http://middlewaremagic.com/jboss/?p=1026 says:
      "JBoss AS7 uses picketbox security implementations. In this example we will see how we can provide an Encrypted Password for our DataSources rather than using the ClearText Password. The picketbox provides us a class for encrypting the Cleartext passwords using class "org.picketbox.datasource.security.SecureIdentityLoginModule"."

      When you search for the org.picketbox.datasource.security.SecureIdentityLoginModule Java class on the Internet, you find this source file:
      http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.picketbox/jbosssx-bare/4.0.9.Final/org/picketbox/datasource/security/SecureIdentityLoginModule.java#SecureIdentityLoginModule

      In the file SecureIdentityLoginModule.java, we can see that the weak Blowfish cipher algorithm is the one passed to the Cipher getInstance function (line Cipher cipher = Cipher.getInstance("Blowfish"); ):
      (http://docs.oracle.com/javase/6/docs/api/javax/crypto/Cipher.html#getInstance%28java.lang.String,%20java.security.Provider%29 )
      Blowfish info: http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
      It is weak because, by default, the JDK uses Blowfish with a 56-bit key:
      Source: http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppB
      Extract: "The SunJCE provider uses the following default keysizes: KeyGenerator: Blowfish: 56 bits"

      The org.picketbox.datasource.security.SecureIdentityLoginModule class uses the javax.crypto.Cipher class.
      As you can see at http://docs.oracle.com/javase/6/docs/api/javax/crypto/Cipher.html#getInstance%28java.lang.String,%20java.security.Provider%29,
      the getInstance function accepts several cipher algorithms.
      The available cipher algorithms are listed at:
      http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA (Cipher section)
      http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA

      So, can you replace the weak Blowfish cipher algorithm used to encrypt the DataSource password with
      AES-256?

      Note: the security team in my big company now wants all the application servers used in the company to use a strong
      cipher algorithm such as 3DES, used by Oracle WebLogic 10, or AES-256, used by Oracle WebLogic 11.
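Added example, not part of the issue text and not PicketBox or WildFly code: a Java reconstruction of both sides of the request. The first half re-implements the encode()/decode() scheme of the SecureIdentityLoginModule source linked above (Blowfish in the provider's default ECB mode, ciphertext stored as the hex form of a signed BigInteger) with the fixed key string that class embeds. Running it shows the check a practitioner would make before arguing about key sizes: the key is identical on every installation and ships in the jar, so anyone who can read a standalone.xml and the PicketBox jar recovers the password, and swapping Blowfish for AES-256 with the same fixed key would change nothing. The second half is one way to do what the reporter asks: AES-256 in GCM mode with a random nonce and a key supplied by the caller from outside the application. Assumptions: Java 8 or newer (SunJCE's AES/GCM and java.util.Base64); the sample password and the randomly generated master key are constructed for the demo, and a real deployment would load the master key from a keystore or vault rather than generating it at startup. On the JDK 1.6.0_24 named in the environment, 256-bit AES also required installing the JCE Unlimited Strength policy files.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not PicketBox or WildFly code): the PicketBox datasource
 * password scheme re-implemented beside an AES-256-GCM alternative.
 */
public class DsPasswordDemo {

    // Key string embedded in SecureIdentityLoginModule. It is the same for
    // every installation, so the stored value only hides the password from a
    // casual glance at standalone.xml.
    private static final byte[] PICKETBOX_KEY =
            "jaas is the way".getBytes(StandardCharsets.UTF_8);

    /** Mirrors encode(): Blowfish (default ECB/PKCS5Padding), hex of a signed BigInteger. */
    static String blowfishEncode(String secret) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(PICKETBOX_KEY, "Blowfish"));
        byte[] encoding = cipher.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(encoding).toString(16);
    }

    /** Mirrors decode(): anyone holding the jar turns the stored hex back into the password. */
    static String blowfishDecode(String hex) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(PICKETBOX_KEY, "Blowfish"));
        byte[] plain = cipher.doFinal(restoreBlocks(new BigInteger(hex, 16)));
        return new String(plain, StandardCharsets.UTF_8);
    }

    // BigInteger.toByteArray() returns the minimal two's-complement form and so
    // drops redundant leading 0x00/0xFF bytes; sign-extend back to whole 8-byte
    // Blowfish blocks (assumes fewer than 8 bytes were dropped, which holds
    // except with negligible probability).
    private static byte[] restoreBlocks(BigInteger n) {
        byte[] min = n.toByteArray();
        int len = ((min.length + 7) / 8) * 8;
        byte[] out = new byte[len];
        Arrays.fill(out, 0, len - min.length, n.signum() < 0 ? (byte) 0xFF : (byte) 0x00);
        System.arraycopy(min, 0, out, len - min.length, min.length);
        return out;
    }

    /** AES-256-GCM: random 96-bit nonce prepended to ciphertext||tag; the key comes from the caller. */
    static byte[] aesGcmEncrypt(byte[] key256, String secret) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);          // never reuse a nonce under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key256, "AES"),
                new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, blob, 0, nonce.length);
        System.arraycopy(ct, 0, blob, nonce.length, ct.length);
        return blob;
    }

    static String aesGcmDecrypt(byte[] key256, byte[] blob) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key256, "AES"),
                new GCMParameterSpec(128, blob, 0, 12));           // nonce is the first 12 bytes
        byte[] plain = cipher.doFinal(blob, 12, blob.length - 12); // AEADBadTagException if tampered
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String password = "s3cr3t-db-pa55";   // constructed sample, not a real credential

        String stored = blowfishEncode(password);
        System.out.println("PicketBox <password> value   : " + stored);
        System.out.println("recovered with the jar's key : " + blowfishDecode(stored));

        byte[] masterKey = new byte[32];      // 256-bit key; in production load it from a keystore/vault
        new SecureRandom().nextBytes(masterKey);
        byte[] blob = aesGcmEncrypt(masterKey, password);
        System.out.println("AES-256-GCM value (base64)   : " + Base64.getEncoder().encodeToString(blob));
        System.out.println("recovered with the master key: " + aesGcmDecrypt(masterKey, blob));
    }
}
```

Compile and run with `javac DsPasswordDemo.java && java DsPasswordDemo`. The first pair of lines is the part that matters for this ticket: the hex printed is what a PicketBox-style password element would hold, and the next line recovers it with nothing but the key from the class. The GCM half is only an improvement if the master key lives somewhere the application reads at runtime and an attacker with the config file cannot (keystore with a password supplied out of band, vault, or an OS-level secret store); GCM additionally authenticates the value, so an edited element fails to decrypt instead of silently yielding garbage.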

              Assignee: Stefan Guilhen (sguilhen)
              Reporter: Yannick LE NY (yannick92) (Inactive)
              Votes: 1
              Watchers: 5