Task #1600
closedChange of algorithm mode in local confidential storage
0%
Description
In order to increase security it's need to change algorithm mode in local confidential storage from CBC to CCM. With this change is also need to be implemented some kind of re-encrypt tool that will re-encrypt current data. And also create deployment plan for it.
Encryption algorithm of Confidential storage must be changed from AES/CBC/PKCS5Padding to AES/CCM/PKCS5Padding.
Tasks:
- Change encryption mode in IdM
- Create tool re-encrypt already used confidential storage
- Create deploy guide
Updated by Luděk Urban almost 4 years ago
- Due date set to 09/07/2020
- Assignee set to Luděk Urban
- Start date deleted (
04/10/2019)
CCM can be used for confidental storege. CCM algorithm is CBC-MAC and CTR modes merged together. CBC-MAC is there for authentication and for CTR the encryption. CTR uses key to encrypt random nonse and counter(position of data block). Than it use XOR to merge it with message data block and the tag from CBC-MAC.
CCM mode isn't in java standard. That mean that in different java version can be this mode missing. Now it CCM is not in standard of java 8 and java 11.
java 8 wiki
https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
java 11 wiki
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/crypto/Cipher.html
Check again in september if something changed. Because CBC cifer is still good for confidental storege there is no meaning to change encryption to CCM now.
Updated by Petr Fišer almost 4 years ago
Also useful source to check (updated 24/3/2020). Didn't read through, though.
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=10
Updated by Luděk Urban over 3 years ago
- Status changed from New to In Progress
CCM mode can be implemented in Cipther class but it isn't in java standard yet.
Updated by Luděk Urban over 3 years ago
- Status changed from In Progress to Closed
Because implementation of CCM mode is not even in road map and CBC cipher is sufficient for IdM I am closing this ticket.