Task #1600

closed

Change of algorithm mode in local confidential storage

Added by Luděk Urban almost 5 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: Luděk Urban
Category: -
Target version: -
Start date:
Due date: 09/07/2020
% Done: 0%
Estimated time:
Owner:

Description

In order to increase security, the algorithm mode in local confidential storage needs to be changed from CBC to CCM. With this change, some kind of re-encrypt tool that will re-encrypt current data also needs to be implemented, and a deployment plan created for it.

Encryption algorithm of Confidential storage must be changed from AES/CBC/PKCS5Padding to AES/CCM/PKCS5Padding.

Tasks:

  • Change encryption mode in IdM
  • Create a tool to re-encrypt already used confidential storage
  • Create deploy guide
Actions #1

Updated by Luděk Urban almost 4 years ago

  • Description updated (diff)
Actions #2

Updated by Luděk Urban almost 4 years ago

  • Description updated (diff)
Actions #3

Updated by Luděk Urban almost 4 years ago

  • Description updated (diff)
Actions #4

Updated by Luděk Urban almost 4 years ago

  • Due date set to 09/07/2020
  • Assignee set to Luděk Urban
  • Start date deleted (04/10/2019)

CCM can be used for confidential storage. The CCM algorithm is the CBC-MAC and CTR modes merged together. CBC-MAC is there for authentication and CTR for the encryption. CTR uses the key to encrypt a random nonce and counter (position of the data block). Then it uses XOR to merge it with the message data block and the tag from CBC-MAC.

CCM mode isn't in the Java standard. That means that this mode can be missing in different Java versions. Currently CCM is not in the standard of Java 8 and Java 11.

java 8 wiki
https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
java 11 wiki
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/crypto/Cipher.html

Check again in September if something has changed. Because the CBC cipher is still good for confidential storage, there is no point in changing encryption to CCM now.
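An added example, not part of the original ticket or the IdM code base: a Java probe that checks at runtime whether any installed JCA provider offers a CCM transformation and, if one does, shows the CBC-MAC tag rejecting a modified ciphertext. The class name `CcmProbe`, the transformation string `AES/CCM/NoPadding`, and the provider accepting `GCMParameterSpec` for CCM are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CcmProbe {
    // Assumption: CCM is requested without a padding scheme, as is usual for AEAD modes.
    static final String CCM = "AES/CCM/NoPadding";

    /** Returns the first installed provider that offers CCM, or null if none does. */
    static Provider findCcmProvider() {
        for (Provider p : Security.getProviders()) {
            try {
                Cipher.getInstance(CCM, p);
                return p;
            } catch (GeneralSecurityException e) {
                // this provider has no CCM transformation; try the next one
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Provider p = findCcmProvider();
        if (p == null) {
            System.out.println(CCM + " is not offered by any installed provider");
            return;
        }
        byte[] key = new byte[16], nonce = new byte[12]; // constructed demo values; CCM nonces are 7-13 bytes
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(key);
        rnd.nextBytes(nonce);
        SecretKeySpec k = new SecretKeySpec(key, "AES");
        // Assumption: the provider accepts GCMParameterSpec (tag length in bits + nonce) for CCM.
        GCMParameterSpec spec = new GCMParameterSpec(128, nonce);
        Cipher c = Cipher.getInstance(CCM, p);
        c.init(Cipher.ENCRYPT_MODE, k, spec);
        byte[] ct = c.doFinal("constructed secret".getBytes(StandardCharsets.UTF_8));
        ct[0] ^= 0x01; // simulate modification of the stored ciphertext
        c.init(Cipher.DECRYPT_MODE, k, spec);
        try {
            c.doFinal(ct);
            System.out.println("modification was NOT detected");
        } catch (BadPaddingException e) { // AEADBadTagException is a subclass
            System.out.println(p.getName() + ": modified ciphertext rejected by the tag check");
        }
    }
}
```

On a stock Java 8 or Java 11 runtime with only the bundled providers, the probe takes the "not offered" branch, which matches the observation in the comment above.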

Actions #5

Updated by Petr Fišer almost 4 years ago

Actions #6

Updated by Luděk Urban over 3 years ago

  • Status changed from New to In Progress

CCM mode can be implemented in the Cipher class, but it isn't in the Java standard yet.

Actions #7

Updated by Luděk Urban over 3 years ago

  • Status changed from In Progress to Closed

Because implementation of CCM mode is not even on the roadmap and the CBC cipher is sufficient for IdM, I am closing this ticket.
