Encryption Strength of Password Caching


Christian Schröder (111) | asked May 29 '19, 3:18 a.m.
Hello,

in a previous question (https://jazz.net/forum/questions/65727/using-quotscm-loginquot-command-with-c-option-cache-pw) I read that the password cached by lscm.bat is stored encrypted on disk (~/.jazz-scm/repositories.txt). May I ask about the encryption strength (cryptographic algorithm and key length) to verify whether this satisfies the IT-security demands of my company?

Thank you for your answer
Christian

One answer



David Lafreniere (4.8k7) | answered May 29 '19, 10:07 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
The password file on disk is really just obfuscated and should not be considered fully secure (i.e. the initial requirement/feature was simply to prevent the casual reader from reading the file to see the password in plain text). The solution uses symmetric encryption and decryption (in base 64); however, the key used for encryption 'can' be 'attacked' (without going into too much detail as to how...).

I did not check for any existing Enhancements or RFEs, but if there are none, you may want to open one to request a more secure solution.

Comments
Christian Schröder commented Jun 05 '19, 1:40 a.m. | edited Jun 05 '19, 5:30 a.m.
As "Base 64" is more a "presentation format" than an encryption algorithm, could you provide some more information on the symmetric algorithm (e.g. AES-128 or AES-256)? The algorithm name is required to check against our IT-security demands.
Thank you very much.

Ralph Schoon commented Jun 05 '19, 5:37 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Christian, we will approach you to talk about this directly.


As David mentions, the intent of the "encryption" is to obfuscate the password, so that casually reading it does not reveal the password. Usually you have to make sure that users who should not be able to get at the password do not have access to the file location of the password file. Regardless of how encrypted the password file is, being able to read the password file would allow a user to use it.
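The two points made above (David's: a symmetric cipher whose key the client must be able to reconstruct is obfuscation, not protection; Ralph's: the real control is who can read the file) can be shown concretely. The following is an added example and is not lscm or jazz.net code. It assumes a hypothetical scheme: a key derived only from non-secret values (hostname and user name), an HMAC-SHA256 counter-mode keystream standing in for whatever symmetric cipher a real client might use, base64 as the on-disk presentation, and an invented line format for a `repositories.txt`-style cache. The actual lscm algorithm, key derivation and file format are not known from the page and are not what this code claims to reproduce.

```python
"""Added example (hypothetical scheme, not lscm / jazz.net code):
why a cached password whose key the client can always reconstruct is
only obfuscated, and why file permissions are the control that matters."""
import base64
import hashlib
import hmac
import os
import stat
import tempfile

NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for any symmetric cipher.
    # The cipher strength is irrelevant to the argument; the key origin is not.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_client_key(hostname: str, username: str) -> bytes:
    # Hypothetical derivation from values the client can always recompute so
    # that the user never types a passphrase. None of these inputs is secret.
    return hashlib.sha256(f"{hostname}:{username}".encode()).digest()


def obfuscate(password: str, key: bytes) -> str:
    pw = password.encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))
    # base64 is presentation only: it hides nothing from anyone who decodes it.
    return base64.b64encode(nonce + ct).decode()


def deobfuscate(blob: str, key: bytes) -> str:
    raw = base64.b64decode(blob)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def attacker_recovers(blob: str, hostname: str, username: str) -> str:
    # Anyone who can read the cache file and knows (or reverse-engineers from
    # the client) how the key is derived gets the password back outright.
    return deobfuscate(blob, derive_client_key(hostname, username))


def cache_file_is_private(path: str) -> bool:
    # The check behind Ralph's comment: can anyone other than the owner read
    # the file? POSIX mode bits; on Windows the equivalent is the file's ACL.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> dict:
    # Constructed sample: hypothetical host, user, password and cache line.
    key = derive_client_key("build01", "alice")
    blob = obfuscate("S3cret!", key)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "repositories.txt")
        with open(path, "w") as f:
            f.write(f"https://jazz.example/ccm alice {blob}\n")  # invented format
        os.chmod(path, 0o644)
        before = cache_file_is_private(path)
        os.chmod(path, 0o600)
        after = cache_file_is_private(path)
    return {
        "on_disk": blob,
        "recovered": attacker_recovers(blob, "build01", "alice"),
        "private_0644": before,
        "private_0600": after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The on-disk value looks random and is not base64 of the plaintext, which is exactly what "prevent the casual reader" buys; `attacker_recovers` shows that this is the whole benefit. The `cache_file_is_private` check is the part worth automating: on a shared build host, a world-readable cache file hands the credential to every local user no matter which cipher was used, and a 0600 file is the only thing that actually narrows who can use it.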


