kek(key-encrypting-key), PCI compliance

kek(key-encrypting-key), PCI compliance

Adam Heath-2
I came in like a storm, but then got quiet for a short while.  I'm
back to announce that I just had a successful first-run load-demo,
with key-encrypting-key working.  I've got 28 (or so) changes up to
today.  Splitting this last little bit will add another 10 (I got
sidetracked on making GenericDelegator's constructors final, and they
no longer leak 'this').  I should finally have this ready by the weekend.

entityengine.xml has a <delegator key-encrypting-key="$base64_des"/>,
there is a TenantKeyEncryptingKey table (fetched from the base
delegator once during construction).

We might be able to finally fix the unprotected jdbcPassword in
TenantDatasource, but my patchset doesn't deal with that.

I should have my code rebased and split by the end of the weekend.

Re: kek(key-encrypting-key), PCI compliance

Jacques Le Roux
Administrator
This is really great news Adam, thanks for the effort!

How did you finally handle the length of the salt (if it's related/integrated in those changes)?

Jacques

From: "Adam Heath" <[hidden email]>

> I came in like a storm, but then got quiet for a short while.  I'm
> back to announce that I just had a successful first-run load-demo,
> with key-encrypting-key working.  I've got 28 (or so) changes up to
> today.  Splitting this last little bit will add another 10 (I got
> sidetracked on making GenericDelegator's constructors final, and they
> no longer leak 'this').  I should finally have this ready by the weekend.
>
> entityengine.xml has a <delegator key-encrypting-key="$base64_des"/>,
> there is a TenantKeyEncryptingKey table (fetched from the base
> delegator once during construction).
>
> We might be able to finally fix the unprotected jdbcPassword in
> TenantDatasource, but my patchset doesn't deal with that.
>
> I should have my code rebased and split by the end of the weekend.

Re: kek(key-encrypting-key), PCI compliance

Adam Heath-2
On 05/02/2012 04:48 PM, Jacques Le Roux wrote:
> This is really great news Adam, thanks for the effort!

I still have a ton of testing to do; I need to clone some oldish-type
ofbiz installs that have credit cards, apply my patch(s), then see
what happens.

> How did you finally handle the length of the salt (if it's
> related/integrated in those changes)?

That's separate; I'm aware of the discussions.  I've got some major
tweaking to HashCrypt, deprecating some stuff, and fixing all cases in
the codebase.  I'll be committing those separately before the kek
stuff; that'll include an increase to the default salt length, and
probably a way to specify min/max salt length in security.properties.


Re: kek(key-encrypting-key), PCI compliance

Padmalaya
In reply to this post by Adam Heath-2
Hi Adam,

I have a similar requirement for PCI DSS compliance. This being storing the jdbc username and password in the entityengine in an encrypted format. Can you please share how you encrypted sensitive details in entityengine?

Thanks in advance
Padmalaya