| <?xml version="1.0"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| |
| <document> |
| <properties> |
| <title>Fulcrum PBE Service</title> |
| <author email="siegfried.goeschl@it20one.at">Siegfried Goeschl</author> |
| </properties> |
| <body> |
| <section name="Overview"> |
| <p> |
| The PBEService (Password Based Encryption Service) supports encryption |
| and decryption of resources using JCA (Java Crypto Architecture) providing |
| <ul> |
| <li>method to create more or less secure passwords</li> |
| <li>creation of cipher streams for transparent encryption/decryption</li> |
| <li>generic encryption/decryption methods</li> |
| </ul> |
| </p> |
| <p> |
| The implementation uses PBEWithMD5AndDES and was inspired |
| by Pankaj Kumar and his excellent book |
| <a href="http://www.j2ee-security.net/">J2EE Security</a>. |
| </p> |
| </section> |
| <section name="What is Password Based Encryption"> |
| <p> |
| Encryption is most of the time only as good as the password being used. And the |
| password can be guessed using a dictionary attack. PBE tries to avoid the problem |
| by mangling the user-provided password through various rounds of SHA-1 invocation |
| and only this mangled result is used for encryption/decryption. |
| </p> |
| <p> |
| So the simple password "mysecret" would be mangled to "62cc-bf14-1814-672da" which |
| is much harder to guess therefore avoiding a simple dictionary attack. Using this |
| approach makes storing passwords in configuration files slightly more secure. |
| </p> |
| </section> |
| </body> |
| </document> |