papegaaij commented on pull request #462:
URL: https://github.com/apache/wicket/pull/462#issuecomment-775786142


   I think this `SunJceCrypt` requires a lot more work to get it up to date. 
For example, `PBEWithMD5AndDES` is hopelessly outdated. For the cipher we 
should definitely not use DES, but AES, like `AES/CBC/PKCS5Padding`. 
   
   If we want to use PBE, we should switch to PBKDF2 and use 
PBKDF2WithHmacSHA512 with a key-length of 256 bits and a lot of iterations (way 
more than 1000, probably 100.000), but actually I fail to see why this class 
uses password based encryption and not a key directly. IMHO the key should not 
be a string, but a SecretKey built from 256 bits of secure random.
   
   Note we already have `UnlimitedStrenghtJurisdictionPolicyCrypt` in a test in 
`wicket-util`. This implementation already is much better and this unlimited 
strength jce-restriction is not a real issue anymore. I don't know about the 
latest Oracle JVMs, but OpenJDK does not limit the strength of JCE.
   
   IMHO it's better to deprecate the whole class and replace it with a more 
secure version.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
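
The two keying options the comment describes (a `SecretKey` from 256 bits of secure random, or PBKDF2WithHmacSHA512 at 256 bits and 100,000 iterations) feeding `AES/CBC/PKCS5Padding`, as an added example that is not code from Wicket or from the pull request. The class name, the sample password and text, and the layout that stores the IV in front of the ciphertext are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class, not part of Wicket.
public class AesCryptSketch {
    private static final SecureRandom RANDOM = new SecureRandom();
    // Option 1: key built directly from 256 bits of secure random.
    static SecretKey randomKey() throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256, RANDOM);
        return generator.generateKey();
    }

    // Option 2: PBKDF2WithHmacSHA512, 100,000 iterations, 256-bit key.
    static SecretKey passwordKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        return new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
    }

    // A fresh random 16-byte IV per message, stored in front of the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[16];
        RANDOM.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] body = cipher.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + body.length);
        System.arraycopy(body, 0, out, iv.length, body.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] message) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(message, 0, 16));
        return cipher.doFinal(message, 16, message.length - 16);
    }
    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16]; // random salt, kept alongside the data
        RANDOM.nextBytes(salt);
        char[] password = "constructed-sample".toCharArray(); // constructed value
        for (SecretKey key : new SecretKey[] {randomKey(), passwordKey(password, salt)}) {
            byte[] sealed = encrypt(key, "constructed text".getBytes(StandardCharsets.UTF_8));
            System.out.println(new String(decrypt(key, sealed), StandardCharsets.UTF_8));
        }
    }
}
```

CBC provides confidentiality only; this sketch does not authenticate the ciphertext.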

