Hi Ryan,

Blowfish is a symmetric cipher algorithm - the same key that is used to encrypt must be the same as the one used to decrypt.

But note that if you do not disseminate the key to anyone (i.e. it is always held privately in your project and not shared with anyone else), symmetric ciphers are still good to use - they won't suffer from a 'man in the middle attack' because there is never a 'man in the middle' that could see the key since it is not disseminated. Asymmetric ciphers are only really recommended if any 3rd party needs to perform encryption or decryption.

Anyway, Shiro doesn't yet have a default implementation for RSA public/private key encryption as we don't need it in the framework directly (yet). The way to do this would be to create an AsymmetricCipherService implementation (similar to the existing AbstractSymmetricCipherService) using a configured algorithm (e.g. RSA).

I just created this issue: https://issues.apache.org/jira/browse/SHIRO-289

Please watch the issue for updates.

Finally, if anyone would like to help do this, it'd be much appreciated!

Cheers,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training: http://www.katasoft.com
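The two key models the reply contrasts, as an added example that is not part of the original message and not Apache Shiro code: because the post says Shiro had no asymmetric cipher service at the time, this uses only the JDK's built-in JCE providers. Blowfish is run in CBC mode with a random IV prepended to the ciphertext; RSA is run with OAEP (SHA-256). The class name `CipherModels` and the sample message are constructed for the example, and a JDK 8 or later is assumed for the OAEP transformation string.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added example, not Apache Shiro code: uses only the JDK's JCE to contrast
// the symmetric (one shared key) and asymmetric (key pair) models.
public class CipherModels {

    private static final int BLOWFISH_BLOCK_BYTES = 8; // Blowfish has a 64-bit block

    // Symmetric: the single secret key both encrypts and decrypts.
    // Output layout is IV || ciphertext so the IV travels with the data.
    static byte[] blowfishEncrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[BLOWFISH_BLOCK_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] blowfishDecrypt(SecretKey key, byte[] ivAndCiphertext) throws GeneralSecurityException {
        IvParameterSpec iv = new IvParameterSpec(ivAndCiphertext, 0, BLOWFISH_BLOCK_BYTES);
        Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(ivAndCiphertext, BLOWFISH_BLOCK_BYTES,
                ivAndCiphertext.length - BLOWFISH_BLOCK_BYTES);
    }

    // Asymmetric: anyone holding the public key can encrypt; only the
    // matching private key can decrypt, so the public key may be handed out.
    static byte[] rsaEncrypt(PublicKey recipient, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, recipient);
        return c.doFinal(plaintext);
    }

    static byte[] rsaDecrypt(PrivateKey recipient, byte[] ciphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, recipient);
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the demonstration.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // --- symmetric: the same key must be used on both sides ---
        KeyGenerator kg = KeyGenerator.getInstance("Blowfish");
        kg.init(128);
        SecretKey shared = kg.generateKey();
        byte[] sealed = blowfishEncrypt(shared, message);
        System.out.println("Blowfish round trip with the shared key: "
                + Arrays.equals(message, blowfishDecrypt(shared, sealed)));

        // A different key cannot recover the plaintext: CBC/PKCS5 decryption
        // either fails the padding check or yields bytes that do not match.
        SecretKey other = kg.generateKey();
        boolean recovered;
        try {
            recovered = Arrays.equals(message, blowfishDecrypt(other, sealed));
        } catch (GeneralSecurityException e) {
            recovered = false;
        }
        System.out.println("Blowfish round trip with a different key: " + recovered);

        // --- asymmetric: public key encrypts, private key decrypts ---
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        byte[] rsaSealed = rsaEncrypt(pair.getPublic(), message);
        System.out.println("RSA round trip with the matching private key: "
                + Arrays.equals(message, rsaDecrypt(pair.getPrivate(), rsaSealed)));
    }
}
```

Compile and run with `javac CipherModels.java && java CipherModels`. The first and third lines print `true`; the second prints `false`, which is the practical content of the reply: with a symmetric cipher the key is the secret and must reach every party that decrypts, whereas with the RSA pair only the private key needs protecting.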
