Thanks -- this confirms my understanding, but wanted to make sure I am not missing something. Searching for "shiro private key" leads to: http://shiro-user.582556.n2.nabble.com/public-key-private-key-authetication-td4446010.html
For this app, I think a symmetric cipher that is kept secret is sufficient. In the future, it would be awesome to have access to asymmetric ciphers with the same ease and clarity Shiro brings to everything else!

Thanks
ryan

On Wed, May 4, 2011 at 1:50 PM, Les Hazlewood <[email protected]> wrote:
> Hi Ryan,
>
> Blowfish is a symmetric cipher algorithm - the same key that is used
> to encrypt must be the same as the one used to decrypt.
>
> But note that if you do not disseminate the key to anyone (i.e. it is
> always held privately in your project and not shared with anyone
> else), symmetric ciphers are still good to use - they won't suffer
> from a 'man in the middle attack' because there is never a 'man in the
> middle' that could see the key since it is not disseminated.
> Asymmetric ciphers are only really recommended if any 3rd party needs
> to perform encryption or decryption.
>
> Anyway, Shiro doesn't yet have a default implementation for RSA
> public/private key encryption as we don't need it in the framework
> directly (yet).
>
> The way to do this would be to create an AssymetricCipherService
> implementation (similar to the existing
> AbstractSymmetricCipherService) using a configured algorithm (e.g.
> RSA). I just created this issue:
>
> https://issues.apache.org/jira/browse/SHIRO-289
>
> Please watch the issue for updates.
>
> Finally, if anyone would like to help do this, it'd be much appreciated!
>
> Cheers,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and
> Training:
> http://www.katasoft.com
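
The contrast discussed in this thread, as an added example that is not part of the original messages or of Shiro's own code: Blowfish through Shiro's `BlowfishCipherService` uses one key in both directions, while RSA, done here with the plain JDK `Cipher` API because Shiro has no asymmetric cipher service, encrypts with the public key and decrypts with the private one. It assumes the Shiro 1.x package names; the class name `SymmetricVsAsymmetric` and the sample plaintext are constructed for illustration.

```java
import org.apache.shiro.crypto.BlowfishCipherService; // Shiro 1.x package (assumption)
import org.apache.shiro.util.ByteSource;

import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;

public class SymmetricVsAsymmetric {

    public static void main(String[] args) throws Exception {
        // Constructed sample plaintext.
        byte[] secret = "constructed sample secret".getBytes(StandardCharsets.UTF_8);

        // Symmetric: one key, held only by the application, does both jobs.
        BlowfishCipherService blowfish = new BlowfishCipherService();
        byte[] key = blowfish.generateNewKey().getEncoded();
        ByteSource encrypted = blowfish.encrypt(secret, key);
        byte[] decrypted = blowfish.decrypt(encrypted.getBytes(), key).getBytes();
        check("Blowfish round trip", secret, decrypted);

        // Asymmetric (plain JDK, not Shiro): the public key can be handed to
        // a third party for encryption; only the private key can decrypt.
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, pair.getPublic());
        byte[] rsaCiphertext = rsa.doFinal(secret);

        rsa.init(Cipher.DECRYPT_MODE, pair.getPrivate());
        byte[] rsaPlaintext = rsa.doFinal(rsaCiphertext);
        check("RSA round trip", secret, rsaPlaintext);
    }

    // Fails loudly if the decrypted bytes differ from the original plaintext.
    private static void check(String label, byte[] expected, byte[] actual) {
        if (!Arrays.equals(expected, actual)) {
            throw new IllegalStateException(label + " failed");
        }
        System.out.println(label + " ok");
    }
}
```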
