Hi It is in the wiki page. See org.apache.myfaces.ALGORITHM.IV web config param for details.
If you want to take a look at the class where the encryption happens, see org.apache.myfaces.shared.util.StateUtils in http://svn.apache.org/repos/asf/myfaces/core/trunk/shared/src/main/java/org/apache/myfaces/shared/util/StateUtils.java regards, Leonardo Uribe 2017-01-29 23:39 GMT-05:00 karthik kn <keyan...@gmail.com>: > Any thoughts on the below ? > > On Fri, Jan 27, 2017 at 10:57 AM, karthik kn <keyan...@gmail.com> wrote: > > > Hi All, > > We were able to update the jsf version to the lates and randomly generate > > the enc key as mentioned in > > https://wiki.apache.org/myfaces/Secure_Your_Application > > > > However, the Initialization vector for CBC needs to be mentioned. Can we > > not generate it randomly ? > > > > Is this a bug in JSF ? > > > > If i could generate the Enc key, then the IV should have been generated > > randomly. > > > > Please let know > > > > On Fri, Dec 23, 2016 at 3:54 PM, Thomas Andraschko < > > andraschko.tho...@gmail.com> wrote: > > > >> Hi, > >> > >> i don't think there is any other way to configure it but you can still > >> check the sources: http://svn.apache.org/viewvc/m > >> yfaces/core/branches/1.1.x/ > >> > >> Regards, > >> Thomas > >> > >> 2016-12-23 11:21 GMT+01:00 karthik kn <keyan...@gmail.com>: > >> > >> > Hi All, > >> > Any thoughts on the below ? > >> > > >> > On Wed, Dec 21, 2016 at 10:22 AM, karthik kn <keyan...@gmail.com> > >> wrote: > >> > > >> > > Hi, > >> > > If i use a new key in web.xml as SECRET, it could be still exposed > to > >> > the > >> > > Administrator on accessing the system. > >> > > > >> > > Wont this cause a vulnerability ? Is there any other mechanism of > >> storing > >> > > the secret ? > >> > > > >> > > On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler <bech...@agno3.eu> > >> > wrote: > >> > > > >> > >> Hi, > >> > >> > >> > >> > Thank you for clarification. Using the secret mentioned in the > >> below > >> > >> page > >> > >> > would suffice or there is some mechanism to generate the SECRET ? > >> > >> > > >> > >> > >> > >> You must not use the keys specified on this page but generate your > >> own > >> > >> secret ones. An attacker using the same key can then produce a > valid > >> > >> ViewState token containing an exploit. Also, as noted on the > security > >> > >> page and by Leonardo, version up to and including 1.1.7, 1.2.8, > 2.0.0 > >> > >> are vulnerable to padding oracle attacks (I haven't had a close > look > >> but > >> > >> I would be pretty sure that also applies to server side state > >> saving). > >> > >> That means that an attacker may be able to create such tokens > without > >> > >> the knowledge of the key - again allowing for the same exploits. > >> > >> > >> > >> So I guess there is no way to be really safe without upgrading. > >> > >> > >> > >> > >> > >> Moritz > >> > >> > >> > >> PS: you also might want to consider using something stronger than > >> DES. > >> > >> > >> > >> > >> > >> -- > >> > >> AgNO3 GmbH & Co. KG, Sitz Tübingen, Amtsgericht Stuttgart HRA > 728731 > >> > >> Persönlich haftend: > >> > >> Metagesellschaft mbH, Sitz Tübingen, Amtsgericht Stuttgart HRB > >> 744820, > >> > >> Vertreten durch Joachim Keltsch > >> > >> > >> > > > >> > > > >> > > > >> > > -- > >> > > ------------------------- > >> > > Thanks & Regards > >> > > > >> > > Karthik.K.N > >> > > > >> > > >> > > >> > > >> > -- > >> > ------------------------- > >> > Thanks & Regards > >> > > >> > Karthik.K.N > >> > > >> > > > > > > > > -- > > ------------------------- > > Thanks & Regards > > > > Karthik.K.N > > > > > > -- > ------------------------- > Thanks & Regards > > Karthik.K.N >