Bug 573118 - Secure Storage uses weak PBE with MD5/DES as default algorithm
Status: NEW
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: Security
Version: 4.19
Hardware: All All
Importance: P3 major
Target Milestone: ---
Assignee: Security Inbox CLA
Keywords: security
Reported: 2021-04-23 15:14 EDT by Eric Simpson CLA
Modified: 2023-02-21 14:58 EST

Description Eric Simpson CLA 2021-04-23 15:14:33 EDT
The Eclipse Secure Storage Advanced preference page defaults to 56-bit DES algorithm.
This is too weak for encryption.
A stronger algorithm should be the default to avoid sensitive user data being exposed.

From the documentation:
https://help.eclipse.org/2021-03/index.jsp?topic=%2Forg.eclipse.platform.doc.user%2Freference%2Fref-securestorage-start.htm&cp%3D0_4_3

> By default, the 56-bit DES algorithm is requested from the Java virtual machine.
Comment 1 Thomas Watson CLA 2021-05-12 09:10:07 EDT
What is the suggested new default?
Comment 2 Rolf Theunissen CLA 2021-06-15 03:19:07 EDT
(In reply to Thomas Watson from comment #1)
> What is the suggested new default?

According to Wikipedia:
"56-bit DES encryption is now obsolete, having been replaced as a standard in 2002 by the 128-bit (and stronger) Advanced Encryption Standard."

Please ask a security advisor for a sane default.
Comment 3 Eric Simpson CLA 2023-02-21 14:58:23 EST
PBEwithHmacSHA512and256BitAES is the suggested new default from our security team
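
The difference between the current default and the algorithm suggested in comment 3, as an added example that is not part of the bug report or of Equinox code. It runs both through the standard JCE API, assuming the JCE names `PBEWithMD5AndDES` and `PBEWithHmacSHA512AndAES_256` correspond to the algorithms named in this report; the class name, password, iteration count and plaintext are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeDefaultComparison {
    // Constructed sample values, not taken from Equinox.
    static final char[] PASSWORD = "constructed-master-password".toCharArray();
    static final int ITERATIONS = 10_000; // assumed work factor for this demo

    /** Encrypts then decrypts with the given JCE PBE algorithm; returns the ciphertext. */
    static byte[] roundTrip(String algorithm, int saltLen, boolean needsIv, byte[] plain)
            throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[saltLen];
        rng.nextBytes(salt);
        PBEParameterSpec params;
        if (needsIv) {
            byte[] iv = new byte[16]; // AES block size; must be stored with the ciphertext
            rng.nextBytes(iv);
            params = new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv));
        } else {
            params = new PBEParameterSpec(salt, ITERATIONS);
        }
        SecretKey key = SecretKeyFactory.getInstance(algorithm)
                .generateSecret(new PBEKeySpec(PASSWORD));
        Cipher cipher = Cipher.getInstance(algorithm);
        cipher.init(Cipher.ENCRYPT_MODE, key, params);
        byte[] ct = cipher.doFinal(plain);
        cipher.init(Cipher.DECRYPT_MODE, key, params);
        if (!Arrays.equals(plain, cipher.doFinal(ct))) {
            throw new IllegalStateException("round trip failed for " + algorithm);
        }
        return ct;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed stored secret".getBytes(StandardCharsets.UTF_8);
        // Weak: MD5-based key derivation, 56-bit DES key; PBES1 takes an 8-byte salt.
        byte[] weak = roundTrip("PBEWithMD5AndDES", 8, false, secret);
        // Stronger: PBKDF2 with HMAC-SHA512, 256-bit AES key, explicit random IV.
        byte[] strong = roundTrip("PBEWithHmacSHA512AndAES_256", 16, true, secret);
        System.out.printf("DES: %d bytes, AES: %d bytes%n", weak.length, strong.length);
    }
}
```

This needs Java 8 or later with the SunJCE provider. The AES variant is CBC mode and adds no integrity check on the ciphertext.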