[AAA-49] Tokens stored in MDSAL are not encrypted
Created: 14/Jul/15  Updated: 21/Mar/19  Resolved: 23/Jul/15

Status: Resolved
Project: aaa
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Sharon Aicler
Assignee: Sharon Aicler
Resolution: Cannot Reproduce
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 3992

 Description   

If you switch the AAA token store to the MD-SAL store for clustering, tokens are in plain text in the data store, hence you have a security issue.



 Comments   
Comment by Ryan Goulding [ 21/Jul/15 ]

Is this a duplicate of AAA-21? They seem similar but I'm not 100% positive. Thanks!

Comment by Sharon Aicler [ 21/Jul/15 ]

No, the RestConf bug is for passing user/password back and forth in clear text, while this bug is for storing tokens inside the MDSAL data store in a non-encrypted way. I guess the same encrypting/decrypting mechanism can be used for the different kinds of places where encryption is needed; maybe it would be a good idea to place a comment in AAA-21 stating to be aware of this bug's encryption solution.

Comment by Wojciech Dec [ 23/Jul/15 ]

Tokens are not in plain text since dcb210ba960fd61c4bd8b8509fe3eb05ac095efd

Comment by Sharon Aicler [ 23/Jul/15 ]

Correct, I have not noticed that... because my DataEncrypter utility was used, I thought I added that... :o) I will junk this bug.
