Uploaded image for project: 'Commons'
  1. Commons
  2. COMMONS-293

Upgrade inefficient encryption algorithms in CAF AbstractJwtSessionModule

    Details

    • Type: Improvement
    • Status: Resolved
    • Resolution: Fixed
    • Fix Version/s: 26.0.0
    • Component/s: None
    • Labels:
      None

      Description

      The CAF AbstractJwtSessionModule hardcodes the use of RSA encryption with PKCS#1 v1.5 padding, followed by HMAC signing using a symmetric key. This is less than ideal as RSA decryption is particularly expensive and does not need to be used as the JWTs are only decrypted by the same module that encrypted them, so a symmetric key would be sufficient. As we are using HMAC with a symmetric key for signing, we already assume all parties share a secret key.

      Direct encryption with AES using a symmetric key would be orders of magnitude faster than RSA and result in more compact JWTs. As such modes already include HMAC (or equivalent) we can also drop the separate signing step, further reducing the size of the JWT and simplifying the key requirements.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                neil.madden Neil Madden
                Reporter:
                neil.madden Neil Madden
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: