Bug
Resolution: Won't Fix
P4
None
1.4.0
generic
generic
The getPassword method should be removed from this class.
a) It is not necessary to offer this method to the user.
Normally, users don't need to know the underlying password of any
specific PBEKey for the operation of encryption/decryption.
b) It could be harmful to offer this method to the user.
We should not allow any user to get the password out of a PBEKey;
otherwise:
--- It seems to violate the design spirit of PKCS #5.
As we know, a one-way hash function is the foundation of the key derivation
algorithm (KDF). Using a one-way hash function makes it very
difficult to recover the password even if the attacker reveals the key, salt
and iteration.
Apparently, with our design, this attribute was not preserved.
--- There might be some security implications when users try to reuse their
password for different sessions/applications.
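
The concern above, shown from the calling side as an added example (not code from this bug report or from the JDK sources): it checks whether a derived key object hands the password back through `PBEKey.getPassword()`, then keeps only the derived bytes in a `SecretKeySpec`. It assumes the default provider's `PBKDF2WithHmacSHA1` factory returns a key that implements `javax.crypto.interfaces.PBEKey`; the class name, helper names, password and iteration count are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.interfaces.PBEKey;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PbeKeyPasswordExposure {
    static final String KDF = "PBKDF2WithHmacSHA1"; // assumption: supplied by the default provider

    /** True if the key object itself returns the original password (hypothetical helper). */
    static boolean exposesPassword(SecretKey key, char[] password) {
        if (!(key instanceof PBEKey)) return false;
        char[] copy = ((PBEKey) key).getPassword();
        try { return Arrays.equals(copy, password); }
        finally { Arrays.fill(copy, '\0'); }
    }

    /** Derive the key, then keep only the derived bytes in a plain SecretKeySpec. */
    static SecretKey derivePasswordFreeKey(char[] password, byte[] salt, int iterations)
            throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 128);
        byte[] raw = null;
        try {
            raw = SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES"); // the constructor copies the bytes
        } finally {
            spec.clearPassword();                  // wipe the spec's copy of the password
            if (raw != null) Arrays.fill(raw, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-sample-password".toCharArray(); // constructed sample
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        int iterations = 10_000;                                       // constructed sample

        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 128);
        SecretKey fromFactory = SecretKeyFactory.getInstance(KDF).generateSecret(spec);
        spec.clearPassword();
        System.out.println("factory key is a PBEKey:       " + (fromFactory instanceof PBEKey));
        System.out.println("factory key exposes password:  " + exposesPassword(fromFactory, password));

        SecretKey hardened = derivePasswordFreeKey(password, salt, iterations);
        System.out.println("hardened key exposes password: " + exposesPassword(hardened, password));
        System.out.println("same derived key bytes:        "
                + Arrays.equals(fromFactory.getEncoded(), hardened.getEncoded()));
        Arrays.fill(password, '\0');
    }
}
```

Both objects carry the same derived key material; only the factory-returned one also keeps a retrievable copy of the password for as long as the key object is reachable.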