Bug 362824

Summary: Problem with password encryption in Eclipse Secure Storage
Product: [Eclipse Project] Equinox
Reporter: Jonathan Garrison <jgarrison>
Component: Security
Assignee: Security Inbox <equinox.security-inbox>
Status: RESOLVED INVALID
QA Contact:
Severity: normal    
Priority: P3    
Version: 3.7   
Target Milestone: ---   
Hardware: All   
OS: All   
Whiteboard:

Description Jonathan Garrison CLA 2011-11-03 13:02:43 EDT
Build Identifier: 3.6.2.r362_v20110210-9gF78Gs1FrIGnHDHWkEcopoN8AmxeZflGDGKQi Build id: M20110210-1200

Passwords for agent controllers are stored on the workbench in the Eclipse Secure Storage file /root/.eclipse/org.eclipse.equinox.security/secure_storage

[root@vhost0249 org.eclipse.equinox.security]# ll
total 4
-rw-r--r-- 1 root root 2156 Mar  8 02:28 secure_storage

Passwords inside the file are encrypted using Java encryption PBEWithMD5AndDES.
PBEWithMD5AndDES is a password-based algorithm that uses the DES algorithm internally. The short (56-bit) key length makes this algorithm weak. If greater security is needed, use both a stronger algorithm and a longer password.
Recommend the use of PBEWithMD5AndTripleDES or AES algorithms.

Currently, there exist three Approved encryption algorithms (FIPS compliant): AES, Triple DES, and Skipjack.
http://csrc.nist.gov/groups/ST/toolkit/block_ciphers.html#Approved%20Algorithms

Reproducible: Always

Comment 1 Oleg Besedin CLA 2011-11-03 16:01:17 EDT
Support for encryption algorithms differs from VM to VM. PBEWithMD5AndDES was selected as being both widely available and "good enough".

The default algorithm can be changed using the preference page General -> Security -> Secure Storage | Advanced. On some VMs Triple DES will be available in that dropdown. Note that the change will only apply to "new" secure storages and will not affect an already created secure storage.
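
Since algorithm support differs from VM to VM, the following added example (not part of this bug report and not Equinox code) lists the PBE ciphers the running JVM registers and round-trips sample data through each to confirm it works as both a Cipher and a SecretKeyFactory. The class name `PbeCipherSurvey`, the sample password and salt, and the name-based strength rating are assumptions made for illustration.

```java
import java.security.AlgorithmParameters;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeCipherSurvey {   // hypothetical class name
    // Coarse rating from the algorithm name only (an assumption); unknown names need manual review.
    static String rate(String alg) {
        String a = alg.toUpperCase();
        if (a.contains("AES")) return "AES";
        if (a.contains("TRIPLEDES") || a.contains("DESEDE") || a.contains("3DES")) return "Triple DES";
        if (a.contains("DES")) return "single DES, 56-bit key";
        return "review manually";
    }

    // Encrypts and decrypts constructed sample data to prove the name is usable on this VM.
    static boolean usable(String alg) {
        try {
            byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8};            // constructed sample salt
            byte[] plain = "sample".getBytes("UTF-8");
            SecretKey key = SecretKeyFactory.getInstance(alg)
                    .generateSecret(new PBEKeySpec("constructed-password".toCharArray()));
            Cipher enc = Cipher.getInstance(alg);
            enc.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, 1000));
            byte[] ct = enc.doFinal(plain);
            AlgorithmParameters params = enc.getParameters();   // salt, count and any generated IV
            Cipher dec = Cipher.getInstance(alg);
            dec.init(Cipher.DECRYPT_MODE, key, params);
            return Arrays.equals(plain, dec.doFinal(ct));
        } catch (Exception e) {
            return false;   // no key factory, key-size policy limit, unsupported parameters, ...
        }
    }

    public static void main(String[] args) {
        TreeSet<String> names = new TreeSet<String>();
        for (Provider p : Security.getProviders())
            for (Provider.Service s : p.getServices())
                if ("Cipher".equals(s.getType()) && s.getAlgorithm().toUpperCase().startsWith("PBE"))
                    names.add(s.getAlgorithm());
        for (String n : names)
            System.out.println(n + "\t" + rate(n) + "\t" + (usable(n) ? "usable" : "not usable here"));
    }
}
```

Run it with the same JVM that launches Eclipse, since the provider list belongs to that VM.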