What crypto does the Encrypted Plugin for Jira use?

Alex van Vucht (GLiNTECH)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 30, 2017

This plugin is terrific for how simple it is, and I've confirmed that files at rest are indeed encrypted, but how is it encrypted? What's the algorithm and the strength?

I get a Iv value and a key when I first encrypt the data, I think that gives some indication?

1 answer

0 votes
Alberto Exposito May 4, 2018

Hi Alex, 

This plugin uses DesKeySpec for attachments, and AES for fields. 

Gregory Seidman May 22, 2018

To satisfy the decision makers that we can figure out how to reverse the decryption having backed up the keys and filesystem, can you give an openssl enc commandline to decrypt a file? It should be something like:

openssl enc -<cipher> -d -K <key> -iv <IV> -in <infile> -o <outfile>

So far I've had no success trying various combinations of DES ciphers and options.

Alberto Exposito May 23, 2018

Try only with Key (without IV)

Gregory Seidman May 23, 2018

Hang on, I had to generate a key and IV within Jira; how can it decrypt without an IV? And what cipher should I be using? There are lots of DES variants supported by openssl:

  • des
  • des3
  • des-cbc
  • des-cfb
  • des-ecb
  • des-ede
  • des-ede3
  • des-ede3-cbc
  • des-ede3-cfb
  • des-ede3-ofb
  • des-ede-cbc
  • des-ede-cfb
  • des-ede-ofb
  • des-ofb
  • desx

Also, are there any padding or salt options I should be passing?

Alberto Exposito May 23, 2018

Currently, we are working in order to change DES for AES method. 

In this case (DES), is only necessary the key, because we are using DESKeySpec class (provided by java) .Maybe, this page can help you. (https://www.programcreek.com/java-api-examples/?api=javax.crypto.spec.DESKeySpec)

On the other hand, I think that is not possible decrypt if you don't use JIRA. 

Gregory Seidman May 23, 2018

When you do the Cipher.getInstance(), what are you passing it? Can you post the scrap of code you're actually using?

glennrees September 12, 2018

Hi Gregory,

 I have similar questions to yours, If we were to do this we have a requirement to be able to decrypt the data independently of JIRA. Did you ever work out how to do this?

Glenn.

Gregory Seidman September 13, 2018

Nope, we gave up on this vendor. Single DES uses a 56-bit key, which is insufficient . I stopped working on trying to decrypt manually when I realized how insecure it was. I might take another look if/when they manage to support AES (really, how hard do they think it is? it's just a slightly different Java API).

glennrees September 13, 2018

Thanks for the info. Yes that is not sufficient. We would need it to be AES 256 to look at seriously.

Alberto Expósito September 14, 2018

Addon works with AES  (AES/CBC/PKCS5Padding) even for attachments since 1.6.3 plugin version. 

About decrypt the data independently of JIRA, I think that is not possible at the moment, but we are going to create a ticket. 

glennrees September 16, 2018

Thanks for the update Alberto, good to hear about AES support. Let us know if there are developments with decrypt the data independently of JIRA in the future.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events