What crypto does the Encrypted Plugin for Jira use?

This plugin is terrific for how simple it is, and I've confirmed that files at rest are indeed encrypted, but how is it encrypted? What's the algorithm and the strength?

I get a Iv value and a key when I first encrypt the data, I think that gives some indication?

1 answer

Hi Alex, 

This plugin uses DesKeySpec for attachments, and AES for fields. 

To satisfy the decision makers that we can figure out how to reverse the decryption having backed up the keys and filesystem, can you give an openssl enc commandline to decrypt a file? It should be something like:

openssl enc -<cipher> -d -K <key> -iv <IV> -in <infile> -o <outfile>

So far I've had no success trying various combinations of DES ciphers and options.

Try only with Key (without IV)

Hang on, I had to generate a key and IV within Jira; how can it decrypt without an IV? And what cipher should I be using? There are lots of DES variants supported by openssl:

  • des
  • des3
  • des-cbc
  • des-cfb
  • des-ecb
  • des-ede
  • des-ede3
  • des-ede3-cbc
  • des-ede3-cfb
  • des-ede3-ofb
  • des-ede-cbc
  • des-ede-cfb
  • des-ede-ofb
  • des-ofb
  • desx

Also, are there any padding or salt options I should be passing?

Currently, we are working in order to change DES for AES method. 

In this case (DES), is only necessary the key, because we are using DESKeySpec class (provided by java) .Maybe, this page can help you. (https://www.programcreek.com/java-api-examples/?api=javax.crypto.spec.DESKeySpec)

On the other hand, I think that is not possible decrypt if you don't use JIRA. 

When you do the Cipher.getInstance(), what are you passing it? Can you post the scrap of code you're actually using?

Hi Gregory,

 I have similar questions to yours, If we were to do this we have a requirement to be able to decrypt the data independently of JIRA. Did you ever work out how to do this?

Glenn.

Nope, we gave up on this vendor. Single DES uses a 56-bit key, which is insufficient . I stopped working on trying to decrypt manually when I realized how insecure it was. I might take another look if/when they manage to support AES (really, how hard do they think it is? it's just a slightly different Java API).

Thanks for the info. Yes that is not sufficient. We would need it to be AES 256 to look at seriously.

Addon works with AES  (AES/CBC/PKCS5Padding) even for attachments since 1.6.3 plugin version. 

About decrypt the data independently of JIRA, I think that is not possible at the moment, but we are going to create a ticket. 

Thanks for the update Alberto, good to hear about AES support. Let us know if there are developments with decrypt the data independently of JIRA in the future.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Oct 11, 2018 in Marketplace Apps

You + one app + a desert island...

Hi all! My name is Miles and I work on the Marketplace team. We’re looking for better ways to recommend and suggest apps that are truly crowd favorites, so of course we wanted to poll the Community. ...

3,551 views 6 6
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you