Enhanced hashing and encryption algorithms

SHA-512 as Hashing Algorithm

Platform has upgraded its password hashing mechanism to SHA-512. Each hashing operation combines the plain-text password with a random salt generated by a cryptographically secure pseudo-random number generator (CSPRNG). Existing passwords will be re-hashed using SHA-512 after the user logs in.
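The re-hash-on-login behavior described above can be sketched as follows. This is an added example, not Platform's own code: the record format (algo$salt$digest), the salt length, the salt-then-password construction, and SHA-256 as the legacy algorithm are all assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16                      # assumed salt length; the page does not state one
ALLOWED = {"sha256", "sha512"}       # assumed: sha256 stands in for the legacy algorithm


def _digest(algo: str, salt: bytes, password: str) -> bytes:
    # Assumed construction: hash(salt || password).
    if algo not in ALLOWED:
        # Never let a stored (possibly tampered) record choose an arbitrary algorithm.
        raise ValueError("unsupported hash algorithm: " + algo)
    return hashlib.new(algo, salt + password.encode("utf-8")).digest()


def make_record(password: str, algo: str = "sha512") -> str:
    """Return 'algo$salt_hex$digest_hex' using a fresh salt from the OS CSPRNG."""
    salt = secrets.token_bytes(SALT_BYTES)
    return "$".join([algo, salt.hex(), _digest(algo, salt, password).hex()])


def login(password: str, record: str) -> tuple:
    """Verify a login attempt; return (ok, record_to_store)."""
    algo, salt_hex, digest_hex = record.split("$")
    actual = _digest(algo, bytes.fromhex(salt_hex), password)
    if not hmac.compare_digest(actual, bytes.fromhex(digest_hex)):
        return False, record         # a failed login never changes the stored hash
    if algo != "sha512":
        # The plain-text password is only available at login, so this is the
        # one point where a legacy hash can be replaced. A new salt is drawn.
        return True, make_record(password)
    return True, record


if __name__ == "__main__":
    legacy = make_record("correct horse", algo="sha256")   # constructed legacy record
    print(login("wrong guess", legacy)[0])
    ok, upgraded = login("correct horse", legacy)
    print(ok, upgraded.split("$")[0])
```

Accounts that never log in keep their legacy record, so an inventory of the algo prefix shows how far the migration has progressed.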

Encryption Algorithm Private Key

Platform supports encryption for text, phone, and email fields, and for the contents of file upload fields. By default, all of this data is encrypted using AES (Advanced Encryption Standard) with a 128-bit key size.

When the system restarts after upgrading to 4.4.4, a private.key file that contains the secret key unique to your Platform instance is generated and saved in your Platform config folder on your master machine at <ROLLBASE_HOME>/config/security.

Note: Store a copy of the generated key in a secure place so that it is available for situations such as disaster recovery, or machine changes. This file is created and managed by Platform and should not be edited locally.

All fields currently encrypted using the default encryption algorithm (AES-128) will continue to function correctly. They will be decrypted and then re-encrypted using your preferred algorithm and the generated secret key the next time they are edited and saved.

AES-256 Encryption Algorithm Support

Platform now also supports encrypting data using AES with a 256-bit key size. This is a system-wide choice and is managed through the jar file 'rb_util.jar'.

To make use of AES-256 on a Platform Private Cloud:

  1. Navigate to the 'rb_util.jar' file in the <ROLLBASE_HOME>/lib folder.
  2. Enter the following command at the command line.
    Command for a Windows machine:

    java -cp jackson-core-#.#.#.jar;jackson-databind-#.#.#.jar;jackson-annotations-#.#.#.jar;commons-io-#.#.#.jar;commons-codec-#.#.#.jar;rb_util.jar com.rb.util.system.SystemKeyGenerator <param1> <param2>

    Command for a Linux machine:

    java -cp jackson-core-#.#.#.jar:jackson-databind-#.#.#.jar:jackson-annotations-#.#.#.jar:commons-io-#.#.#.jar:commons-codec-#.#.#.jar:rb_util.jar com.rb.util.system.SystemKeyGenerator <param1> <param2>

    • param1 is the path of the directory where the existing private.key file has been uploaded or where a new private.key file should be generated. If the directory named in this parameter contains an existing private.key file, the utility converts the encryption type as defined in param2; otherwise, a new private.key file is generated.
    • param2 is the encryption type (default value is 0). To set AES-128 as the default encryption algorithm for the Platform instance, use 0. For AES-256, use 1. Currently, Platform supports only AES-128 and AES-256.
    • #.#.# denotes the version number of the corresponding jar.

    Sample usage for Windows:

    java -cp jackson-core-#.#.#.jar;jackson-databind-#.#.#.jar;jackson-annotations-#.#.#.jar;commons-io-#.#.#.jar;commons-codec-#.#.#.jar;rb_util.jar com.rb.util.system.SystemKeyGenerator C:\Users\username\Desktop 1

    The above sample lists the dependent jars required to run this utility. Running the utility from the lib folder ensures that all required jars are available in the current directory. If commons-codec-#.#.#.jar is not present in the working directory, a ClassNotFoundException for org.apache.commons.codec.binary.StringUtils is thrown. To fix this, copy all referenced jars into the directory from which the command is executed.

  3. Based on whether a new file was created or an existing file was updated, the utility returns a final success message.

Important: Support for unique constraint validation on encrypted fields has been deprecated. Thus, unique checks on encrypted fields will not work. Encrypted fields cannot be audited, marked unique, or indexed as part of the search engine. Once set, this option cannot be removed.