...
The password hash will be placed before the AES-encrypted content (base64-encoded length 344)
The password hash will be used and it will be encrypted using RSA (because JavaScript code is readable, this is the only solution that lets the CB, and nobody else, decrypt that hashed password)
Using RSA makes it possible to give every CB its own secure key while attaching the public key to the CB data in CARA
RSA is sufficiently secure
If the password has to be changed, a new private/public key pair will be generated
The new public key will be distributed by a CARA minor update
The CB will use the new private key and has a fallback for the old one (the CB has to test against all old keys because of possible older files)
The public key for encrypting the password will be selected according to the CB chosen for the report
The attachment of the password is only activated at the request of the CB
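The prefix layout and the old-key fallback described above, as an added sketch that is not code from CARA or the CB tooling. It assumes RSA-2048 with OAEP/SHA-256 (a 256-byte ciphertext is exactly 344 base64 characters) and a SHA-256 password hash; `wrapHash`, `unwrapHash`, `PREFIX_LEN` and the sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

const PREFIX_LEN = 344; // base64 length of a 256-byte RSA-2048 ciphertext
// Assumption: OAEP with SHA-256; the notes above do not name a padding scheme.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side: encrypt the password hash with the chosen CB's public key and
// place it before the (already AES-encrypted, base64-encoded) content.
function wrapHash(passwordHash, cbPublicKey, aesContentB64) {
  const enc = crypto.publicEncrypt({ key: cbPublicKey, ...OAEP }, passwordHash);
  const prefix = enc.toString('base64');
  if (prefix.length !== PREFIX_LEN) throw new Error('unexpected RSA key size');
  return prefix + aesContentB64;
}

// CB side: split off the fixed-length prefix, then try the current private key
// first and fall back to older ones for files written before a key change.
function unwrapHash(file, privateKeys) {
  if (file.length < PREFIX_LEN) throw new Error('file too short');
  const enc = Buffer.from(file.slice(0, PREFIX_LEN), 'base64');
  const aesContentB64 = file.slice(PREFIX_LEN);
  for (const [keyIndex, key] of privateKeys.entries()) {
    try {
      const passwordHash = crypto.privateDecrypt({ key, ...OAEP }, enc);
      return { passwordHash, aesContentB64, keyIndex };
    } catch { /* OAEP check failed: wrong key, try the next one */ }
  }
  throw new Error('no private key matches this file');
}

// Constructed sample data: two key pairs stand in for a key change.
function demo() {
  const gen = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const oldPair = gen();
  const newPair = gen();
  const hash = crypto.createHash('sha256').update('constructed-password').digest();
  const content = 'QUVTLWNvbnRlbnQ='; // placeholder for the AES-encrypted part
  const keys = [newPair.privateKey, oldPair.privateKey]; // newest first
  return {
    hash,
    old: unwrapHash(wrapHash(hash, oldPair.publicKey, content), keys),
    cur: unwrapHash(wrapHash(hash, newPair.publicKey, content), keys),
  };
}
```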
...