Re: [jetty-users] Encrypt JNDI resource password

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Encrypt JNDI resource password

From: Greg Wilkins <gregw@xxxxxxxxxxx>
Date: Tue, 2 Jan 2018 09:40:56 +0100
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Victor,

CRYPT uses the Unix Crypt algorithm, which like MD5 is a one way hash. So there is no specific algorithm available that will provide the original password. When using these encryptions, jetty takes newly provided credentials from the request and re-applies the hash to see if the same encrypted result is obtained. It cannot recover the original password.

However both MD5 and UnixCrypt are not strong encryptions and brute force algorithms can be applied to recover a "password" in a short period of time. Note however that I say "password", as it may not actually be the original password, but another one that just happens to generate the same hash.

In order to store strongly encrypted passwords in the XML, you will need access to a private key in order to decrypt them at start up time. This could be in a file, but would then be no more secure than the XML. The other alternative is to prompt the user for a passphrase at startup, but this will make automatic start impossible.

In short, either the XML has the credentials, in which case it is protected only be file/user privileges, or you need to come up with some other mechanism to provide the credentials at runtime that meets your operational requirements.

regards

On 2 January 2018 at 08:00, Víctor Martínez <vicmarbev@xxxxxxxxx> wrote:

Hi Joakim,

Yes I'll try that avenue. In fact, which algorithm should I used to decrypt the CRYPT string outputted with "java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password me blah" previously encrypted by me?

Thanks ,
vtez

On Fri, 29 Dec 2017 at 14:21 Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
The org.eclipse.jetty.util.security.Password is for password obfuscation (OBF:) and verification (MD5: CRYPT:).
Its meant to prevent casual discovery of the password.

If an undesired user has access the XML, then they have the means to deobfuscate / decrypt the password too.
This fundamental truth remains unchanged no matter how complicated you make the obfuscation. (the org.eclipse.jetty.util.security.Password is present and must be able to deobfuscate for it to work)

We have no feature in Jetty itself to encrypt/decrypt a password during XML usage.
But that doesn't prevent you from creating your own class to do that.

You can call an arbitrary class/method in the XML and have it return the String form, just like you see in the linked documentation you provided.

Aka ...

<New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg></Arg>
<Arg>jdbc/DSTest</Arg>
<Arg>
<New class="com.jolbox.bonecp.BoneCPDataSource">
<Set name="driverClass">com.mysql.jdbc.Driver</Set>
<Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
<Set name="username">dbuser</Set>
<Set name="password">
<Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">
<Arg>OBF:1ri71v1r1v2n1ri71shq1ri71shs1ri71v1r1v2n1ri7</Arg>
</Call>
</Set>
<Set name="minConnectionsPerPartition">5</Set>
<Set name="maxConnectionsPerPartition">50</Set>
<Set name="acquireIncrement">5</Set>
<Set name="idleConnectionTestPeriod">30</Set>
</New>
</Arg>
</New>

The org.eclipse.jetty.util.security.Password.deobfuscate(String) static method exists here ...
https://github.com/eclipse/jetty.project/blob/jetty-9.4.8.v20171121/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java#L181-L209

So, create your own class/static method.
Put it in the server classpath, and you should be able to use it from the XML for your own purposes.

Eg:

<New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg></Arg>
<Arg>jdbc/DSTest</Arg>
<Arg>
<New class="com.jolbox.bonecp.BoneCPDataSource">
<Set name="driverClass">com.mysql.jdbc.Driver</Set>
<Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
<Set name="username">dbuser</Set>
<Set name="password">
<Call class="net.vmartinez.util.SecurePassword" name="localDecrypt">
<Arg>VGhpcyBpcyB3aGVyZSB5b3VyIGVuY3J5cHRlZCBwYXNzd29yZCBzaG91bGQgYmU=</Arg>
</Call>
</Set>
<Set name="minConnectionsPerPartition">5</Set>
<Set name="maxConnectionsPerPartition">50</Set>
<Set name="acquireIncrement">5</Set>
<Set name="idleConnectionTestPeriod">30</Set>
</New>
</Arg>
</New>

Things to consider:
The decryption routines should use some information from the machine / os / install for a successful decrypt.
A unsuccessful decrypt should throw a RuntimeException indicating a failed decrypt, but with as little detail information as you can get away with (don't want to help nefarious folks in your logs).
Consider including the cipher algorithm in the arguments to localDecrypt()
Perhaps the arguments should only reference a needed password by id, and the local install knows which one to return (useful for differences in DEV/TEST/CI/QA/PROD)

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Fri, Dec 29, 2017 at 6:39 AM, Víctor Martínez <vicmarbev@xxxxxxxxx> wrote:
Hi,

I have created a JNDI resource to be able to connect to PostgreSQL with SSL. Is it possible to encrypt the password for a JNDI resource defined in the jetty-env.xml file, instead of just using obfuscation? I'm talking about this: http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html.

Regards,
vtez

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com

Follow-Ups:
- Re: [jetty-users] Encrypt JNDI resource password
  - From: Víctor Martínez

References:
- [jetty-users] Encrypt JNDI resource password
  - From: Víctor Martínez
- Re: [jetty-users] Encrypt JNDI resource password
  - From: Joakim Erdfelt
- Re: [jetty-users] Encrypt JNDI resource password
  - From: Víctor Martínez

Prev by Date: Re: [jetty-users] Encrypt JNDI resource password
Next by Date: Re: [jetty-users] Encrypt JNDI resource password
Previous by thread: Re: [jetty-users] Encrypt JNDI resource password
Next by thread: Re: [jetty-users] Encrypt JNDI resource password
Index(es):
- Date
- Thread

Breadcrumbs