Encrypt JNDI resource password

Víctor Martínez
Hi,

I have created a JNDI resource to be able to connect to PostgreSQL with SSL. Is it possible to encrypt the password for a JNDI resource defined in the jetty-env.xml file, instead of just using obfuscation? I'm talking about this: http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html.

Regards,
vtez

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Re: Encrypt JNDI resource password

Joakim Erdfelt-8
The org.eclipse.jetty.util.security.Password is for password obfuscation (OBF:) and verification (MD5: CRYPT:).
It's meant to prevent casual discovery of the password.

If an undesired user has access to the XML, then they have the means to deobfuscate / decrypt the password too.
This fundamental truth remains unchanged no matter how complicated you make the obfuscation. (the org.eclipse.jetty.util.security.Password is present and must be able to deobfuscate for it to work)

We have no feature in Jetty itself to encrypt/decrypt a password during XML usage.
But that doesn't prevent you from creating your own class to do that.

You can call an arbitrary class/method in the XML and have it return the String form, just like you see in the linked documentation you provided.

Aka ...

<New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
  <Arg></Arg>
  <Arg>jdbc/DSTest</Arg>
  <Arg>
    <New class="com.jolbox.bonecp.BoneCPDataSource">
      <Set name="driverClass">com.mysql.jdbc.Driver</Set>
      <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
      <Set name="username">dbuser</Set>
      <Set name="password">
        <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">
          <Arg>OBF:1ri71v1r1v2n1ri71shq1ri71shs1ri71v1r1v2n1ri7</Arg>
        </Call>
      </Set>
      <Set name="minConnectionsPerPartition">5</Set>
      <Set name="maxConnectionsPerPartition">50</Set>
      <Set name="acquireIncrement">5</Set>
      <Set name="idleConnectionTestPeriod">30</Set>
    </New>
  </Arg>
</New>

The org.eclipse.jetty.util.security.Password.deobfuscate(String) static method exists here ...

So, create your own class/static method.
Put it in the server classpath, and you should be able to use it from the XML for your own purposes.

Eg:

<New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
  <Arg></Arg>
  <Arg>jdbc/DSTest</Arg>
  <Arg>
    <New class="com.jolbox.bonecp.BoneCPDataSource">
      <Set name="driverClass">com.mysql.jdbc.Driver</Set>
      <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
      <Set name="username">dbuser</Set>
      <Set name="password">
        <Call class="net.vmartinez.util.SecurePassword" name="localDecrypt">
          <Arg>VGhpcyBpcyB3aGVyZSB5b3VyIGVuY3J5cHRlZCBwYXNzd29yZCBzaG91bGQgYmU=</Arg>
        </Call>
      </Set>
      <Set name="minConnectionsPerPartition">5</Set>
      <Set name="maxConnectionsPerPartition">50</Set>
      <Set name="acquireIncrement">5</Set>
      <Set name="idleConnectionTestPeriod">30</Set>
    </New>
  </Arg>
</New>

Things to consider:
  • The decryption routines should use some information from the machine / os / install for a successful decrypt.
  • An unsuccessful decrypt should throw a RuntimeException indicating a failed decrypt, but with as little detail information as you can get away with (don't want to help nefarious folks in your logs).
  • Consider including the cipher algorithm in the arguments to localDecrypt()
  • Perhaps the arguments should only reference a needed password by id, and the local install knows which one to return (useful for differences in DEV/TEST/CI/QA/PROD)


Joakim Erdfelt / [hidden email]
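
One way to write the localDecrypt class described in this message, as an added example that is not code from the thread or from Jetty: AES-GCM with a key file that only the Jetty account can read, and one detail-free RuntimeException for every failure. The system property name, the default key path and the localEncrypt helper are assumptions; as Greg Wilkins notes later in the thread, the password is then only as well protected as that key file's permissions.

```java
package net.vmartinez.util; // class name taken from the <Call> in the XML above

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class SecurePassword {
    // Assumed names: system property and default path of a 32-byte AES key that
    // lives outside the webapp and is owned by the account that runs Jetty.
    private static final String KEY_FILE_PROP = "securepassword.keyfile";
    private static final String DEFAULT_KEY_FILE = "/etc/jetty/securepassword.key";
    private static final int IV_LEN = 12;    // bytes, prepended to the ciphertext
    private static final int TAG_BITS = 128; // GCM authentication tag length

    /** Invoked from jetty-env.xml with the Base64 text of IV || ciphertext || tag. */
    public static String localDecrypt(String encoded) {
        try {
            byte[] blob = Base64.getDecoder().decode(encoded.trim());
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, loadKey(),
                    new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
            byte[] plain = cipher.doFinal(blob, IV_LEN, blob.length - IV_LEN);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (Exception e) {
            // Same message for every failure and no chained cause: nothing about
            // the key path, cipher or input reaches the logs.
            throw new RuntimeException("Password decrypt failed");
        }
    }

    /** Run on the target host to produce the value that goes in the <Arg>. */
    public static String localEncrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every encryption
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_LEN);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    private static SecretKeySpec loadKey() throws Exception {
        Path path = Path.of(System.getProperty(KEY_FILE_PROP, DEFAULT_KEY_FILE));
        // POSIX only: refuse a key file that anyone but its owner can touch.
        for (PosixFilePermission p : Files.getPosixFilePermissions(path)) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new GeneralSecurityException("key file permissions too open");
            }
        }
        byte[] key = Files.readAllBytes(path);
        if (key.length != 32) {
            throw new GeneralSecurityException("expected a 256-bit key");
        }
        return new SecretKeySpec(key, "AES");
    }

    public static void main(String[] args) throws Exception {
        // Interactive use: the password is read from the console, not from argv.
        System.out.println(localEncrypt(new String(System.console().readPassword("Password: "))));
    }
}
```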

On Fri, Dec 29, 2017 at 6:39 AM, Víctor Martínez <[hidden email]> wrote:

Re: Encrypt JNDI resource password

Víctor Martínez
Hi Joakim,

Yes, I'll try that avenue. In fact, which algorithm should I use to decrypt the CRYPT string outputted with "java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password me blah" previously encrypted by me?

Thanks,
vtez

On Fri, 29 Dec 2017 at 14:21 Joakim Erdfelt <[hidden email]> wrote:

Re: Encrypt JNDI resource password

Greg Wilkins

Victor,

CRYPT uses the Unix Crypt algorithm, which, like MD5, is a one-way hash. So there is no specific algorithm available that will provide the original password. When using these encryptions, Jetty takes newly provided credentials from the request and re-applies the hash to see if the same encrypted result is obtained. It cannot recover the original password.

However, both MD5 and UnixCrypt are not strong encryptions, and brute-force algorithms can be applied to recover a "password" in a short period of time. Note, however, that I say "password", as it may not actually be the original password, but another one that just happens to generate the same hash.

In order to store strongly encrypted passwords in the XML, you will need access to a private key in order to decrypt them at startup time. This could be in a file, but would then be no more secure than the XML. The other alternative is to prompt the user for a passphrase at startup, but this will make automatic start impossible.

In short, either the XML has the credentials, in which case it is protected only by file/user privileges, or you need to come up with some other mechanism to provide the credentials at runtime that meets your operational requirements.

regards



On 2 January 2018 at 08:00, Víctor Martínez <[hidden email]> wrote:

Re: Encrypt JNDI resource password

Víctor Martínez
Understood. Thanks for the information.

Regards.

On Tue, 2 Jan 2018 at 09:41 Greg Wilkins <[hidden email]> wrote:
