<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBoss AS7 Securing Passwords
</h3>
<span style="margin-bottom: 10px;">
new comment by <a href="https://community.jboss.org/people/anil.saldhana">Anil Saldhana</a> <a href="https://community.jboss.org/docs/DOC-17248#comment-11315">View all comments on this document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><blockquote class="jive-quote"><p>mentallurg wrote:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p>
                        <p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><div class="jive-rendered-content"><h2 id="Frequently_Asked_Questions">Frequently Asked Questions<span style="color: #0000ff;"> - now with correct answers</span>:</h2><ul><li><h5 id="How_secure_is_this">How secure is this?</h5></li></ul><p><span style="color: #ff0000;"><strong style="font-size: 12pt;">It is NOT secure at all!</strong></span></p><p><span style="color: #0000ff;">You <strong>disclose the password</strong> via <code class="jive-code">KEYSTORE_PASSWORD</code>. No matter how complex the implementation is. No matter if it uses Java KeyStore, RSA, DES, or other algorithms. No matter how long the RSA key is. No matter if any 3rd-party vault implementation is used. You <strong>disclose the password</strong> to access the vault. Everyone who has access to the config can easily decrypt all the passwords you have encrypted. This approach in JBoss is highly <strong>vulnerable</strong>! Unfortunately the Red Hat architect misleads all the users.</span></p><p><span style="color: #0000ff;">Compare it to the following. You have a sophisticated lock on your house door. But you leave the key hanging on the door. Would you expect any safety? Or you have a highly secure alarm system in your car. But you leave the key on the hood of your car. What would you expect? Everyone can open your home door and use your car. The same is true here with the JBoss vault.</span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><ul><li><h5 id="Can_I_really_secure_the_keystore">Can I really secure the keystore?</h5><ul><li>You can store the keystore on a USB stick, an encrypted secure USB stick or such.</li><li>When the server starts, insert the USB stick. On successful start, you can remove the USB stick.</li></ul></li></ul><p style="padding-left: 60px;"><span style="color: #ff0000;"><strong style="font-size: 12pt;">Wrong.</strong></span></p><p><span style="color: #0000ff;">You can use a USB stick on your developer's computer only.
But you cannot use a USB stick on your production servers. Because normally there is no physical access to it: it may be in a secured room you have no access to, or at your customer's site hundreds of miles away, or it may be at your hosting provider, or in a cloud at Amazon, Rackspace, you name it.</span></p><p><span style="color: #0000ff;">The JBoss server must start automatically each time the system starts. For instance the system was upgraded, or a patch was applied, or hardware was replaced, or the system was restored from a backup. The whole system is restarted. The JBoss server must automatically start, too. If the vault is missing, your application on JBoss will NOT start.</span></p><p><span style="color: #0000ff;">One might suggest putting the vault on another disk, mounting it temporarily during system start-up, then unmounting it automatically after JBoss has started. But this only reduces the probability. It does not solve the problem. As long as a disk is mounted, it is available to all system processes. A hacker or a process started by a hacker can access the mounted disk, too.</span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><span style="color: #0000ff;">The worst thing is that the Red Hat architect who designed and implemented it does not warn the users. Users have a <strong>false feeling of safety</strong>. Wake up! You are in big trouble if you use the JBoss vault.</span></p></div><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p>
                    </blockquote><p>Can you stop spreading FUD around?</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Read it: it says it uses "Password based Encryption", which is security by obscurity. It is not 100% security.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>To really get foolproof security of passwords, you either:</p><p>a) use a FIPS 140-2 certified keystore, or</p><p>b) use a 3rd-party ISV implementation of the vault.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The default implementation provided allows masking of passwords and not ENCRYPTION of passwords.</p></div>
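<p>The point argued in the comment above (a masked <code class="jive-code">KEYSTORE_PASSWORD</code> sitting next to the salt and iteration count needed to unmask it, with the masking passphrase fixed in the tool, is obfuscation rather than encryption), as an added runnable example. This is illustrative Python written for this page; it is not code from JBoss, PicketBox, or either commenter. Assumptions: the <code class="jive-code">MASK-</code> prefix and the <code class="jive-code">vault-option</code> names are modelled on the AS7 vault but the config text is constructed here; PBKDF2-HMAC-SHA256 driving an XOR keystream plus an HMAC tag stands in for the "Password based Encryption" the thread mentions; and <code class="jive-code">TOOL_PASSPHRASE</code> is an invented stand-in for whatever fixed passphrase a real masking step would use.</p>

```python
"""Constructed demonstration: a password "masked" with parameters that live in
the same config as the masked value is recoverable by anyone who can read that
config.  Illustrative code for this page, not JBoss/PicketBox code."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumption: the passphrase the masking tool derives its key from is fixed
# inside the tool (or otherwise reachable by any config reader).  This string
# is constructed for the example and is not a real JBoss value.
TOOL_PASSPHRASE = "fixed-passphrase-built-into-the-masking-tool"
TAG_LEN = 32  # HMAC-SHA256 tag appended to the ciphertext


def _key_material(passphrase: str, salt: bytes, iterations: int, length: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stands in for the thread's 'Password based Encryption'."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=length)


def mask(password: str, passphrase: str, salt: bytes, iterations: int) -> str:
    """Return 'MASK-<base64>': plaintext XOR a per-salt keystream, plus an HMAC tag.

    The keystream depends on (passphrase, salt), so a salt must never be reused
    under the same passphrase; the tag lets unmask() detect a wrong passphrase
    instead of silently returning garbage."""
    pt = password.encode()
    km = _key_material(passphrase, salt, iterations, len(pt) + TAG_LEN)
    stream, mac_key = km[: len(pt)], km[len(pt):]
    ct = bytes(a ^ b for a, b in zip(pt, stream))
    tag = hmac.new(mac_key, ct, "sha256").digest()
    return "MASK-" + base64.b64encode(ct + tag).decode()


def unmask(masked: str, passphrase: str, salt: bytes, iterations: int) -> str:
    """Inverse of mask(); raises ValueError on a wrong passphrase or tampering."""
    if not masked.startswith("MASK-"):
        raise ValueError("not a masked value")
    blob = base64.b64decode(masked[len("MASK-"):])
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    km = _key_material(passphrase, salt, iterations, len(ct) + TAG_LEN)
    stream, mac_key = km[: len(ct)], km[len(ct):]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        raise ValueError("wrong passphrase or tampered value")
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def build_vault_config(keystore_password: str, passphrase: str,
                       salt: Optional[bytes] = None, iterations: int = 50) -> str:
    """Constructed vault-style config block (option names are an assumption):
    the masked password, its salt and its iteration count sit side by side."""
    salt = salt if salt is not None else os.urandom(8)
    masked = mask(keystore_password, passphrase, salt, iterations)
    return (
        "<vault>\n"
        f'  <vault-option name="KEYSTORE_PASSWORD" value="{masked}"/>\n'
        f'  <vault-option name="SALT" value="{salt.hex()}"/>\n'
        f'  <vault-option name="ITERATION_COUNT" value="{iterations}"/>\n'
        "</vault>\n"
    )


def recover_keystore_password(config_text: str, passphrase: str) -> str:
    """What any config reader can do: parse the three options and run the
    public unmask routine.  Nothing here is secret except `passphrase`."""
    opts = dict(re.findall(r'name="([A-Z_]+)" value="([^"]*)"', config_text))
    return unmask(opts["KEYSTORE_PASSWORD"], passphrase,
                  bytes.fromhex(opts["SALT"]), int(opts["ITERATION_COUNT"]))


def config_alone_suffices(config_text: str) -> bool:
    """True if the config plus the tool's built-in passphrase recovers the
    keystore password; False if the unmasking secret was kept out of band."""
    try:
        recover_keystore_password(config_text, TOOL_PASSPHRASE)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    leaky = build_vault_config("keystore-pw-1", TOOL_PASSPHRASE)
    print(leaky)
    print("recovered from config alone:", recover_keystore_password(leaky, TOOL_PASSPHRASE))
    # Same scheme, but the unmasking secret is never written into config or tool:
    guarded = build_vault_config("keystore-pw-1", "entered-by-operator-at-boot")
    print("config alone suffices:", config_alone_suffices(guarded))
```

<p>Run as a script, the first config is recoverable by anyone who can read it, because the passphrase is the same in every copy of the tool; the second uses the same cipher and parameters but a passphrase supplied out of band, so <code class="jive-code">config_alone_suffices()</code> returns False. That contrast is the substance of the disagreement above: the strength of the cipher is irrelevant while the unmasking secret travels with the config, and only keeping that secret elsewhere (a hardware or FIPS keystore, a third-party vault, a value entered at boot) changes the outcome.</p>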
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>