]
Darran Lofthouse resolved AS7-4982.
-----------------------------------
Resolution: Deferred
I am marking this specific issue as deferred as it is something we are working to address
at a higher level.
The reason that we use hashed passwords is because we are using Digest based
authentication by default in AS7 for the HTTP management interface and the Remoting
connectors - to achieve this we either need to store the password in a recoverable form or
we need to pre-hashed to match the authentication mechanism in use.
For any immediate problems this proves to migrations end users can now deploy their own
plug-in using their own backing store of passwords with whatever restrictions they wish to
place on the storage.
From an AS perspective our first task is to enhance the Digest
mechanisms themselves to support stronger hashes and then the passwords we store can be
hashed using these mechanisms.
add-user.sh script (to pre-hash password used in domain security
realms for use with HTTP and SASL Digest) use weakeness hashing security algorithm (MD5)
that is broken for a long time
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Key: AS7-4982
URL:
https://issues.jboss.org/browse/AS7-4982
Project: Application Server 7
Issue Type: Bug
Components: Domain Management, Security
Affects Versions: 7.1.2.Final (EAP)
Environment: Jboss EAP 6.0 Beta2
Jboss AS 7.1.1
Linux RHEL 5.4
JDK 1.6.0_24
Reporter: Yannick LE NY
Assignee: Darran Lofthouse
In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to
add user access to the Jboss console.
And in the the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user
java class is used to :
1) add the login in the files standalone/configuration/mgmt-users.properties and
domain/configuration/mgmt-users.properties
2) first hash the password with MD5 hash algorithm and then copy it hashed in the files
standalone/configuration/mgmt-users.properties and
domain/configuration/mgmt-users.properties
When you search about the org.jboss.as.domain-add-user java class on the Internet, you
find this source file
http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-dom...
and this file use an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class
that is in the file
http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/...
In the file UsernamePasswordHashUtil.java, we can see that this is the weakness MD5 hash
algorithm that is used and that is broken for a long time :
At
http://en.wikipedia.org/wiki/MD5, the wikipedia article said :
"In 1996, a flaw was found with the design of MD5, and while it was not a clearly
fatal weakness, cryptographers began recommending the use of other algorithms, such as
SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were
discovered in MD5, making further use of the algorithm for security purposes
questionable...In December 2008, a group of researchers used this technique to fake SSL
certificate validity,[7][8] and
US-CERT now says that MD5 "should be considered cryptographically broken and
unsuitable for further use."[9]
and most U.S. government applications now require the SHA-2 family of hash
functions."
org.jboss.sasl.util.UsernamePasswordHashUtil class use java.security.MessageDigest
class.
As you can see at :
http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html,
getAlgorithm function can use several hash or Message Digest Algorithms.
The hash or Message Digest Algorithms available are :
MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512
http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry...
Then can you replace the weakness MD5 Message Digest Algorithm used by add-user.sh by
SHA-256 or AES-256 ?
Note : The security team in my big company want now that all the application servers used
in the company use strong
cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic
11.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: