[ https://issues.jboss.org/browse/AS7-4982?page=com.atlassian.jira.plugin.s... ] Yannick LE NY updated AS7-4982: ------------------------------- Summary: Jboss AS 7.1.1 / Jboss EAP 6.0 Beta2 : add-user.sh script use weakeness hashing algorithm (MD5) that is broken for a long time (was: add-user.sh script use weakeness hashing algorithm (MD5) that is broken for a long time) -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4982?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated AS7-4982: ---------------------------------- Fix Version/s: (was: 7.1.3.Final (EAP)) Component/s: Domain Management (was: Console) -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4982?page=com.atlassian.jira.plugin.s... ] Yannick LE NY updated AS7-4982: ------------------------------- Description: In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to add user access to the Jboss console. And in the the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user java class is used to : 1) add the login in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties 2) first hash the password with MD5 hash algorithm and then copy it hashed in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties When you search about the org.jboss.as.domain-add-user java class on the Internet, you find this source file http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-dom... and this file use an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class that is in the file http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/... In the file UsernamePasswordHashUtil.java, we can see that this is the weakness MD5 hash algorithm that is used and that is broken for a long time : At http://en.wikipedia.org/wiki/MD5, the wikipedia article said : "In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable...In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."[9] and most U.S. government applications now require the SHA-2 family of hash functions." org.jboss.sasl.util.UsernamePasswordHashUtil class use java.security.MessageDigest class. As you can see at : http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html, getAlgorithm function can use several hash or Message Digest Algorithms. The hash or Message Digest Algorithms available are : MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512 http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry... Then can you replace the weakness MD5 Message Digest Algorithm used by add-user.sh by SHA-256 or AES-256 ? Note : The security team in my big company want now that all the application servers used in the company use strong cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic 11. was: In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to add user access to the Jboss console. And in the the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user java class is used to : 1) add the login in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties 2) first hash the password with MD5 hash algorithm and then copy it hashed in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties When you search about the org.jboss.as.domain-add-user java class on the Internet, you find this source file http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-dom... and this file use an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class that is in the file http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/... In the file UsernamePasswordHashUtil.java, we can see that this is the weakness MD5 hash algorithm that is used and that is broken for a long time : At http://en.wikipedia.org/wiki/MD5, the wikipedia article said : "In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable...In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."[9] and most U.S. government applications now require the SHA-2 family of hash functions." org.jboss.sasl.util.UsernamePasswordHashUtil class use java.security.MessageDigest class. As you can see at : http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html, getAlgorithm function can use several hash or Message Digest Algorithms. The hash or Message Digest Algorithms available are : MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512 http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry... Then can you replace the weakness MD5 Message Digest Algorithm used by add-user.sh by SHA-256 or AES-256. The security team in my big company want now that all the application servers used in the company use strong cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic 11. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4982?page=com.atlassian.jira.plugin.s... ] Yannick LE NY updated AS7-4982: ------------------------------- Summary: add-user.sh script use weakeness hashing security algorithm (MD5) that is broken for a long time (was: add-user.sh script use weakeness hashing algorithm (MD5) that is broken for a long time) -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4982?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated AS7-4982: ---------------------------------- Summary: add-user.sh script (to pre-hash password used in domain security realms for use with HTTP and SASL Digest) use weakeness hashing security algorithm (MD5) that is broken for a long time (was: add-user.sh script (to crypt password for admin console) use weakeness hashing security algorithm (MD5) that is broken for a long time) -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira