On 06/12/2014 11:08 AM, David M. Lloyd wrote:
On 06/12/2014 10:55 AM, Anil Saldhana wrote:
> I also want to highlight the difference between PBE and PBKDF2
> (http://en.wikipedia.org/wiki/PBKDF2).
> Developers keep pushing for PBKDF2 which is essentially a one way
> process. You cannot get the password back.
> In the case of an application server, there is a need to get access to
> the configured database password to talk to
> a database or another EIS system. So it is a two way process. Not all
> databases can do a hashed/digest mechanism.
>
> I hope we can document this in Elytron documentation somewhere.
The Password SPI in fact has OneWayPassword and TwoWayPassword
sub-interfaces.
At present, the only TwoWayPassword implementation we have is "clear",
which, as the name says, is a clear password (and thus is trivially
"reversible"). We recently were discussing that there seem to be very
few (if any) good, reliable two-way password strategies (which do not
involve a keystore, which is *not* the same thing).
I've deliberately been referring to non-clear TwoWayPassword schemes as
"obfuscation" rather than "encryption" since few (if any) two-way
algorithms will actually make the password "secure" in the event of
theft. More likely this is for the "accidental printout" kind of case.
You are using the right term, David. I use obfuscation or masking for the
two way password feature. I remember around 2007, Jason and I had this
minor argument with a JBoss author who kept insisting on using the word
"Encryption" for the masking.
Unfortunately PBE is the only available mechanism to do the two way
password without the low-user-experience usage of a keystore or other
certificate mechanism.
That said, if anyone knows of any good two-way password obfuscation
algorithms they think should be supported, please comment here and/or
open an issue at
https://issues.jboss.org/browse/ELY describing the
algorithm (preferably with a link to a specification if possible).
I have seen a lot of usage and demand for this open source project - jasypt.
http://www.jasypt.org/
I have been planning on using it in PicketLink (http://www.picketlink.org)
to get away from all the PBE based mechanisms we have to mask passwords in
configuration files.
Maybe Elytron can use this library as a dependency.
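To make the one-way versus two-way distinction discussed in this thread concrete, here is an added example (not Elytron, PicketLink or jasypt code) that uses only the JCE algorithms shipped with the JDK; the class name, the sample database password and the "master" masking password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class OneWayVsTwoWay {
    static final int ITERATIONS = 100_000;

    // One-way: PBKDF2 turns the password into a verifier. Storing (salt, verifier)
    // lets us check a later login attempt, but the password cannot be recovered.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Two-way: PBE encrypts the database password under a key derived from a
    // "master" password. Whoever holds that master password (which itself has to
    // live on the server) gets the clear value back, which is why it is "masking".
    static byte[] pbe(int mode, char[] master, byte[] salt, byte[] iv, byte[] in) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBEWithHmacSHA256AndAES_256")
                .generateSecret(new PBEKeySpec(master));
        Cipher c = Cipher.getInstance("PBEWithHmacSHA256AndAES_256");
        c.init(mode, key, new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[16];
        rnd.nextBytes(salt); rnd.nextBytes(iv);
        byte[] dbPassword = "s3cret-db-pw".getBytes(StandardCharsets.UTF_8); // constructed sample

        byte[] verifier = pbkdf2("s3cret-db-pw".toCharArray(), salt);
        System.out.println("PBKDF2 verifier (one-way): " + Base64.getEncoder().encodeToString(verifier));
        System.out.println("Login check matches: " + Arrays.equals(verifier, pbkdf2("s3cret-db-pw".toCharArray(), salt)));

        char[] master = "masking-password-from-config".toCharArray(); // constructed sample
        byte[] masked = pbe(Cipher.ENCRYPT_MODE, master, salt, iv, dbPassword);
        byte[] recovered = pbe(Cipher.DECRYPT_MODE, master, salt, iv, masked);
        System.out.println("PBE gives the clear password back: " + new String(recovered, StandardCharsets.UTF_8));
    }
}
```

The second half is what a datasource needs (the clear password comes back), and it also shows why the scheme is only as secret as wherever the master password is kept.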