[jboss-jira] [JBoss JIRA] (AS7-4982) add-user.sh script (to pre-hash password used in domain security realms for use with HTTP and SASL Digest) use weakeness hashing security algorithm (MD5) that is broken for a long time
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Tue Nov 27 04:48:22 EST 2012
[ https://issues.jboss.org/browse/AS7-4982?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse resolved AS7-4982.
-----------------------------------
Resolution: Deferred
I am marking this specific issue as deferred as it is something we are working to address at a higher level.
The reason that we use hashed passwords is because we are using Digest-based authentication by default in AS7 for the HTTP management interface and the Remoting connectors - to achieve this we either need to store the password in a recoverable form or we need to pre-hash it to match the authentication mechanism in use.
For any immediate problems this proves to migrations, end users can now deploy their own plug-in using their own backing store of passwords with whatever restrictions they wish to place on the storage.
From an AS perspective our first task is to enhance the Digest mechanisms themselves to support stronger hashes and then the passwords we store can be hashed using these mechanisms.
> add-user.sh script (to pre-hash password used in domain security realms for use with HTTP and SASL Digest) use weakeness hashing security algorithm (MD5) that is broken for a long time
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: AS7-4982
> URL: https://issues.jboss.org/browse/AS7-4982
> Project: Application Server 7
> Issue Type: Bug
> Components: Domain Management, Security
> Affects Versions: 7.1.2.Final (EAP)
> Environment: Jboss EAP 6.0 Beta2
> Jboss AS 7.1.1
> Linux RHEL 5.4
> JDK 1.6.0_24
> Reporter: Yannick LE NY
> Assignee: Darran Lofthouse
>
> In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to add user access to the Jboss console.
> And in the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user java class is used to :
> 1) add the login in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties
> 2) first hash the password with MD5 hash algorithm and then copy it hashed in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties
> When you search about the org.jboss.as.domain-add-user java class on the Internet, you find this source file
> http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-domain-management/7.1.1.Final/org/jboss/as/domain/management/security/AddPropertiesUser.java#AddPropertiesUser
> and this file uses an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class that is in the file
> http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.sasl/jboss-sasl/1.0.1.Final/org/jboss/sasl/util/UsernamePasswordHashUtil.java
> In the file UsernamePasswordHashUtil.java, we can see that it is the weak MD5 hash algorithm that is used, and that it has been broken for a long time :
> At http://en.wikipedia.org/wiki/MD5, the Wikipedia article said :
> "In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable...In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and
> US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."[9]
> and most U.S. government applications now require the SHA-2 family of hash functions."
> The org.jboss.sasl.util.UsernamePasswordHashUtil class uses the java.security.MessageDigest class.
> As you can see at : http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html,
> getAlgorithm function can use several hash or Message Digest Algorithms.
> The hash or Message Digest Algorithms available are :
> MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512
> http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
> http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
> Then can you replace the weak MD5 Message Digest Algorithm used by add-user.sh by
> SHA-256 or AES-256 ?
> Note : The security team in my big company want now that all the application servers used in the company use strong
> cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic 11.
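
The constraint described in the resolution comment above, as an added example that is not part of the original message or of the JBoss code base: with HTTP Digest (RFC 2617, `qop=auth`), the server can check a response using only a stored pre-hash, but only when that pre-hash was computed with the algorithm the mechanism itself uses. The class name, user, realm, password, nonce values and URI are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestPreHashDemo {
    // Hex-encoded digest of the colon-joined parts, the H(...) of RFC 2617.
    static String h(String alg, String... parts) throws Exception {
        byte[] d = MessageDigest.getInstance(alg)
                .digest(String.join(":", parts).getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Server side: only the stored pre-hash (HA1) is available, never the password.
    static boolean verify(String storedHa1, String method, String uri, String nonce,
                          String nc, String cnonce, String response) throws Exception {
        String ha2 = h("MD5", method, uri);
        String expected = h("MD5", storedHa1, nonce, nc, cnonce, "auth", ha2);
        // Constant-time comparison of the two hex strings.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     response.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the issue.
        String user = "alice", realm = "ExampleRealm", password = "example-password";
        String nonce = "c0ffee0123456789", nc = "00000001", cnonce = "0a4f113b";
        String method = "GET", uri = "/management";

        // Pre-hashed entry in the form username=HEX(MD5(username:realm:password)).
        String storedMd5 = h("MD5", user, realm, password);
        System.out.println(user + "=" + storedMd5);

        // Client side: derives the same HA1 from the typed password, then the response.
        String response = h("MD5", h("MD5", user, realm, password),
                            nonce, nc, cnonce, "auth", h("MD5", method, uri));
        System.out.println("MD5 pre-hash verifies: "
                + verify(storedMd5, method, uri, nonce, nc, cnonce, response));

        // Changing only the stored hash breaks the match: the Digest client still
        // computes HA1 with MD5, so the mechanism has to support the new hash first.
        String storedSha256 = h("SHA-256", user, realm, password);
        System.out.println("SHA-256 pre-hash verifies: "
                + verify(storedSha256, method, uri, nonce, nc, cnonce, response));
    }
}
```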