[jboss-jira] [JBoss JIRA] (ELY-1189) Create better way of masking passwords using modern PBE algorithm
Peter Skopek (JIRA)
issues at jboss.org
Tue May 23 13:16:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13410837#comment-13410837 ]
Peter Skopek commented on ELY-1189:
-----------------------------------
pskopek commented on 11 Jan
We need this new type of credential store to properly define the decrypt "facility" for masked passwords.
https://issues.jboss.org/browse/ELY-868
Example of usage:
{code:xml}
<credential-stores>
    <credential-store name="test" relative-to="jboss.server.data.dir">
        <uri>cr-store://test?create.storage=true</uri>
        <credential-reference store="masked-cs" alias="MASK-OCwoJ1d1RyGXVkUEuVCouA=="/>
    </credential-store>
    <credential-store name="masked-cs" type="PasswordBasedEncryptionCredentialStore">
        <uri>cr-store://masked-cs?salt=SALTsalt;iteration=234;keyAlgoritm=PBEWithHmacSHA1andAES_128;encodedIV=WzVT5uUpEoXAPihMYzAIhQ==</uri>
        <credential-reference clear-text="ThisIsStrangeInitialKey"/>
    </credential-store>
</credential-stores>
{code}
dmlloyd commented on 11 Jan
I disagree with this change; using a whole credential store for one password format seems wrong. Instead we should be using "MaskedPassword" in a regular credential store, or even in places where regular passwords are allowed as a special expression (I believe previously we used "MASK-" for this purpose).
pskopek commented on 11 Jan
This change will allow several credential-references to use one set of parameters for the PBE algorithm.
credential-reference can be used elsewhere in other subsystems.
I thought we were not going to use special expressions to supply passwords and would leave what we have to PicketBox vault/MASK usage.
pskopek commented on 11 Jan
oops, I see the problem. Putting this on hold to fix it.
dmlloyd commented on 11 Jan
Vault expressions should go, yes. But I think there are good arguments for allowing masked passwords to be used in places where clear passwords would otherwise be allowed.
pskopek commented on 11 Jan
I agree that masked passwords should be usable in places where clear passwords are allowed.
The only problem is that we have to separate the IV and InitialKey definitions/locations from the salt and iteration.
My idea is to use a new type of credential store for the IV and InitialKey, and the credential-reference or special expression will hold the salt, iteration and actual encrypted data.
Do you agree @dmlloyd ?
dmlloyd commented on 11 Jan
If the masked form of the password depends on IV then I guess the IV should be part of the MaskedPassword itself... then things which represent a masked password in text form would have to have configuration to tell what IV to use. Where do we store the IV today under PB?
dmlloyd commented on 11 Jan
The work of @zregvart is also tied into this.
pskopek commented on 11 Jan
As far as I remember PB is using a different algorithm, "PBEwithMD5andDES", which doesn't require an IV.
Sure, the IV could be part of MaskedPassword, but we still have the InitialKey.
It could be constant like in PB, but having the chance to store it inside a credential store would be much better.
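The salt, iteration, keyAlgoritm and encodedIV parameters of the masked-cs URI in the first comment, together with the IV/InitialKey separation argued above, map onto the JCE PBES2 API as in the following added example; it is an illustration written for this page, not Elytron's implementation, and the "MASK-" text prefix is taken from the discussion while the sample password and the randomly generated salt and IV are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Added illustration of the PBES2 masking scheme discussed in the thread; not Elytron code.
public final class MaskedPasswordDemo {
    // Same algorithm as the keyAlgoritm parameter of the masked-cs URI.
    static final String ALGORITHM = "PBEWithHmacSHA1AndAES_128";
    static final String PREFIX = "MASK-"; // text-form prefix, as mentioned in the discussion
    // The InitialKey (held in the credential store) is the PBE password; salt,
    // iteration count and IV are supplied separately as algorithm parameters.
    static Cipher cipher(int mode, char[] initialKey, byte[] salt, int iterations, byte[] iv) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM).generateSecret(new PBEKeySpec(initialKey));
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(mode, key, new PBEParameterSpec(salt, iterations, new IvParameterSpec(iv)));
        return c;
    }
    static String mask(char[] initialKey, byte[] salt, int iterations, byte[] iv, char[] clear) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, initialKey, salt, iterations, iv)
                .doFinal(new String(clear).getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().encodeToString(ct);
    }
    // Decryption only succeeds with the same InitialKey, salt, iteration count and IV,
    // which is why the thread wants the key and IV stored apart from the masked value.
    static char[] unmask(char[] initialKey, byte[] salt, int iterations, byte[] iv, String masked) throws Exception {
        if (!masked.startsWith(PREFIX)) throw new IllegalArgumentException("not a masked password");
        byte[] pt = cipher(Cipher.DECRYPT_MODE, initialKey, salt, iterations, iv)
                .doFinal(Base64.getDecoder().decode(masked.substring(PREFIX.length())));
        return new String(pt, StandardCharsets.UTF_8).toCharArray();
    }
    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[16]; // constructed: random salt and 16-byte AES IV
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        char[] initialKey = "ThisIsStrangeInitialKey".toCharArray(); // value from the thread's example
        char[] secret = "example-db-password".toCharArray();        // constructed sample password
        String masked = mask(initialKey, salt, 234, iv, secret);    // iteration=234 as in the URI
        char[] back = unmask(initialKey, salt, 234, iv, masked);
        if (!Arrays.equals(secret, back)) throw new AssertionError("round trip failed");
        Arrays.fill(back, '\0'); // scrub the recovered clear text once it has been used
    }
}
```

Losing either the InitialKey or the IV makes every masked value undecryptable, so both need to be backed up with the credential store, not only the masked strings.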
> Create better way of masking passwords using modern PBE algorithm
> -----------------------------------------------------------------
>
> Key: ELY-1189
> URL: https://issues.jboss.org/browse/ELY-1189
> Project: WildFly Elytron
> Issue Type: Task
> Components: Credential Store
> Reporter: Peter Skopek
> Assignee: Peter Skopek
>
> Create better way of masking passwords using modern PBE algorithm.
> This bug contains the discussion from PR: https://github.com/wildfly-security/wildfly-elytron/pull/619
> To have this documented and the PR closed.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)