[wildfly-dev] On the WildFly Elytron PasswordFactory API
Anil Saldhana
Anil.Saldhana at redhat.com
Thu Jun 12 13:08:37 EDT 2014
On 06/12/2014 11:08 AM, David M. Lloyd wrote:
> On 06/12/2014 10:55 AM, Anil Saldhana wrote:
>> I also want to highlight the difference between PBE and PBKDF2
>> (http://en.wikipedia.org/wiki/PBKDF2).
>> Developers keep pushing for PBKDF2 which is essentially a one way
>> process. You cannot get the password back.
>> In the case of an application server, there is a need to get access to
>> the configured database password to talk to
>> a database or another EIS system. So it is a two way process. Not all
>> databases can do a hashed/digest mechanism.
>>
>> I hope we can document this in Elytron documentation somewhere.
> The Password SPI in fact has OneWayPassword and TwoWayPassword
> sub-interfaces.
>
> At present, the only TwoWayPassword implementation we have is "clear",
> which, as the name says, is a clear password (and thus is trivially
> "reversible"). We recently were discussing that there seem to be very
> few (if any) good, reliable two-way password strategies (which do not
> involve a keystore, which is *not* the same thing).
>
> I've deliberately been referring to non-clear TwoWayPassword schemes as
> "obfuscation" rather than "encryption" since few (if any) two-way
> algorithms will actually make the password "secure" in the event of
> theft. More likely this is for the "accidental printout" kind of case.
You are using the right term, David. I use obfuscation or masking for the
two way password feature. I remember around 2007, Jason and I had this
minor argument
with a JBoss author who kept insisting on using the word "Encryption for
the masking.
Unfortunately PBE is the only available mechanism to do the two way
password without
the low-user-experience usage of a keystore or other certificate mechanism.
>
> That said, if anyone knows of any good two-way password obfuscation
> algorithms they think should be supported, please comment here and/or
> open an issue at https://issues.jboss.org/browse/ELY describing the
> algorithm (preferably with a link to a specification if possible).
>
I have seen a lot of usage and demand for this open source project - jasypt.
http://www.jasypt.org/
I have been planning on using it in PicketLink
(http://www.picketlink.org) to get away from all
the PBE based mechanisms we have to mask passwords in configuration files.
Maybe Elytron can use this library as a dependency.
More information about the wildfly-dev
mailing list