Hi,
That's me again :) Well, I can't really find a reason, but from PHP I'm
able to do both encrypt & decrypt, while decrypting the Java-generated hash
returns unreadable symbols instead.
I've found the source code for both Graylog2 & the Play framework, but still
cannot reproduce this :-/ I also wasn't able to reproduce the behaviour in
Perl.
Here's an example of the script I'm trying to use (found somewhere on the net):
<?php
function pkcs5_pad($text, $blocksize)
{
    $pad = $blocksize - (strlen($text) % $blocksize);
    return $text . str_repeat(chr($pad), $pad);
}
$alg = MCRYPT_RIJNDAEL_128; // AES
$mode = MCRYPT_MODE_ECB; // not recommended unless used with OTP
$iv_size = mcrypt_get_iv_size($alg, $mode);
$block_size = mcrypt_get_block_size($alg, $mode);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM); // pull from /dev/urandom (ECB ignores the IV)
$key = "my_key_is_here"; // replaced for security reasons :) -- must be exactly the first 16 chars of application.secret
// separator between username and session-id must be a tab ("\t"), per the reply below
$input = utf8_encode("tester 9be23c27-9b1f-44d6-b257-c570123ccd8a");
$input = pkcs5_pad($input, $block_size); // PKCS5 padding done by hand; mcrypt does not add it
$crypttext = mcrypt_encrypt($alg, $key, $input, $mode, $iv);
$text = bin2hex($crypttext); // lowercase hex, as in the cookie
echo $text;
When I try to use the result, it's not working at all :( What am I missing?
On Monday, February 24, 2014 5:52:38 PM UTC+2, Kay Röpke wrote:
>
> Hi!
>
> The string
> e6c12bace0608a422bf03954086e4d0a2ec64e7396a95871af55d986d3c7517968aadfc203975fdc8433e824533229dd
> is what you want to decrypt.
> Use the first 16 characters from the application.secret (play uses only 16
> char keys for AES private key input) and use AES/ECB/PKCS5Padding.
> The content of cleartext will be username<tab>session-id. The session id
> can then be used for REST calls against the servers (as long as that
> session did not expire, of course).
> The code for decrypting is
> https://github.com/Graylog2/graylog2-web-interface/blob/0.20/app/models/UserService.java#L129-129
>
> The session-id value in the cookie should not change, but other fields
> might, of course.
>
> Best,
> Kay
>
> On Friday, February 21, 2014 11:30:43 AM UTC+1, Егор Морозов wrote:
>>
>> Hi!
>>
>> I've tried doing this, but still have no success :)
>> That's what I have in cookie:
>>
>> "bbf13a266d32aef6f89fb35f250db77d15f04516-sessionid=e6c12bace0608a422bf03954086e4d0a2ec64e7396a95871af55d986d3c7517968aadfc203975fdc8433e824533229dd"
>> If I correctly understood the code, the first part is username<tab>password,
>> the second is username<tab>session-id, but both parts are different every
>> time (that shouldn't happen because login/password are static).
>> I've tried to decode one of these strings using AES/ECB/PKCS5Padding, but
>> wasn't able to get anything useful. So I wonder if any other random
>> symbols are included in the cookie and what exactly the AES method
>> should be?
>>
>> Thanks!
>>
>> On Friday, January 24, 2014 1:02:55 PM UTC+2, Kay Röpke wrote:
>>>
>>> Hi! Sorry for the delay.
>>>
>>> You could do the same as the web interface does when logging a user in,
>>> which is a POST to the /system/sessions resource in the graylog2 server.
>>> That will return a session id and a validity timestamp (this is
>>> currently fixed to 8 hours).
>>>
>>> The web interface will then take the username and session-id, catenate
>>> them with a tab character and AES encrypt them to yield the final cookie
>>> field called sessionid.
>>> Which means that in order to write the cookie you need to have the
>>> application.secret of the web interface as well as the user credentials.
>>>
>>> The server also supports generating access tokens, even though it's not
>>> documented anywhere yet, but the web interface only relies on the cookie
>>> method described above.
>>> The underlying problem is that you need to set up authentication state
>>> in two separate applications, so I think this would get tricky and can
>>> break easily whenever our code changes.
>>>
>>> Best,
>>> Kay
>>>
>>>
>>> On Wednesday, January 22, 2014 2:09:31 PM UTC+1, Егор Морозов wrote:
>>>>
>>>> Thanks for the information.
>>>>
>>>> So what about the cookie generation? We have one page that
>>>> authenticates the users in Atlassian products by generating a cookie, I
>>>> think that it should be possible to do the same with Graylog2.
>>>>
>>>> On Wednesday, January 22, 2014 12:44:15 PM UTC+2, Kay Röpke wrote:
>>>>>
>>>>> Hi!
>>>>>
>>>>> Graylog2 0.20 web interface currently only supports authenticating via
>>>>> username/password and after that relies on its own session cookie to
>>>>> authenticate against the graylog2 servers.
>>>>> To support client certificates we would need to add that as an
>>>>> authentication mechanism. In fact we have received one or two questions
>>>>> about allowing certificates to be used for authentication, but so far this
>>>>> has been low priority, to be honest.
>>>>>
>>>>> For this to work sensibly and securely, we would need to support some
>>>>> kind of certificate management for all the connections between the user,
>>>>> web interface process and graylog2 server (as well as mongodb which stores
>>>>> the user's data and session information). That was well beyond the scope of
>>>>> this release, so we decided to not support it for now.
>>>>>
>>>>> If you need this feature, could you please file an issue over at
>>>>> github:
>>>>> https://github.com/Graylog2/graylog2-web-interface/issues?milestone=&state=open?
>>>>>
>>>>> BTW, it wouldn't be as easy as in the 0.1x versions, because starting
>>>>> in 0.20 the server authenticates all requests, too, and it has no knowledge
>>>>> about the first proxy server.
>>>>>
>>>>> Thanks,
>>>>> Kay
>>>>>
>>>>>
>>>>> On Wednesday, January 22, 2014 10:47:33 AM UTC+1, Егор Морозов wrote:
>>>>>>
>>>>>> Hello everyone!
>>>>>>
>>>>>> We've been using Graylog2 0.1x for a long time; it was simple enough
>>>>>> to patch it and make it use the SSL_CLIENT_S_DN_CN Apache env variable. As
>>>>>> it's now powered using a binary, this is much more painful to do the same, so I
>>>>>> wonder if it's somehow possible to make it use any of the variables passed
>>>>>> by a proxy (nginx/Apache) to authenticate the user.
>>>>>>
>>>>>> An alternative approach that I can see is to generate the cookie using a
>>>>>> perl or php script, but as I have no experience with Java, I can't really
>>>>>> understand how to generate the same cookie (like graylog2-web does). Could
>>>>>> someone describe this?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>
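Added example, not code from this thread or from the Graylog2 or Play sources: a Go program that does what Kay describes above in both directions, with the key taken as the first 16 characters of application.secret, the cleartext username<tab>session-id, AES/ECB/PKCS5Padding and lowercase hex output. The function names and the secret are assumptions constructed for the example; the session id is the one from the PHP script. Two checks the PHP script lacks are built in: a key that is not exactly 16, 24 or 32 bytes is refused (PHP 5.5's mcrypt silently pads a 14-byte key like the script's placeholder with NUL bytes, so the Java side, which only ever uses the first 16 characters of the secret, would be working with a different key), and the PKCS5 padding is verified on decryption, so a key mismatch shows up as an error instead of unreadable bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"strings"
)

const blockSize = aes.BlockSize // 16 bytes

// pkcs5Pad appends 1..16 bytes, each holding the pad length (PKCS#5/#7).
func pkcs5Pad(data []byte) []byte {
	pad := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(pad)}, pad)...)
}

// pkcs5Unpad strips the padding; malformed padding is reported, not returned as garbage.
func pkcs5Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("length is not a multiple of the AES block size")
	}
	pad := int(data[len(data)-1])
	if pad == 0 || pad > blockSize || !bytes.Equal(data[len(data)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid PKCS5 padding (wrong key or corrupted ciphertext)")
	}
	return data[:len(data)-pad], nil
}

// KeyFromSecret takes the first 16 characters of application.secret, as the thread
// says Play does; a shorter secret is refused rather than padded (assumed helper name).
func KeyFromSecret(secret string) ([]byte, error) {
	if len(secret) < 16 {
		return nil, errors.New("application.secret is shorter than 16 bytes")
	}
	return []byte(secret[:16]), nil
}

// EncryptECBHex is AES/ECB/PKCS5Padding with lowercase hex output; aes.NewCipher
// rejects any key that is not 16, 24 or 32 bytes instead of padding it.
func EncryptECBHex(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs5Pad(plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += blockSize { // ECB: every block on its own
		block.Encrypt(out[i:i+blockSize], padded[i:i+blockSize])
	}
	return hex.EncodeToString(out), nil
}

// DecryptECBHex is the inverse: hex decode, per-block decrypt, verified unpad.
func DecryptECBHex(key []byte, hexCipher string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct, err := hex.DecodeString(hexCipher)
	if err != nil || len(ct) == 0 || len(ct)%blockSize != 0 {
		return nil, errors.New("ciphertext is not valid hex of whole AES blocks")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += blockSize {
		block.Decrypt(pt[i:i+blockSize], ct[i:i+blockSize])
	}
	return pkcs5Unpad(pt)
}

// EncryptSessionID builds the sessionid cookie field from username<tab>session-id.
func EncryptSessionID(secret, username, sessionID string) (string, error) {
	key, err := KeyFromSecret(secret)
	if err != nil {
		return "", err
	}
	return EncryptECBHex(key, []byte(username+"\t"+sessionID))
}

// DecryptSessionID reverses it and splits the cleartext on the tab.
func DecryptSessionID(secret, hexCipher string) (string, string, error) {
	key, err := KeyFromSecret(secret)
	if err != nil {
		return "", "", err
	}
	pt, err := DecryptECBHex(key, hexCipher)
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(pt), "\t", 2)
	if len(parts) != 2 {
		return "", "", errors.New("cleartext has no tab separator")
	}
	return parts[0], parts[1], nil
}
```

With a 43-byte cleartext such as tester<tab>9be23c27-9b1f-44d6-b257-c570123ccd8a, PKCS5 adds five bytes and the output is 48 bytes, i.e. 96 hex characters, the same length as the sessionid value quoted in the thread. Because ECB encrypts every 16-byte block independently, the same username and session id always produce the same hex, and 32 identical plaintext bytes produce two identical ciphertext blocks; that structural leak is why the PHP script's own comment marks the mode as not recommended.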
--
You received this message because you are subscribed to the Google Groups
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.