Re: Password encryption for service definitions

2019-01-08 Thread Don Bosco Durai
I also feel we shouldn't store the key along with the encrypted data. It 
defeats the purpose.

Adam, getting it from properties is one way to do it. We have to ensure that the 
key is auto-generated per install, and we have to ensure that it works in an HA 
environment.

Ideally, even the config file shouldn't have the actual key. It should be in 
the keystore, with only the user Privacera having read permission. The key to the 
keystore can be in the config file.

The other way is to use Ranger KMS in the future.

Bosco


On 1/8/19, 6:13 AM, "Rempter, A. (Adam)" wrote:

Hey Zsombor,

Thanks for the update.

I understand that... but it means that (when storing the encryption key next to 
the password) it is effectively not encrypted.

According to OWASP 
(https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Ensure_that_any_secret_key_is_protected_from_unauthorized_access):

Rule - Store unencrypted keys away from the encrypted data
If the keys are stored with the data then any compromise of the data will 
easily compromise the keys as well. Unencrypted keys should never reside on the 
same machine or cluster as the data.

One solution would be simply not to store the encryption key in the db. It is anyway 
available via the configuration key:

public static final String ENCRYPT_KEY =
    PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY);

What do you think?

Thanks,
Adam

-----Original Message-----
From: Zs. [mailto:gzsom...@gmail.com]
Sent: 8 January 2019 14:56
To: ranger
Subject: Re: FW: Password encryption for service definitions

Hi,

The problem is that Ranger needs to know the password to reach out to the 
service, so it must store the password somewhere in a decryptable state.
Ideally, every service/protocol should support Kerberos, so authentication 
could work without passwords.

Regards,
Zsombor

On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam) wrote:

> Hello there,
>
> While using Ranger I noticed that when I create service def with input
> property:
>   {
>     "itemId": 3,
>     "name": "password",
>     "type": "password",
>     "subType": "",
>     "mandatory": true,
>     "validationRegEx": "",
>     "validationMessage": "",
>     "uiHint": "",
>     "label": "Secret key"
>   }
>
> Ranger will encrypt it using:
>
>   if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
>       String cryptConfigString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + ","
>               + ITERATION_COUNT + "," + configValue;
>       String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString);
>       // remainder of the block omitted in the original message
>   }
>
> Problem is that all encryption parameters are stored next to password 
> (encryption key and salt):
>
> | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | 1 | 82 | password | PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLYLo,1000,6IxJOOpoFsJXyLNjNf/M9Q== |
>
> Even if I change the default ones in
> $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site.xml,
> they will still be stored in the db.
>
> Is this a known issue? Basically it means that the password can be decrypted
> with little effort…
>
> Thanks,
> Adam Rempter
>
>
> ING Business Shared Services B.V., with its registered office in Amsterdam, the Netherlands,
> VAT PL 526-319-58-54, operating in Poland in the form of a branch under the name
> ING Business Shared Services B.V. spółka z ograniczoną odpowiedzialnością Oddział w Polsce,
> with its registered office in Katowice, ul. Konduktorska 35, 40-155 Katowice, NIP: 2050005130,
> entered in the register of entrepreneurs of the National Court Register kept by the
> District Court Katowice-Wschód in Katowice, VIII Commercial Division of the National
> Court Register, under KRS number 702305.
>






Re: FW: Password encryption for service definitions

2019-01-08 Thread Rempter, A. (Adam)
Hey Zsombor,

Thanks for the update.

I understand that... but it means that (when storing the encryption key next to 
the password) it is effectively not encrypted.

According to OWASP 
(https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Ensure_that_any_secret_key_is_protected_from_unauthorized_access):

Rule - Store unencrypted keys away from the encrypted data
If the keys are stored with the data then any compromise of the data will 
easily compromise the keys as well. Unencrypted keys should never reside on the 
same machine or cluster as the data.

One solution would be simply not to store the encryption key in the db. It is anyway 
available via the configuration key:

public static final String ENCRYPT_KEY =
    PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY);

What do you think?

Thanks,
Adam

-----Original Message-----
From: Zs. [mailto:gzsom...@gmail.com]
Sent: 8 January 2019 14:56
To: ranger
Subject: Re: FW: Password encryption for service definitions

Hi,

The problem is that Ranger needs to know the password to reach out to the 
service, so it must store the password somewhere in a decryptable state.
Ideally, every service/protocol should support Kerberos, so authentication 
could work without passwords.

Regards,
Zsombor

On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam) wrote:

> Hello there,
>
> While using Ranger I noticed that when I create service def with input
> property:
>   {
>     "itemId": 3,
>     "name": "password",
>     "type": "password",
>     "subType": "",
>     "mandatory": true,
>     "validationRegEx": "",
>     "validationMessage": "",
>     "uiHint": "",
>     "label": "Secret key"
>   }
>
> Ranger will encrypt it using:
>
>   if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
>       String cryptConfigString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + ","
>               + ITERATION_COUNT + "," + configValue;
>       String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString);
>       // remainder of the block omitted in the original message
>   }
>
> Problem is that all encryption parameters are stored next to password 
> (encryption key and salt):
>
> | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | 1 | 82 | password | PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLYLo,1000,6IxJOOpoFsJXyLNjNf/M9Q== |
>
> Even if I change the default ones in
> $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site.xml,
> they will still be stored in the db.
>
> Is this a known issue? Basically it means that the password can be decrypted
> with little effort…
>
> Thanks,
> Adam Rempter
>
>
>



Re: FW: Password encryption for service definitions

2019-01-08 Thread Zs.
Hi,

The problem is that Ranger needs to know the password to reach out to the
service, so it must store the password somewhere in a decryptable state.
Ideally, every service/protocol should support Kerberos, so authentication
could work without passwords.

Regards,
Zsombor

On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam) wrote:

> Hello there,
>
> While using Ranger I noticed that when I create service def with input
> property:
>   {
>     "itemId": 3,
>     "name": "password",
>     "type": "password",
>     "subType": "",
>     "mandatory": true,
>     "validationRegEx": "",
>     "validationMessage": "",
>     "uiHint": "",
>     "label": "Secret key"
>   }
>
> Ranger will encrypt it using:
>
>   if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
>       String cryptConfigString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + ","
>               + ITERATION_COUNT + "," + configValue;
>       String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString);
>       // remainder of the block omitted in the original message
>   }
>
> Problem is that all encryption parameters are stored next to password
> (encryption key and salt):
>
> | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | 1 | 82 | password | PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLYLo,1000,6IxJOOpoFsJXyLNjNf/M9Q== |
>
> Even if I change the default ones in
> $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site.xml,
> they will still be stored in the db.
>
> Is this a known issue? Basically it means that the password can be decrypted with
> little effort…
>
> Thanks,
> Adam Rempter
>
>
>


FW: Password encryption for service definitions

2019-01-08 Thread Rempter, A. (Adam)
Hello there,

While using Ranger I noticed that when I create service def with input property:
  {
    "itemId": 3,
    "name": "password",
    "type": "password",
    "subType": "",
    "mandatory": true,
    "validationRegEx": "",
    "validationMessage": "",
    "uiHint": "",
    "label": "Secret key"
  }

Ranger will encrypt it using:

  if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
      String cryptConfigString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + ","
              + ITERATION_COUNT + "," + configValue;
      String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString);
      // remainder of the block omitted in the original message
  }

Problem is that all encryption parameters are stored next to password 
(encryption key and salt):

| 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | 1 | 82 | password | PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLYLo,1000,6IxJOOpoFsJXyLNjNf/M9Q== |

Even if I change the default ones in
$ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site.xml,
they will still be stored in the db.

Is this a known issue? Basically it means that the password can be decrypted with
little effort…

Thanks,
Adam Rempter
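Added example, not Ranger's code and not from any poster in this thread: a sketch of the design the thread converges on. Adam's finding above is that the stored value carries the PBE key and salt next to the ciphertext; Adam's and Bosco's proposals (top of the thread) are that the key should be resolved from configuration or, better, a keystore readable only by the service user, with only the keystore password in the config file, generated once per install and shared across HA nodes. The class name, the keystore path, the `ranger.keystore.password` property and the reuse of `ranger.password.encryption.key` as a keystore alias are assumptions made for this example; the algorithm name and iteration count are the ones visible in the quoted database row. The database record produced here holds algorithm, salt, iteration count and ciphertext, and nothing else.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical keystore-backed replacement for the key handling in PasswordUtils (not Ranger code). */
public final class KeystoreBackedPasswordUtils {
    // Algorithm and iteration count as they appear in the stored value quoted in the thread.
    // PBEWithMD5AndDES is weak by today's standards; replacing it is a separate change.
    static final String CRYPT_ALGO = "PBEWithMD5AndDES";
    static final int ITERATION_COUNT = 1000;
    static final String KEY_ALIAS = "ranger.password.encryption.key"; // hypothetical keystore alias
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    private KeystoreBackedPasswordUtils(SecretKey key) {
        this.key = key;
    }

    /**
     * Opens the JCEKS keystore, creating it with a fresh random key on first use (once per
     * install). keystorePassword is the value read from the config file; the new file is
     * restricted to the owning user where the file system supports POSIX permissions.
     */
    public static KeystoreBackedPasswordUtils fromKeystore(Path keystoreFile, char[] keystorePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(keystorePassword);
        if (Files.exists(keystoreFile)) {
            try (InputStream in = Files.newInputStream(keystoreFile)) {
                ks.load(in, keystorePassword);
            }
        } else {
            ks.load(null, keystorePassword); // start from an empty keystore
        }
        if (!ks.containsAlias(KEY_ALIAS)) {
            byte[] raw = new byte[32];                 // per-install random key material
            RNG.nextBytes(raw);
            SecretKey generated = new SecretKeySpec(raw, CRYPT_ALGO);
            ks.setEntry(KEY_ALIAS, new KeyStore.SecretKeyEntry(generated), protection);
            try (OutputStream out = Files.newOutputStream(keystoreFile)) {
                ks.store(out, keystorePassword);
            }
            try {
                Files.setPosixFilePermissions(keystoreFile, PosixFilePermissions.fromString("rw-------"));
            } catch (UnsupportedOperationException e) {
                // non-POSIX file system (e.g. Windows): restrict the ACL out of band
            }
        }
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) ks.getEntry(KEY_ALIAS, protection);
        return new KeystoreBackedPasswordUtils(entry.getSecretKey());
    }

    /** Produces "algo,salt,iterations,ciphertext": the key is referenced by alias, never stored. */
    public String encrypt(String plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[8];                     // PBES1 (PKCS#5 v1.5) uses an 8-byte salt
        RNG.nextBytes(salt);
        Cipher cipher = Cipher.getInstance(CRYPT_ALGO);
        cipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, ITERATION_COUNT));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        return CRYPT_ALGO + "," + b64.encodeToString(salt) + "," + ITERATION_COUNT + "," + b64.encodeToString(ct);
    }

    public String decrypt(String stored) throws GeneralSecurityException {
        String[] f = stored.split(",", -1);
        if (f.length != 4 || !CRYPT_ALGO.equals(f[0])) {
            throw new IllegalArgumentException("not a keystore-backed record (" + f.length + " fields)");
        }
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher cipher = Cipher.getInstance(CRYPT_ALGO);
        cipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(b64.decode(f[1]), Integer.parseInt(f[2])));
        return new String(cipher.doFinal(b64.decode(f[3])), StandardCharsets.UTF_8);
    }

    /** True for the legacy "algo,key,salt,iterations,ciphertext" layout shown in the thread. */
    public static boolean isLegacyRecord(String stored) {
        String[] f = stored.split(",", -1);
        return f.length == 5 && f[0].startsWith("PBE");
    }

    public static void main(String[] args) throws Exception {
        Path keystoreFile = Path.of(args.length > 0 ? args[0] : "ranger-pbe.jceks");      // hypothetical path
        char[] keystorePassword = System.getProperty("ranger.keystore.password", "change-me").toCharArray(); // hypothetical property
        KeystoreBackedPasswordUtils utils = fromKeystore(keystoreFile, keystorePassword);

        String stored = utils.encrypt("s3cret-service-password");                         // constructed sample input
        System.out.println("stored in db : " + stored);
        System.out.println("round trip   : " + utils.decrypt(stored));
        // constructed legacy-shaped row (placeholder fields, not real key material): flagged for re-encryption
        System.out.println("legacy row?  : " + isLegacyRecord("PBEWithMD5AndDES,KEY,SALTSALT,1000,AAAAAAAAAAA="));
    }
}
```

Two operational points follow from Bosco's HA remark: the keystore file has to be provisioned to every Ranger Admin node from the same install step, otherwise each node generates its own key and records written by one node cannot be read by another; and existing rows, which `isLegacyRecord` flags, still contain their key inline, so the service passwords they hold should be re-entered through the new path rather than left in place.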

