Re: Password encryption for service definitions
I also feel we shouldn't store the key along with the encrypted data. It defeats the purpose. Adam, getting from properties is one way to do it. We have to ensure that the key is auto generated per install and we have to ensure that it works in HA environment. Ideally, even the config file shouldn't have the actual key. It should be in the keystore with only user Privacera have the read permission. The key to the keystore can be in the config file. The other way is to use Ranger KMS in the future. Bosco On 1/8/19, 6:13 AM, "Rempter, A. (Adam)" wrote: Hey Zsombor, Thanks for update. I understand that... but it means that (when storing encryption key next to password) it is effectively not encrypted. According to owasp (https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Ensure_that_any_secret_key_is_protected_from_unauthorized_access) Rule - Store unencrypted keys away from the encrypted data If the keys are stored with the data then any compromise of the data will easily compromise the keys as well. Unencrypted keys should never reside on the same machine or cluster as the data. One solution would be simply not store encryption key in db. It is anyway available via configuration key: public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY) What do you think? Thanks, Adam -Wiadomość oryginalna- Od: Zs. [mailto:gzsom...@gmail.com] Wysłano: 8 stycznia 2019 14:56 Do: ranger Temat: Re: PD: Password encryption for service definitions Hi, The problem is that Ranger needs to know the password, to reach out to the service, so it must store the password somewhere in a decryptable state. Ideally, every service/protocol should support kerberos, so authentication could work without passwords. Regards, Zsombor On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam) wrote: > Hello there, > > While using Ranger I noticed that when I create service def with input > property: >{ > "itemId": 3, > "name": "password", > "type": "password", > "subType": "", > "mandatory": true, > "validationRegEx": "", > "validationMessage": "", > "uiHint":"", > "label": "Secret key" > } > > Ranger will encrypt it using: > > if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) { > String cryptConfigString = CRYPT_ALGO + "," > + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + > + configValue; > String encryptedPwd = > PasswordUtils.encryptPassword(cryptConfigString); > > Problem is that all encryption parameters are stored next to password > (encryption key and salt): > > | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | >1 | 82 | password | > PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLY > Lo,1000,6IxJOOpoFsJXyLNjNf/M9Q== > > Even if I change default ones in > $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site > .xml, > they will still be storred in db > > Is this know issue? Basically it means that password can be decrypted > with little effort… > > Thanks, > Adam Rempter > > > ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, > VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą > ING Business Shared Services B.V. spółka z ograniczoną > odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. > Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru > przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd > Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy > Krajowego Rejestru Sądowego pod numerem KRS 702305. > ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą ING Business Shared Services B.V. spółka z ograniczoną odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem KRS 702305.
ODP: PD: Password encryption for service definitions
Hey Zsombor, Thanks for update. I understand that... but it means that (when storing encryption key next to password) it is effectively not encrypted. According to owasp (https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Ensure_that_any_secret_key_is_protected_from_unauthorized_access) Rule - Store unencrypted keys away from the encrypted data If the keys are stored with the data then any compromise of the data will easily compromise the keys as well. Unencrypted keys should never reside on the same machine or cluster as the data. One solution would be simply not store encryption key in db. It is anyway available via configuration key: public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY) What do you think? Thanks, Adam -Wiadomość oryginalna- Od: Zs. [mailto:gzsom...@gmail.com] Wysłano: 8 stycznia 2019 14:56 Do: ranger Temat: Re: PD: Password encryption for service definitions Hi, The problem is that Ranger needs to know the password, to reach out to the service, so it must store the password somewhere in a decryptable state. Ideally, every service/protocol should support kerberos, so authentication could work without passwords. Regards, Zsombor On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam) wrote: > Hello there, > > While using Ranger I noticed that when I create service def with input > property: >{ > "itemId": 3, > "name": "password", > "type": "password", > "subType": "", > "mandatory": true, > "validationRegEx": "", > "validationMessage": "", > "uiHint":"", > "label": "Secret key" > } > > Ranger will encrypt it using: > > if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) { > String cryptConfigString = CRYPT_ALGO + "," > + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + > + configValue; > String encryptedPwd = > PasswordUtils.encryptPassword(cryptConfigString); > > Problem is that all encryption parameters are stored next to password > (encryption key and salt): > > | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | >1 | 82 | password | > PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLY > Lo,1000,6IxJOOpoFsJXyLNjNf/M9Q== > > Even if I change default ones in > $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site > .xml, > they will still be storred in db > > Is this know issue? Basically it means that password can be decrypted > with little effort… > > Thanks, > Adam Rempter > > > ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, > VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą > ING Business Shared Services B.V. spółka z ograniczoną > odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. > Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru > przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd > Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy > Krajowego Rejestru Sądowego pod numerem KRS 702305. > ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą ING Business Shared Services B.V. spółka z ograniczoną odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem KRS 702305.
Re: PD: Password encryption for service definitions
Hi, The problem is that Ranger needs to know the password, to reach out to the service, so it must store the password somewhere in a decryptable state. Ideally, every service/protocol should support kerberos, so authentication could work without passwords. Regards, Zsombor On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam) wrote: > Hello there, > > While using Ranger I noticed that when I create service def with input > property: >{ > "itemId": 3, > "name": "password", > "type": "password", > "subType": "", > "mandatory": true, > "validationRegEx": "", > "validationMessage": "", > "uiHint":"", > "label": "Secret key" > } > > Ranger will encrypt it using: > > if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) { > String cryptConfigString = CRYPT_ALGO + "," > + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + configValue; > String encryptedPwd = > PasswordUtils.encryptPassword(cryptConfigString); > > Problem is that all encryption parameters are stored next to password > (encryption key and salt): > > | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | >1 | 82 | password | > PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLYLo,1000,6IxJOOpoFsJXyLNjNf/M9Q== > > Even if I change default ones in > $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site.xml, > they will still be storred in db > > Is this know issue? Basically it means that password can be decrypted with > little effort… > > Thanks, > Adam Rempter > > > ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, VAT > PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą ING > Business Shared Services B.V. spółka z ograniczoną odpowiedzialnością > Oddział w Polsce z siedzibą w Katowicach, ul. Konduktorska 35, 40-155 > Katowice, NIP: 2050005130, wpisana do rejestru przedsiębiorców Krajowego > Rejestru Sądowego prowadzonego przez Sąd Rejonowy Katowice-Wschód w > Katowicach, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego pod > numerem KRS 702305. >
PD: Password encryption for service definitions
Hello there, While using Ranger I noticed that when I create service def with input property: { "itemId": 3, "name": "password", "type": "password", "subType": "", "mandatory": true, "validationRegEx": "", "validationMessage": "", "uiHint":"", "label": "Secret key" } Ranger will encrypt it using: if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) { String cryptConfigString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + configValue; String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString); Problem is that all encryption parameters are stored next to password (encryption key and salt): | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | 1 | 82 | password | PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLYLo,1000,6IxJOOpoFsJXyLNjNf/M9Q== Even if I change default ones in $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site.xml, they will still be storred in db Is this know issue? Basically it means that password can be decrypted with little effort… Thanks, Adam Rempter ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą ING Business Shared Services B.V. spółka z ograniczoną odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem KRS 702305.