Hi,

> if you're prevented from implementing SSL why not use TLSv1.3?

I have not found any evidence that the Zookeeper server or the (Java) client supports TLS in version 3.4.13. Please point me to some docs or tutorial. We don't want to fork Zookeeper to implement this stuff ourselves :)

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 27 Sep 2018 at 15:17, Martin Gainty <mgai...@hotmail.com> wrote:
>
> ________________________________
> From: Jan Høydahl <jan....@cominvent.com>
> Sent: Thursday, September 27, 2018 5:12 AM
> To: user@zookeeper.apache.org
> Subject: Digest auth with classic TCP transport
>
> Hi
>
> We use ZK 3.4.13, and unfortunately cannot use Netty transport and SSL.
> We plan to use digest authentication and Zookeeper ACL protection.
>
> Question is, since we cannot use SSL, is there some other way to make sure
> the user credentials are not sniffed over the network and thus let an
> attacker impersonate our application and change the content in Zookeeper? Does
> the Zookeeper client do some smart moves to protect/hash the password over
> the network? I suppose the binary transport is easy to decipher for those who
> try.
>
> MG>if you're prevented from implementing SSL why not use TLSv1.3?
> MG>with TLSv1.3 you can implement encryption/decryption with crypto
> private/public keys and x509 certs
> https://en.wikipedia.org/wiki/Transport_Layer_Security
>
> MG>path of least resistance is to contact verisign and ask them to generate
> keys, certs and allow them to act as CA
> MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla
> v60...and some versions of chrome
> MG>as far as ciphers to prevent MIMA do not implement TLS_DH_anon and
> TLS_ECDH_anon key agreement methods
> MG>do not authenticate the server
> MG>you will want public key size to be min 2048bit to conform to chrome
> secure transmission requirements
> MG>securing message is done thru MD5 or SHA but you will need to incorporate
> selected algo into
> MG>supported cipher-suite(s)
> https://en.wikipedia.org/wiki/Cipher_suite
>
> HTH
> Martin
> --
> Jan Høydahl
> Cominvent AS - www.cominvent.com
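To illustrate the question Jan raises about whether the client hashes the password: ZooKeeper's "digest" scheme hashes only on the server side. The client hands the raw `user:password` bytes to `addAuthInfo`, and the server computes `user:base64(sha1(user:password))` and compares it with the ACL id. The following is an added example written for this thread, not ZooKeeper's own code; the credential `app:s3cret` is a constructed sample.

```python
import base64
import hashlib

# Added example mirroring ZooKeeper's DigestAuthenticationProvider logic
# (not the project's own code). ACL id format: "user:" + base64(sha1("user:password")).


def zk_digest_id(user: str, password: str) -> str:
    """ACL id used with scheme "digest", e.g. setAcl digest:<id>:crwda."""
    raw = f"{user}:{password}".encode("utf-8")
    digest = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return f"{user}:{digest}"


def client_auth_token(user: str, password: str) -> bytes:
    """Bytes the client passes to addAuthInfo("digest", ...).

    The digest scheme performs no client-side hashing, so on the classic
    (non-TLS) TCP transport these bytes cross the network as-is.
    """
    return f"{user}:{password}".encode("utf-8")


def server_accepts(auth_token: bytes, acl_id: str) -> bool:
    """Server side: hash the received token and compare it with the ACL id."""
    id_password = auth_token.decode("utf-8")
    user, _, _ = id_password.partition(":")
    digest = base64.b64encode(hashlib.sha1(auth_token).digest()).decode("ascii")
    return f"{user}:{digest}" == acl_id


if __name__ == "__main__":
    acl_id = zk_digest_id("app", "s3cret")  # constructed sample credential
    token = client_auth_token("app", "s3cret")
    print("ACL id stored in ZooKeeper:", acl_id)
    print("client token sent over the wire:", token)
    print("server accepts token:", server_accepts(token, acl_id))
```

Because only the ACL id is hashed, the confidentiality of the credential in transit depends entirely on the transport, which is why Netty with TLS (or a SASL mechanism) is the usual answer rather than the digest scheme alone.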