On 2/12/16, 3:40 PM, "Tim Watts" <t...@cliftonfarm.org> wrote:
>On Fri, 2016-02-12 at 20:35 +0000, Dougherty, Gregory T., M.S. wrote:
>> You are correct, I'm trying to authorize the web app, not the user.
>>
>> Goal: I am trying to come up with a way for a Tomcat app to securely store
>> and retrieve the password it needs to access a DB.
>>
>> My definition of "secure" includes "there exist no files with an
>> unencrypted copy of the password". IIUC, JNDI fails this test.
>>
>> My requirements include that all web app components are checked in to a
>> source control system that malicious users can have read access to.
>>
>> Solution:
>> 1: Trusted user creates public:private key pair (1), distributes public key
>> 2: Web app developer creates public:private key pair (2), distributes
>> public key
>> 3: Web app developer encrypts password with private key 2, then public
>> key 1, stores with web app
>> 4: Web app calls decryption jar that's in tomcat/lib, passing in the
>> encrypted password from step 3
>> 5: Decryption code determines which app called it, pulls the public key
>> (3) saved for that app
>> 6: Decryption code decrypts with private key 1, public key 3, and returns
>> the unencrypted password.
>>
>> So long as 1: Trusted user can store private key where it's secure, but
>> accessible to decryption code
>
>Since the webapps all run in the same tomcat and therefore under the
>same OS user account, how do you ensure that *only* the decryption code
>can access the private key? Otherwise, any webapp could decrypt any
>other webapp's password.

I'm leaning towards having a web app that the sys admin uses to upload his private key to the decryption code. So long as we have a "setPrivateKey()" and no "getPrivateKey()" a malicious user can break everyone, but can't extract anything.

--
Gregory Dougherty
Sr. Analyst/Programmer | Information Technology
Information Technology
(507) 284-8493 | dougherty.greg...@mayo.edu
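Steps 3 to 6 of the proposal quoted above, together with the set-only key holder from this reply, as an added example that is not code from either poster: a Java class with setPrivateKey() but no getter, whose open() decrypts with private key 1 and then verifies the blob against the public key registered for the named app. Assumed choices the thread does not state: RSA-2048 with OAEP for key pair 1, ECDSA P-256 for each app's pair 2/3, a [sigLen][sig][password] layout inside the RSA block, and a caller-supplied app name for step 5.

```java
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
// Set-only key holder modelling steps 3-6 of the proposal. Assumed choices, not from the thread:
// RSA-2048/OAEP for key pair 1, ECDSA P-256 for each app's pair 2/3, and a self-reported caller name.
public final class PasswordVault {
    private static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private PrivateKey trustedKey;                                  // private key 1: settable, never returned
    private final Map<String, PublicKey> appKeys = new HashMap<>(); // public key 3 registered per app
    public void setPrivateKey(PrivateKey k) { trustedKey = k; }     // deliberately no getPrivateKey()
    public void registerApp(String app, PublicKey k) { appKeys.put(app, k); }
    // Step 3 (developer side): sign the password with app private key 2, then encrypt to public key 1.
    public static byte[] seal(byte[] pw, PrivateKey appKey, PublicKey trustedPub) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(appKey); s.update(pw);
        byte[] sig = s.sign();                                      // DER-encoded, at most 72 bytes
        byte[] blob = new byte[1 + sig.length + pw.length];         // layout: [sigLen][sig][password]
        blob[0] = (byte) sig.length;
        System.arraycopy(sig, 0, blob, 1, sig.length);
        System.arraycopy(pw, 0, blob, 1 + sig.length, pw.length);
        Cipher c = Cipher.getInstance(OAEP);                        // blob must stay under 190 bytes for RSA-2048
        c.init(Cipher.ENCRYPT_MODE, trustedPub);
        return c.doFinal(blob);
    }
    // Steps 5-6: decrypt with private key 1, then verify against the public key registered for callerApp.
    public byte[] open(String callerApp, byte[] sealed) throws GeneralSecurityException {
        PublicKey appPub = appKeys.get(callerApp);
        if (trustedKey == null || appPub == null) throw new KeyException("vault not provisioned for " + callerApp);
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.DECRYPT_MODE, trustedKey);
        byte[] blob = c.doFinal(sealed);
        int sigLen = blob[0] & 0xff;
        byte[] pw = Arrays.copyOfRange(blob, 1 + sigLen, blob.length);
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(appPub); v.update(pw);
        if (!v.verify(Arrays.copyOfRange(blob, 1, 1 + sigLen))) throw new SignatureException("not sealed by " + callerApp);
        return pw;
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA"), ec = KeyPairGenerator.getInstance("EC");
        rsa.initialize(2048); ec.initialize(256);
        KeyPair trusted = rsa.generateKeyPair(), appA = ec.generateKeyPair(), appB = ec.generateKeyPair();
        PasswordVault vault = new PasswordVault();
        vault.setPrivateKey(trusted.getPrivate());                  // the sysadmin's upload of private key 1
        vault.registerApp("appA", appA.getPublic()); vault.registerApp("appB", appB.getPublic());
        byte[] sealed = seal("db-pass-for-A".getBytes(), appA.getPrivate(), trusted.getPublic());
        System.out.println(new String(vault.open("appA", sealed)));          // the sealing app gets it back
        try { vault.open("appB", sealed); } catch (SignatureException e) { System.out.println("appB: " + e.getMessage()); }
    }
}
```

The second open() fails because app B's registered key does not match the signature, but open("appA", sealed) succeeds for whichever code in the JVM passes that name, so the signature binds a blob to an app without settling Tim's question of how the decryption code knows who called it.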