You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Rempter, A. (Adam)" <ad...@ing.com.INVALID> on 2019/01/08 13:21:11 UTC
PD: Password encryption for service definitions
Hello there,
While using Ranger I noticed that when I create service def with input property:
{
"itemId": 3,
"name": "password",
"type": "password",
"subType": "",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint":"",
"label": "Secret key"
}
Ranger will encrypt it using:
if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
String cryptConfigString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + configValue;
String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString);
Problem is that all encryption parameters are stored next to password (encryption key and salt):
| 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 | 1 | 82 | password | PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLYLo,1000,6IxJOOpoFsJXyLNjNf/M9Q==
Even if I change default ones in $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site.xml, they will still be storred in db
Is this know issue? Basically it means that password can be decrypted with little effort…
Thanks,
Adam Rempter
ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą ING Business Shared Services B.V. spółka z ograniczoną odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem KRS 0000702305.
ODP: PD: Password encryption for service definitions
Posted by "Rempter, A. (Adam)" <ad...@ing.com.INVALID>.
Hey Zsombor,
Thanks for update.
I understand that... but it means that (when storing encryption key next to password) it is effectively not encrypted.
According to owasp (https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Ensure_that_any_secret_key_is_protected_from_unauthorized_access)
Rule - Store unencrypted keys away from the encrypted data
If the keys are stored with the data then any compromise of the data will easily compromise the keys as well. Unencrypted keys should never reside on the same machine or cluster as the data.
One solution would be simply not store encryption key in db. It is anyway available via configuration key:
public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY)
What do you think?
Thanks,
Adam
-----Wiadomość oryginalna-----
Od: Zs. [mailto:gzsombor@gmail.com]
Wysłano: 8 stycznia 2019 14:56
Do: ranger <de...@ranger.apache.org>
Temat: Re: PD: Password encryption for service definitions
Hi,
The problem is that Ranger needs to know the password, to reach out to the service, so it must store the password somewhere in a decryptable state.
Ideally, every service/protocol should support kerberos, so authentication could work without passwords.
Regards,
Zsombor
On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam) <ad...@ing.com.invalid> wrote:
> Hello there,
>
> While using Ranger I noticed that when I create service def with input
> property:
> {
> "itemId": 3,
> "name": "password",
> "type": "password",
> "subType": "",
> "mandatory": true,
> "validationRegEx": "",
> "validationMessage": "",
> "uiHint":"",
> "label": "Secret key"
> }
>
> Ranger will encrypt it using:
>
> if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
> String cryptConfigString = CRYPT_ALGO + ","
> + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," +
> + configValue;
> String encryptedPwd =
> PasswordUtils.encryptPassword(cryptConfigString);
>
> Problem is that all encryption parameters are stored next to password
> (encryption key and salt):
>
> | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 |
> 1 | 82 | password |
> PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLY
> Lo,1000,6IxJOOpoFsJXyLNjNf/M9Q==
>
> Even if I change default ones in
> $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site
> .xml,
> they will still be storred in db
>
> Is this know issue? Basically it means that password can be decrypted
> with little effort…
>
> Thanks,
> Adam Rempter
>
>
> ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia,
> VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą
> ING Business Shared Services B.V. spółka z ograniczoną
> odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul.
> Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru
> przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd
> Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy
> Krajowego Rejestru Sądowego pod numerem KRS 0000702305.
>
ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą ING Business Shared Services B.V. spółka z ograniczoną odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem KRS 0000702305.
Re: PD: Password encryption for service definitions
Posted by "Zs." <gz...@gmail.com>.
Hi,
The problem is that Ranger needs to know the password, to reach out to the
service, so it must store the password somewhere in a decryptable state.
Ideally, every service/protocol should support kerberos, so authentication
could work without passwords.
Regards,
Zsombor
On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam)
<ad...@ing.com.invalid> wrote:
> Hello there,
>
> While using Ranger I noticed that when I create service def with input
> property:
> {
> "itemId": 3,
> "name": "password",
> "type": "password",
> "subType": "",
> "mandatory": true,
> "validationRegEx": "",
> "validationMessage": "",
> "uiHint":"",
> "label": "Secret key"
> }
>
> Ranger will encrypt it using:
>
> if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
> String cryptConfigString = CRYPT_ALGO + ","
> + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + configValue;
> String encryptedPwd =
> PasswordUtils.encryptPassword(cryptConfigString);
>
> Problem is that all encryption parameters are stored next to password
> (encryption key and salt):
>
> | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 | 1 |
> 1 | 82 | password |
> PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLYLo,1000,6IxJOOpoFsJXyLNjNf/M9Q==
>
> Even if I change default ones in
> $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site.xml,
> they will still be storred in db
>
> Is this know issue? Basically it means that password can be decrypted with
> little effort…
>
> Thanks,
> Adam Rempter
>
>
> ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, VAT
> PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą ING
> Business Shared Services B.V. spółka z ograniczoną odpowiedzialnością
> Oddział w Polsce z siedzibą w Katowicach, ul. Konduktorska 35, 40-155
> Katowice, NIP: 2050005130, wpisana do rejestru przedsiębiorców Krajowego
> Rejestru Sądowego prowadzonego przez Sąd Rejonowy Katowice-Wschód w
> Katowicach, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego pod
> numerem KRS 0000702305.
>