Posted to users@tomee.apache.org by Alex Soto <as...@gmail.com> on 2015/11/03 14:01:27 UTC

Password Cipher and resources

Hi, I know that you can write something like:

VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA==

in a resources.xml file for setting an encrypted password. My concern is
that, since the password is decrypted using the decrypt method of the
PasswordCipher class and this method returns the value as a String, this
only works if the parameter is a String. This might be a problem because,
first of all, storing a (clear) password in a String is bad practice
because of memory dump attacks. And the second one is that if your library
requires a byte[] you need to do a transformation by calling getBytes,
which then means that there can be problems with Charsets.

Since the Cipher class always returns a byte[], should it not be better to
return byte[] in this method as well?

Alex.

Re: Password Cipher and resources

Posted by Alex Soto <as...@gmail.com>.
Great. I agree with you that it only fixes one part of the problem, but
security is about layers and adding fences to the field: add as many
protections as you can.

On Tue, 3 Nov 2015 at 17:40, Romain Manni-Bucau (<rm...@gmail.com>)
wrote:

> https://issues.apache.org/jira/browse/TOMEE-1651
>
> Side note: I know some security teams are kind of strict on this, but if
> you can dump the memory, char[] or String, you can do much more damage, so
> this only solves a very small part of the security risk you are exposed to
> if you fear it in your environment.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-11-03 7:16 GMT-08:00 Alex Soto <as...@gmail.com>:
>
> > Yes, we already discussed it, but I think that setting the return type
> > as String is more restrictive. Instead, and since Cipher returns a
> > byte[], it would be better in terms of security to return the byte[],
> > and if the setter that you are going to inject the value into takes a
> > String, then internally we can convert to String. With the current
> > implementation you have to go through String either way.
> >
> > For example MongoClient allows you to use a char[] (to avoid creating a
> > String). You can read more at
> > http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java
> >
> >
> > Alex.
> >
> > On Tue, 3 Nov 2015 at 15:05, Romain Manni-Bucau (<rmannibucau@gmail.com>)
> > wrote:
> >
> > > On 3 Nov 2015 05:01, "Alex Soto" <as...@gmail.com> wrote:
> > > >
> > > > Hi, I know that you can write something like:
> > > >
> > > > VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA==
> > > >
> > > > in a resources.xml file for setting an encrypted password. My concern
> > > > is that, since the password is decrypted using the decrypt method of
> > > > the PasswordCipher class and this method returns the value as a
> > > > String, this only works if the parameter is a String. This might be
> > > > a problem because, first of all, storing a (clear) password in a
> > > > String is bad practice because of memory dump attacks. And the second
> > > > one is that if your library requires a byte[] you need to do a
> > > > transformation by calling getBytes, which then means that there can
> > > > be problems with Charsets.
> > > >
> > > > Since the Cipher class always returns a byte[], should it not be
> > > > better to return byte[] in this method as well?
> > > >
> > >
> > > Think we discussed it already: String is mandatory for most resources.
> > > Nothing prevents you from having a setter with a String but no String
> > > field.
> > >
> > > Good point about raw byte[], which is not supported yet - never saw the
> > > need until now, only String and char[].
> > >
> > > > Alex.
> > >
> >
>

Re: Password Cipher and resources

Posted by Romain Manni-Bucau <rm...@gmail.com>.
https://issues.apache.org/jira/browse/TOMEE-1651

Side note: I know some security teams are kind of strict on this, but if you
can dump the memory, char[] or String, you can do much more damage, so this
only solves a very small part of the security risk you are exposed to if you
fear it in your environment.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-03 7:16 GMT-08:00 Alex Soto <as...@gmail.com>:

> Yes, we already discussed it, but I think that setting the return type as
> String is more restrictive. Instead, and since Cipher returns a byte[], it
> would be better in terms of security to return the byte[], and if the
> setter that you are going to inject the value into takes a String, then
> internally we can convert to String. With the current implementation you
> have to go through String either way.
>
> For example MongoClient allows you to use a char[] (to avoid creating a
> String). You can read more at
>
> http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java
>
>
> Alex.
>
> On Tue, 3 Nov 2015 at 15:05, Romain Manni-Bucau (<rmannibucau@gmail.com>)
> wrote:
>
> > On 3 Nov 2015 05:01, "Alex Soto" <as...@gmail.com> wrote:
> > >
> > > Hi, I know that you can write something like:
> > >
> > > VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA==
> > >
> > > in a resources.xml file for setting an encrypted password. My concern
> > > is that, since the password is decrypted using the decrypt method of
> > > the PasswordCipher class and this method returns the value as a String,
> > > this only works if the parameter is a String. This might be a problem
> > > because, first of all, storing a (clear) password in a String is bad
> > > practice because of memory dump attacks. And the second one is that if
> > > your library requires a byte[] you need to do a transformation by
> > > calling getBytes, which then means that there can be problems with
> > > Charsets.
> > >
> > > Since the Cipher class always returns a byte[], should it not be better
> > > to return byte[] in this method as well?
> > >
> >
> > Think we discussed it already: String is mandatory for most resources.
> > Nothing prevents you from having a setter with a String but no String
> > field.
> >
> > Good point about raw byte[], which is not supported yet - never saw the
> > need until now, only String and char[].
> >
> > > Alex.
> >
>

Re: Password Cipher and resources

Posted by Alex Soto <as...@gmail.com>.
Yes, we already discussed it, but I think that setting the return type as
String is more restrictive. Instead, and since Cipher returns a byte[], it
would be better in terms of security to return the byte[], and if the setter
that you are going to inject the value into takes a String, then internally
we can convert to String. With the current implementation you have to go
through String either way.

For example MongoClient allows you to use a char[] (to avoid creating a
String). You can read more at
http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java


Alex.

On Tue, 3 Nov 2015 at 15:05, Romain Manni-Bucau (<rm...@gmail.com>)
wrote:

> On 3 Nov 2015 05:01, "Alex Soto" <as...@gmail.com> wrote:
> >
> > Hi, I know that you can write something like:
> >
> > VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA==
> >
> > in a resources.xml file for setting an encrypted password. My concern is
> > that, since the password is decrypted using the decrypt method of the
> > PasswordCipher class and this method returns the value as a String, this
> > only works if the parameter is a String. This might be a problem because,
> > first of all, storing a (clear) password in a String is bad practice
> > because of memory dump attacks. And the second one is that if your
> > library requires a byte[] you need to do a transformation by calling
> > getBytes, which then means that there can be problems with Charsets.
> >
> > Since the Cipher class always returns a byte[], should it not be better
> > to return byte[] in this method as well?
> >
>
> Think we discussed it already: String is mandatory for most resources.
> Nothing prevents you from having a setter with a String but no String field.
>
> Good point about raw byte[], which is not supported yet - never saw the
> need until now, only String and char[].
>
> > Alex.
>

Re: Password Cipher and resources

Posted by Romain Manni-Bucau <rm...@gmail.com>.
On 3 Nov 2015 05:01, "Alex Soto" <as...@gmail.com> wrote:
>
> Hi, I know that you can write something like:
>
> VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA==
>
> in a resources.xml file for setting an encrypted password. My concern is
> that, since the password is decrypted using the decrypt method of the
> PasswordCipher class and this method returns the value as a String, this
> only works if the parameter is a String. This might be a problem because,
> first of all, storing a (clear) password in a String is bad practice
> because of memory dump attacks. And the second one is that if your library
> requires a byte[] you need to do a transformation by calling getBytes,
> which then means that there can be problems with Charsets.
>
> Since the Cipher class always returns a byte[], should it not be better to
> return byte[] in this method as well?
>

Think we discussed it already: String is mandatory for most resources.
Nothing prevents you from having a setter with a String but no String field.

Good point about raw byte[], which is not supported yet - never saw the need
until now, only String and char[].

> Alex.
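The two ideas the thread circles around, as an added illustration that is not TomEE code and not the project's PasswordCipher interface: a decrypt method that hands back a byte[] (Alex's request in the opening mail), converted to char[] with an explicit charset and wiped after use, plus a resource with a String setter but no String field (the pattern Romain describes). The class names ByteArrayPasswordCipher and VaultResource are hypothetical, AES-GCM with a throwaway key stands in for the Static3DES cipher named in the thread, and the sample secret is constructed for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical cipher (not TomEE's): decrypt() returns bytes so the caller chooses char[] or String and can wipe what it controls. */
public final class ByteArrayPasswordCipher {
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;

    public ByteArrayPasswordCipher(SecretKey key) { this.key = key; }

    /** Encrypts clear-text bytes to base64(iv || ciphertext || tag), the shape that would follow "cipher:<name>:" in resources.xml. */
    public String encrypt(byte[] clear) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(clear);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Decrypts to raw bytes; the caller owns the array and is expected to wipe it. */
    public byte[] decrypt(String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        return c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
    }

    /** Bytes to char[] with an explicit charset, never materialising a String on the way. */
    public static char[] toChars(byte[] clear) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(clear));
        char[] chars = new char[cb.remaining()];
        cb.get(chars);
        if (cb.hasArray()) Arrays.fill(cb.array(), '\0'); // the decoder's backing array also held the clear text
        return chars;
    }

    /** The charset problem Alex mentions: a bare getBytes() uses the JVM default, so the bytes differ between platforms. */
    public static void showCharsetPitfall(String password) {
        int utf8 = password.getBytes(StandardCharsets.UTF_8).length;
        int latin1 = password.getBytes(StandardCharsets.ISO_8859_1).length;
        System.out.println("UTF-8: " + utf8 + " bytes, ISO-8859-1: " + latin1 + " bytes; getBytes() silently picks one");
    }

    /** Hypothetical resource: a String setter (what the container injects) but only a char[] field, wiped on close(). */
    public static final class VaultResource implements AutoCloseable {
        private char[] vaultPassword;

        public void setVaultPassword(String injected) {
            this.vaultPassword = injected.toCharArray(); // the injected String itself still lives until GC
        }

        public char[] vaultPassword() { return vaultPassword; }

        @Override
        public void close() {
            if (vaultPassword != null) Arrays.fill(vaultPassword, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ByteArrayPasswordCipher cipher = new ByteArrayPasswordCipher(kg.generateKey());

        byte[] secret = "s3cr3t-pässword".getBytes(StandardCharsets.UTF_8); // constructed sample secret
        String stored = cipher.encrypt(secret);
        Arrays.fill(secret, (byte) 0);

        byte[] clear = cipher.decrypt(stored);
        char[] chars = toChars(clear);
        try {
            // hand `clear` to a byte[]-based API, or `chars` to a char[]-based one, here
            System.out.println("decrypted " + clear.length + " bytes / " + chars.length + " chars");
        } finally {
            Arrays.fill(clear, (byte) 0);
            Arrays.fill(chars, '\0');
        }
        showCharsetPitfall("pässword");

        try (VaultResource r = new VaultResource()) {
            r.setVaultPassword("only-if-the-setter-must-take-a-String"); // constructed value
            System.out.println("resource holds " + r.vaultPassword().length + " chars");
        }
    }
}
```

The point of returning byte[] rather than String is visible in main(): every buffer that held the clear text is zeroed in a finally block, which is impossible once the value has become an immutable String. The VaultResource class shows the compromise Romain suggests when the container can only inject a String: the String still exists until the garbage collector reclaims it, but the field the resource keeps for its lifetime is a wipeable char[]. The pitfall helper makes the charset point concrete: the same password yields a different number of bytes under UTF-8 and ISO-8859-1, so a cipher and a consumer that disagree on the default charset will disagree on the password.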