Re: Mid-Tier sending cleartext passwords ?
There was also a problem with FB fields, where they would pass the username and pass in clear text to the mid-tier server, but this was fixed in 6.0.1p? through an aruser patch.

Axton Grams

On 6/4/07, Rick Cook <[EMAIL PROTECTED]> wrote:
> I know that MT 6.3 patch 16, I think, stopped the MT logs from displaying the login/pw in clear text. I thought that was the last significant hole.
>
> My question to the security guru would be "Which is it - clear text or simple algorithm?". I can understand security people never thinking that the encryption is strong enough - that's what they're paid to think. But looking at it from a practical matter, there's probably not a lot of people trying to crack Remedy authentication data, is there? Any encryption keeps out the amateurs, and any pro who gets as far as your Remedy data is indicative of larger security problems than one weak DES key.
>
> Rick
>
> -----Original Message-----
> From: Action Request System discussion list (ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Axton
> Sent: Monday, June 04, 2007 11:25 AM
> To: arslist@ARSLIST.ORG
> Subject: Re: Mid-Tier sending cleartext passwords ?
>
> I would not be surprised. There are a number of places where the username/password are handed off:
> - when user fills in login.jsp, the username/password is sent to the mid-tier server from the browser
> - when the mid-tier receives the username/password, it is sent to the arserver
> - when the arserver receives the username/password, it is sent to the ldap server (if using the area/ldap plugin)
>
> SSL only addresses the last hand-off. If you want to cover the first hand-off, use https instead of http. If you want to cover the second hand-off, force client based encryption. This still uses a simple algorithm to encrypt the password (DES). For stronger encryption, you can either (1) purchase the remedy encryption products, or (2) create a tunnel of your own.
>
> The encryption algorithm used for the free encryption is: 512-bit RSA algorithm with cipher block chaining for the public/private key pair. For the session key, it uses a DES (Data Encryption Standard) 56-bit algorithm.
>
> Axton Grams
>
> On 6/4/07, Christian Rom <[EMAIL PROTECTED]> wrote:
> > One of our corporate LDAP and security gurus just told me that Remedy 7 mid-tier may be sending passwords in cleartext or at least with a simple cipher algorithm.
> >
> > Does anyone know if this is correct ?
> >
> > I have the AREALDAP and ARDBC plug-ins configured for SSL, so I would expect all traffic to be encrypted.
> >
> > Rgds,
> >
> > Christian H. Rom
> > Schlumberger - Service Desk Engineering

___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
Re: Mid-Tier sending cleartext passwords ?
I know that MT 6.3 patch 16, I think, stopped the MT logs from displaying the login/pw in clear text. I thought that was the last significant hole.

My question to the security guru would be "Which is it - clear text or simple algorithm?". I can understand security people never thinking that the encryption is strong enough - that's what they're paid to think. But looking at it from a practical matter, there's probably not a lot of people trying to crack Remedy authentication data, is there? Any encryption keeps out the amateurs, and any pro who gets as far as your Remedy data is indicative of larger security problems than one weak DES key.

Rick

-----Original Message-----
From: Action Request System discussion list (ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Axton
Sent: Monday, June 04, 2007 11:25 AM
To: arslist@ARSLIST.ORG
Subject: Re: Mid-Tier sending cleartext passwords ?

I would not be surprised. There are a number of places where the username/password are handed off:
- when user fills in login.jsp, the username/password is sent to the mid-tier server from the browser
- when the mid-tier receives the username/password, it is sent to the arserver
- when the arserver receives the username/password, it is sent to the ldap server (if using the area/ldap plugin)

SSL only addresses the last hand-off. If you want to cover the first hand-off, use https instead of http. If you want to cover the second hand-off, force client based encryption. This still uses a simple algorithm to encrypt the password (DES). For stronger encryption, you can either (1) purchase the remedy encryption products, or (2) create a tunnel of your own.

The encryption algorithm used for the free encryption is: 512-bit RSA algorithm with cipher block chaining for the public/private key pair. For the session key, it uses a DES (Data Encryption Standard) 56-bit algorithm.

Axton Grams

On 6/4/07, Christian Rom <[EMAIL PROTECTED]> wrote:
> One of our corporate LDAP and security gurus just told me that Remedy 7 mid-tier may be sending passwords in cleartext or at least with a simple cipher algorithm.
>
> Does anyone know if this is correct ?
>
> I have the AREALDAP and ARDBC plug-ins configured for SSL, so I would expect all traffic to be encrypted.
>
> Rgds,
>
> Christian H. Rom
> Schlumberger - Service Desk Engineering
Re: Mid-Tier sending cleartext passwords ?
I would not be surprised. There are a number of places where the username/password are handed off:
- when user fills in login.jsp, the username/password is sent to the mid-tier server from the browser
- when the mid-tier receives the username/password, it is sent to the arserver
- when the arserver receives the username/password, it is sent to the ldap server (if using the area/ldap plugin)

SSL only addresses the last hand-off. If you want to cover the first hand-off, use https instead of http. If you want to cover the second hand-off, force client based encryption. This still uses a simple algorithm to encrypt the password (DES). For stronger encryption, you can either (1) purchase the remedy encryption products, or (2) create a tunnel of your own.

The encryption algorithm used for the free encryption is: 512-bit RSA algorithm with cipher block chaining for the public/private key pair. For the session key, it uses a DES (Data Encryption Standard) 56-bit algorithm.

Axton Grams

On 6/4/07, Christian Rom <[EMAIL PROTECTED]> wrote:
> One of our corporate LDAP and security gurus just told me that Remedy 7 mid-tier may be sending passwords in cleartext or at least with a simple cipher algorithm.
>
> Does anyone know if this is correct ?
>
> I have the AREALDAP and ARDBC plug-ins configured for SSL, so I would expect all traffic to be encrypted.
>
> Rgds,
>
> Christian H. Rom
> Schlumberger - Service Desk Engineering
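The point Axton makes in this post (and that Rick's reply quotes) is that the password crosses three separate hops, and a control on one hop says nothing about the others: Christian's LDAP SSL only covers the arserver-to-LDAP leg. The following Python script is an added illustration of that reasoning, not code from the thread or from Remedy. It models a deployment with three hypothetical settings (the login URL the browser posts to, the client-encryption mode between mid-tier and arserver, and whether the AREA/LDAP plug-in uses SSL; these field names are chosen for the example and are not real Remedy configuration keys), rates each hop, and lists the hops that still carry the password in the clear or under the free 56-bit DES scheme the thread describes.

```python
"""Per-hop audit of where a login password is exposed in a browser ->
mid-tier -> arserver -> LDAP chain.  Added example; the Deployment fields
are hypothetical names, not Remedy settings."""

from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Deployment:
    # Hypothetical description of a deployment (not real Remedy config keys).
    login_url: str          # URL the browser submits login.jsp to
    client_encryption: str  # "none", "free" (512-bit RSA + 56-bit DES), "premium", "tunnel"
    area_ldap_ssl: bool     # AREA/LDAP plug-in configured for SSL


# Ratings: "cleartext" (nothing), "weak" (the free DES-based scheme),
# "strong" (TLS, the premium product, or a separate tunnel).
def rate_browser_to_midtier(d: Deployment) -> str:
    # Hop 1 is protected only if the login form is served and posted over https.
    scheme = urlparse(d.login_url).scheme.lower()
    return "strong" if scheme == "https" else "cleartext"


def rate_midtier_to_arserver(d: Deployment) -> str:
    # Hop 2: client encryption must be forced; the free scheme wraps a 56-bit
    # DES session key under 512-bit RSA, which the thread itself calls simple.
    ratings = {"none": "cleartext", "free": "weak",
               "premium": "strong", "tunnel": "strong"}
    return ratings.get(d.client_encryption, "cleartext")


def rate_arserver_to_ldap(d: Deployment) -> str:
    # Hop 3 is the only one SSL on the AREA/LDAP plug-in covers.
    return "strong" if d.area_ldap_ssl else "cleartext"


HOPS = [
    ("browser -> mid-tier (login.jsp)", rate_browser_to_midtier,
     "serve and submit the login page over https"),
    ("mid-tier -> arserver", rate_midtier_to_arserver,
     "force client encryption; use the premium product or your own tunnel for strong protection"),
    ("arserver -> LDAP (AREA plug-in)", rate_arserver_to_ldap,
     "configure the AREA/LDAP plug-in for SSL"),
]


def audit(d: Deployment) -> list[dict]:
    """Return one finding per hop that is not strongly protected."""
    findings = []
    for name, rate, fix in HOPS:
        rating = rate(d)
        if rating != "strong":
            findings.append({"hop": name, "rating": rating, "fix": fix})
    return findings


def fully_protected(d: Deployment) -> bool:
    return not audit(d)


if __name__ == "__main__":
    # Constructed example matching Christian's situation: LDAP over SSL,
    # but plain http to the mid-tier and no client encryption.
    christian = Deployment("http://midtier.example.com/arsys/shared/login.jsp",
                           "none", True)
    for f in audit(christian):
        print(f"{f['hop']}: {f['rating']} -> {f['fix']}")
    # After following the thread's advice end to end:
    fixed = Deployment("https://midtier.example.com/arsys/shared/login.jsp",
                       "tunnel", True)
    print("fully protected:", fully_protected(fixed))
```

Run as a script it prints the two exposed hops for the first deployment and `fully protected: True` for the second; the `audit` function is the piece worth reusing, since it returns structured findings rather than text.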