[JBoss-user] [Persistence & CMP/JBoss] - Re: easiest way to encrypt a CMP field?
On your point #6: you can avoid passwords by using a so-called 'one-time password' scheme. In that case, the user usually calculates a one-time password using a trusted portable computing device such as a 'hardware token'. Then, if an attacker gets access to a particular one-time password, it will not be valid anymore since the user already used it.

mike

JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Persistence & CMP/JBoss] - Re: easiest way to encrypt a CMP field?
Hi Martin, most security experts tend to discourage "Security through Obscurity". Moreover, it doesn't take too many lines of code or too powerful a machine to perform a dictionary or brute-force crack of these passwords. Meaning, if I've gotten to your password store, you're already wide open. I'll just query the database, grab the passwords (even encrypted) and write about a 30-line Perl script that guesses until it gets it right. I'll just disassemble the class file, redeploy, and capture what the user types.

I'd instead encrypt any remote EJB calls using RMI+SSL, HTTP calls with SSL, etc. I'd put my datasource definitions in their own deploy directory with tight permissions. I'd put my authentication source somewhere locked down fairly tight. Prevent users from picking stupid passwords, etc. Heck, if you really want security, don't use passwords :-).

Ultimately, you want accountability; you need to know who did what and who had access to the information to leak it.
[JBoss-user] [Persistence & CMP/JBoss] - Re: easiest way to encrypt a CMP field?
Thanks Andrew - I'll take a look. After a bit of research, my current thoughts are:

1) Use JAAS - I need this anyway
2) Use JBoss DatabaseServerLoginModule
3) Encrypt password with MD5
4) Encrypt/decrypt other data with password-based encryption from JCE within ejbLoad/ejbStore

The only downside of 4) is that once I have created the secret key from the user's password, I have to keep that key in the user's session so I can encrypt/decrypt any data I need whilst they are logged in. This is okay so long as there are no memory dumps etc. I guess this is a normal scenario...

This way no one, not even the sysadmin, can read the sensitive data - right?

I just need the source to DatabaseServerLoginModule so I can do MD5 passwords - hopefully there's nothing in there to sink the plan.

Martin
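Martin's step 4 in code, as an added example that is not from the thread or from JBoss: a helper that derives the field key from the user's password once at login and seals/opens one CMP attribute, so an entity bean's ejbStore()/ejbLoad() can wrap the abstract CMP accessors with seal()/open(). It uses PBKDF2 plus AES-GCM in place of the older JCE PBE ciphers; the class and method names, and the per-user salt the caller must persist, are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (hypothetical class): field-level PBE for one CMP attribute, keyed from the user's password. */
public final class FieldCrypto {
    private static final int ITERATIONS = 100_000;   // slows dictionary attacks on the derived key
    private static final int IV_BYTES = 12;          // standard GCM nonce length
    private static final int TAG_BITS = 128;         // authentication tag: tampering is detected on open()
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    /** Derive once at login; keep only this object (not the password) in the session. Salt is per user, stored in the DB. */
    public FieldCrypto(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        this.key = new SecretKeySpec(raw, "AES");
    }

    /** Called from ejbStore(): plaintext field -> base64(iv || ciphertext || tag) for the CMP column. */
    public String seal(String plain) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                           // fresh IV per store; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Called from ejbLoad(): CMP column -> plaintext; throws AEADBadTagException on a wrong key or a modified row. */
    public String open(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }
}
```

Because the key exists only while the user is logged in, a forgotten password also means the sealed fields cannot be recovered by anyone, which is the trade-off Martin's "not even sysadmin" goal implies.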
[JBoss-user] [Persistence & CMP/JBoss] - Re: easiest way to encrypt a CMP field?
I'm not sure I think this is a good idea, but you can go look here: http://cvs.sourceforge.net/viewcvs.py/jboss/nukes/nukes/src/main/org/jboss/nukes/core/modules/user/UserModule.java?rev=1.29&view=markup

-Andy
[JBoss-user] [Persistence & CMP/JBoss] - Re: easiest way to encrypt a CMP field?
Yes, guessing that PostgreSQL does not support transparent encryption on the database server side, you'd have to implement this in your application. ejbLoad() and ejbStore() could be the key in an implementation where you'd extend the default behaviour of CMP. Check section 10.3.9 of the EJB 2.0 spec for details on ejbLoad/Store(). Of course you could always write some additional accessors that deal with encryption/decryption of attributes.
[JBoss-user] [Persistence & CMP/JBoss] - Re: easiest way to encrypt a CMP field?
Thanks for the responses so far. My database is PostgreSQL 7.4.1, and as well as passwords (MD5 noted), I also want to store other data that I need read+write access to. I'm still gaining EJB knowledge - do ejbStore and ejbLoad play a part in this?

Thanks again

Martin
[JBoss-user] [Persistence & CMP/JBoss] - Re: easiest way to encrypt a CMP field?
Regarding passwords, you can use one-way encryption (e.g. using MD5) and store/compare only the results.
[JBoss-user] [Persistence & CMP/JBoss] - Re: easiest way to encrypt a CMP field?
Hi Martin, the best way to keep your data safe in the DB is to encrypt or decrypt data using DB engine tools. Sybase SQL Anywhere does this, for example.

Jan