RE: How to Secure my Passwd Info from server.xml file?
Thanks Doug and Tim for the input.

-----Original Message-----
From: Parsons Technical Services [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 27, 2004 11:04 AM
To: Tomcat Users List
Subject: Re: How to Secure my Passwd Info from server.xml file?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to Secure my Passwd Info from server.xml file?
Cathy and list,

I have been running this one through my head and have a couple of hang-ups.

Since in this case tomcat is acting as the client, the use of an encrypted password would only work if you unencrypt it to send it. If the hacker can read the server.xml then he has access to the code that does the unencryption. Obfuscation would help here but not be totally secure.

As some of you know and others don't, the way an encrypted password works is this: When the password is set in the first place it is run through an algorithm that encrypts it. Then when you enter a password to access whatever, the system encrypts your input with the same algorithm and compares the results. If it matches then you're in.

Now since Tomcat is acting as a client, TOMCAT is SENDING the password attempt to be encrypted and compared. If it was a simple solution to unencrypt the password to send it, then the whole idea of encrypted passwords would be a waste in that everyone could simply unencrypt the password. The fundamental idea behind encrypted passwords is that they are very difficult to unencrypt. Most password crackers have a brute force section which simply encrypts every possible combination of characters and does the compare.

So the first line of defense is to prevent the person from getting to the file, as mentioned in other emails. If there are people that you do not trust with access to the protected files then your security policy has some major flaws in it. Locking the glovebox in a car is useless if you give the thief the keys to the ignition. And to ask it another way, do you lock the glovebox in your car just in case someone breaks in? So my point is lock the car first (protect the file). If they break into the car (hack the box/file), then you have much bigger problems than this password. If they have the key and you don't trust them, take away the key!

The best place to put a password is in plain sight. If you want a little trickery to mess with their mind then try this. Simply create a password that appears to be encrypted. As noted in an email on this thread from Tim Funk, "just security through obscurity."

JSO97J6HH4VHT3FFC92K39K

Now enter that as the password in the database. Most people looking at this will think it is encrypted and second would find it very hard to remember. For applications such as this, always use the maximum length of password and create it from random strokes. You don't have to remember it so it doesn't matter.

Just my $0.02 worth. Sorry for the long rant, just had to get it off my chest.

Doug

----- Original Message -----
From: "Cathy Hui" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, March 26, 2004 5:16 PM
Subject: RE: How to Secure my Passwd Info from server.xml file?

> I probably didn't state my question more clearly.
>
> What I actually want to encrypt is the dblogin passwd, not the user
> login to tomcat. Is there a way to do that?
>
> Thanks for the reply!
>
> Cathy
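The one-way check Doug describes above, worked through as an added Python example (this is not code from the thread or from Tomcat). PBKDF2-HMAC-SHA256 stands in for his "algorithm that encrypts it"; the `Database` class, `set_password`, `verify_password` and `client_connects` are constructed for the illustration, and the account name and password are the `myuser` / `mypassword` values from Cathy's server.xml. The point it makes is the one in the post: the database side only ever stores and compares a digest, while the connection pool is a client and has to present the real password, so storing a digest in server.xml is not an option (the digest is not a valid credential).

```python
"""Added example (not from the thread): the one-way password check Doug
describes, and why it does not help for a credential Tomcat must present."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for the example; tune for your hardware


def set_password(password, salt=None):
    """Server side, step 1: run the password through a one-way algorithm and
    store only the result (random salt + PBKDF2-HMAC-SHA256 digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored, attempt):
    """Server side, step 2: run the attempt through the same algorithm and
    compare the results in constant time; the stored value is never reversed."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class Database:
    """Constructed stand-in for the database server: it keeps only the
    one-way hash of the pooling account's password and checks attempts."""

    def __init__(self, username, password):
        self.accounts = {username: set_password(password)}

    def login(self, username, attempt):
        stored = self.accounts.get(username)
        return stored is not None and verify_password(stored, attempt)


def client_connects(db, username, secret_from_server_xml):
    """Tomcat's side: the connection pool is a client, so whatever is in
    server.xml is sent as the attempt and must be the real password."""
    return db.login(username, secret_from_server_xml)


def demo():
    """Walk through the three cases; returns the outcome of each."""
    db = Database("myuser", "mypassword")  # values from the thread's server.xml
    stored_hash = db.accounts["myuser"]
    return {
        # the plaintext credential the pool has to hold
        "plaintext_works": client_connects(db, "myuser", "mypassword"),
        # putting the digest in server.xml instead does not log in
        "hash_as_credential_works": client_connects(db, "myuser", stored_hash),
        # a brute-force attempt is checked the same way as any other
        "wrong_password_works": client_connects(db, "myuser", "guess"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Only the database ever needs the digest; the client end of the connection has no such option, which is why the thread's answers fall back to protecting the file rather than transforming its contents.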
Re: Re: How to Secure my Passwd Info from server.xml file?
I am working on something similar to this. I need the password that will unlock a PKCS12 file, and what I have done is embed tomcat in a C application. I have the C code prompt for the password, and then pass the password to the JVM via the Invocation API. Since Java has no good way of reading in a password from a terminal that I know of, this was the only solution that I could come up with.

On a side note, I have only gotten this to work with the tomcat 4.x series. So if anyone can offer some help with regards to embedding tomcat 5.x, I would appreciate it.

On another note, if anyone knows of a better way to handle the password entry problem, please let me know. I think a few people have issues with passwords in the clear, no matter what the permissions of the file are.

thank you.

---Original Message---
> From: Tim Funk <[EMAIL PROTECTED]>
> Subject: Re: How to Secure my Passwd Info from server.xml file?
> Sent: 27 Mar 2004 14:02:48
Re: How to Secure my Passwd Info from server.xml file?
No there is no way currently. The problem is the password needs to be decoded and no method to do this securely has been proposed. Other vendors might do this but they probably just use a proprietary encoding algorithm which is just security through obscurity.

The recommended workaround now is:
1) Custom realm - so your implementation encryption can be a "secret"
2) Make server.xml read-only for the userid needing to run tomcat and let no one have access to that box with that ID

-Tim

Cathy Hui wrote:
> I probably didn't state my question more clearly.
>
> What I actually want to encrypt is the dblogin passwd, not the user
> login to tomcat. Is there a way to do that?
>
> Thanks for the reply!
>
> Cathy
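Tim's second recommendation (the file holding the credential readable only by the account that runs Tomcat) and the approach in the reply that quotes him (prompt for the secret at startup instead of keeping it on disk) as one added Python example; this is not code from the thread, from Tomcat, or from the poster's C embedding. `audit_secret_file`, `load_db_password` and `demo` are constructed for the illustration, the mode/owner rule (owner only, no group or other bits, no symlink) is the assumed policy, and `mypassword` is the value from Cathy's server.xml. The check is the kind of startup guard a service can run before it trusts a credential file; the demo builds a temporary file, locks it down, then loosens it to show the refusal.

```python
"""Added example (not from the thread): refuse to use a credential file that
is readable beyond the service account, and prefer obtaining the secret at
startup so nothing has to sit in a config file at all."""
import getpass
import os
import stat


def audit_secret_file(path, expected_uid=None):
    """Return a list of problems with a file that holds a credential.
    An empty list means: not a symlink, owned by expected_uid (default: the
    effective user running this process), and no group/other permission bits
    (mode 0600 or tighter). This is the assumed policy for the example."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    problems = []
    st = os.lstat(path)  # lstat so a symlink is reported rather than followed
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symbolic link; refusing to follow it")
        return problems
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"mode {stat.S_IMODE(st.st_mode):04o} grants access beyond the owner"
        )
    return problems


def load_db_password(path=None, env_var="DB_PASSWORD", prompt=False):
    """Resolve the database password, in order of preference:
    1. an interactive prompt at startup (nothing written to disk), the idea
       behind the embedded-Tomcat approach in the thread;
    2. an environment variable handed over by whatever starts the service;
    3. a file that passes audit_secret_file (Tim's read-only-for-the-userid).
    Raises PermissionError instead of reading an exposed file."""
    if prompt:
        return getpass.getpass("Database password: ")
    if env_var and env_var in os.environ:
        return os.environ[env_var]
    if path is None:
        raise ValueError("no password source configured")
    problems = audit_secret_file(path)
    if problems:
        raise PermissionError(f"{path}: " + "; ".join(problems))
    with open(path) as fh:
        return fh.read().strip()


def demo():
    """Constructed walk-through on a temporary file; returns the outcomes."""
    import tempfile

    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "db.secret")
    with open(path, "w") as fh:
        fh.write("mypassword\n")  # value from the thread's server.xml
    os.chmod(path, 0o600)  # owner-only, the state Tim recommends
    results = {
        "locked_down": audit_secret_file(path),
        "loaded": load_db_password(path, env_var=None),
    }
    os.chmod(path, 0o644)  # the exposure Tim warns about
    results["exposed"] = audit_secret_file(path)
    try:
        load_db_password(path, env_var=None)
        results["refused"] = False
    except PermissionError:
        results["refused"] = True
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Failing closed on a loose mode is the useful part: a deployment that accidentally ships the file world-readable stops at startup with a clear message rather than running for months with the credential exposed. The permission check does not change the fact Doug raises, that whoever can read the file as the service user still gets the password; it narrows who that is.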
RE: How to Secure my Passwd Info from server.xml file?
I probably didn't state my question more clearly.

What I actually want to encrypt is the dblogin passwd, not the user login to tomcat. Is there a way to do that?

Thanks for the reply!

Cathy

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 25, 2004 10:49 AM
To: Tomcat Users List
Subject: RE: How to Secure my Passwd Info from server.xml file?

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
RE: How to Secure my Passwd Info from server.xml file?
Hi,

No, you have to write a custom realm for this. A couple of others have asked in the past, so you may wish to search the archives to see if they posted their solutions.

If you come up with something nice and generic, it'd be a nice donation to tomcat ;)

Yoav Shapira
Millennium Research Informatics

>-----Original Message-----
>From: Cathy Hui [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, March 25, 2004 1:41 PM
>To: [EMAIL PROTECTED]; tomcat-user-[EMAIL PROTECTED]; [EMAIL PROTECTED]; tomcat-[EMAIL PROTECTED]
>Subject: How to Secure my Passwd Info from server.xml file?
>
>I am trying to solve a security issue with my webapp. We are using
>tomcat's connection pooling for our webapp. The database username and
>password are specified in the server.xml file (as shown below).
>
>Is there a way to encrypt the password, and tomcat should decrypt the
>password before establishing the database connection. We are trying to
>do this without changing the tomcat code itself. Is it a setting in
>tomcat, or is there a 3rd party software?
>
>Any suggestions/solutions are appreciated. Thanks
>
>    type="javax.sql.DataSource"/>
>
>    username
>    myuser
>
>    password
>    mypassword
>
>Thanks!