Security concerns with security of servoy.properties?

Questions and answers for all installation-related topics for Servoy products

Post by swingman » Thu Aug 31, 2006 1:04 am

What about adding a checkbox in Servoy Server Admin to store passwords encrypted instead of as clear text?
Christian Batchelor
Certified Servoy Developer
Batchelor Associates Ltd, London, UK
http://www.batchelorassociates.co.uk

http://www.postgresql.org - The world's most advanced open source database.

Post by ROCLASI » Thu Aug 31, 2006 10:22 am

swingman wrote: What about adding a checkbox in Servoy Server Admin to store passwords encrypted instead of as clear text?

The point that Jan Blok raised is that you need to encrypt it with a key. So where do you store that key?
Fill it in when you start Servoy Server?
Or have Servoy encrypt it with a default key? Not very secure.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.

Post by Jan Blok » Thu Aug 31, 2006 5:28 pm

Exactly, but we made an improvement after all in the upcoming Servoy 3.0 rc4; it is vastly safer, but not absolutely secure.
In the property file we now encrypt the values for the keys containing the string "password" with keystore keys (can be the default SSL one).

So now the db-admin can enter the db passwords in the adminpage, without the system/server admin ever knowing the db passwords.
Jan Blok
Servoy

Post by Jan Aleman » Thu Aug 31, 2006 8:38 pm

alb wrote: In many scenarios division of administrative function is one of the key tenets of security and audit in a government scenario. Why wouldn't it be possible for the servoy.properties to be encrypted and decrypted with the Java keystore that Servoy already uses? Then the keystore could be set up by the information administrator (i.e. the person with legal access to the data) and the password on the keystore (which is not stored in plain text) would prevent browsing by non-authorised admins? I set up the keystore on a server last night and it took me about 5 minutes.
Just a thought.

If plain text is not a problem why does no other app/OS store it that way? Why not just store the passwords for the entire server in plain text? After all only the really trustworthy admin will ever see them so what could be the problem? I think you need to get a little more paranoid (or maybe I am too paranoid).

I'm going to follow up with our security advisor and Defence Signals and will post back to this list when I get an answer. (and accept with good grace if I am wrong).
Al.


Well, there's a major difference between storing an OS password and a database password! An OS password is stored using one-way encryption: when you log in, whatever you type in is encrypted and compared to what is stored. Obviously this isn't possible with passwords in the property file, as they have to log in to the database server. To store those passwords securely there are only two really secure possibilities: one is to key in the passwords every time you fire up your Servoy application, and the second is to make sure your file is in a secure location. The first one is not very convenient and the latter one is what we already support. The solution you suggest is not secure.
Jan Aleman
Servoy

Post by antonio » Thu Aug 31, 2006 11:43 pm

jaleman wrote: To store those passwords securely there are only two really secure possibilities: one is to key in the passwords every time you fire up your Servoy application, and the second is to make sure your file is in a secure location. The first one is not very convenient and the latter one is what we already support.

There are situations where the inconvenience of entering a password to open a DB is exactly what is required. For my customers, I routinely require them to log in to the UI with a password, to establish permissions to access different parts of the solution. I also require the same level of security for accessing the SQL db, whether it's through the Servoy UI, or direct queries on the db. With Servoy, I don't currently have that, though the new feature in Servoy 3.0 rc4 is a big improvement.

It would be brilliant to optionally secure the db by requiring a user to enter a password - stored in Servoy as a one-way hash and not in plain text for prying eyes to find.
Tony
Servoy 8 - 2022.03 LTS

Post by bcusick » Fri Sep 01, 2006 9:04 pm

In 3.0RC4 we're planning to encrypt the password in the properties file so it's not human-readable.
Bob Cusick

Post by antonio » Fri Sep 01, 2006 10:04 pm

Yup, noted, that's a great improvement.
Tony
Servoy 8 - 2022.03 LTS

Post by alb » Sat Sep 02, 2006 2:31 am

I talked to our security guys and they confirmed that *everyone is right* :lol:
If someone is an admin on the box then there is always a way they can get around anything you put in place - for example they can copy the entire database off to somewhere else and brute force it in their own time... for really (spook) secure systems they use multiple tokens etc etc
*but*
it is not best practice to leave passwords in plain text on any system as it makes compromising the data just so much easier without much effort or any audit trail
*so*
encrypting the passwords in 3.0 RC4 is a great improvement in system integrity and makes the system conform to accepted standards for most IT (non-military) systems.
Thanks to all for the contributions.

We will utilise the 3.0RC4 in our future developments in Servoy to take advantage of this improvement.
Regards
Al.

Post by ROCLASI » Sat Sep 02, 2006 1:41 pm

Jan Blok wrote: In the property file we now encrypt the values for the keys containing the string "password" with keystore keys (can be the default SSL one).

When you set up your database connections with the default keystore and later you decide to get your own SSL certificate, what happens with the already encrypted properties file?
You need to type in all the passwords again, or do you have a nice and easy migration procedure for this?
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.

Post by Jan Blok » Sat Sep 02, 2006 11:45 pm

Yes, you have to type them again.
Jan Blok
Servoy
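
An added illustration of the scheme discussed in this thread (not part of any post, and not Servoy's actual implementation): values whose key contains "password" are encrypted with a key that would normally come from the keystore, and a value encrypted under the old key fails to decrypt once the key is replaced, which is why the passwords have to be typed in again. AES-GCM, the `enc:` prefix, the property names and the in-memory keys standing in for keystore entries are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class PropertyPasswordCrypto {
    static final String PREFIX = "enc:"; // hypothetical marker for encrypted values

    static String encrypt(SecretKey key, String plain) throws GeneralSecurityException {
        byte[] iv = new byte[12]; // fresh random nonce per value
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = java.nio.ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(SecretKey key, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    // Encrypt every still-plain value whose key contains "password".
    static void protect(Properties p, SecretKey key) throws GeneralSecurityException {
        for (String name : p.stringPropertyNames()) { // snapshot, safe to modify p
            String v = p.getProperty(name);
            if (name.toLowerCase().contains("password") && !v.startsWith(PREFIX))
                p.setProperty(name, encrypt(key, v));
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        SecretKey oldKey = kg.generateKey(); // stand-in for the original keystore entry
        SecretKey newKey = kg.generateKey(); // stand-in for the entry after a key change
        Properties p = new Properties();     // constructed sample, not a real servoy.properties
        p.setProperty("db.main.user", "DBA");
        p.setProperty("db.main.password", "example-pass");
        protect(p, oldKey);
        System.out.println("old key: " + decrypt(oldKey, p.getProperty("db.main.password")));
        try {
            decrypt(newKey, p.getProperty("db.main.password"));
        } catch (AEADBadTagException e) { // ciphertext was made with the old key
            System.out.println("new key: cannot decrypt, password must be re-entered");
        }
    }
}
```

A migration would have to decrypt every value with the old key and re-encrypt it with the new one before the old key is discarded; the thread confirms that no such procedure was offered.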

Post by ROCLASI » Tue Sep 05, 2006 10:21 am

Thanks, I just wanted to clear that up here on the forum because I am certain this will generate a lot of questions when people start changing keys.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.

Post by pbakker » Wed Sep 06, 2006 2:09 pm

This new feature of encrypted passwords is nice, but the OS administrator can still start up the server with stacktrace on, and then all non-encrypted connection data, including the DB passwords, is still shown in the console and written to the logfile.

Paul

Post by Jan Blok » Wed Sep 06, 2006 2:25 pm

I'm not sure if any drivers do log this ... but if they do ... well there are more reasons explained why I said it's "much safer" but not absolutely secure.
Someone with bad intentions can get far when having access at the server itself.
Jan Blok
Servoy

Post by pbakker » Wed Sep 06, 2006 2:31 pm

Looks to me Servoy does the logging, but I might be wrong:

2006-09-06 10:16:21,937 DEBUG [TaskExecuter[0]] com.servoy.j2db.util.Debug - driver=com.sybase.jdbc2.jdbc.SybDriver@d0570e
2006-09-06 10:16:21,937 DEBUG [TaskExecuter[0]] com.servoy.j2db.util.Debug - url=jdbc:sybase:Tds:localhost:2638?ServiceName=servoy_repository&CHARSET=utf8
2006-09-06 10:16:21,937 DEBUG [TaskExecuter[0]] com.servoy.j2db.util.Debug - connectionProperties={user=DBA, password=SQL}


Paul

Post by Jan Blok » Wed Sep 06, 2006 2:56 pm

Good point! Will be corrected in Servoy 3.0 rc5.
Jan Blok
Servoy
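
An added example (not part of any post, and not Servoy's code) of the fix direction for the log lines pbakker quoted: mask secret values before connection data reaches a logger, and flag log lines that still carry a clear-text password. The class name, the list of secret key names and the `&password=` URL parameter are assumptions; the user, password and URL values reuse the log output shown above.

```java
import java.util.*;
import java.util.regex.*;

public class ConnectionLogRedactor {
    static final String MASK = "****";
    // Property names treated as secret (assumed list; extend for your drivers).
    static final Pattern SECRET_NAME = Pattern.compile("(?i).*(password|passwd|pwd).*");
    // name=value pairs as they appear in URLs and in Properties.toString() output.
    static final Pattern SECRET_PAIR =
        Pattern.compile("(?i)((?:password|passwd|pwd)=)([^,}&;\\s]*)");

    /** Loggable copy of the connection properties with secret values masked. */
    static Map<String, String> redact(Properties props) {
        Map<String, String> safe = new TreeMap<>();
        for (String name : props.stringPropertyNames())
            safe.put(name, SECRET_NAME.matcher(name).matches() ? MASK : props.getProperty(name));
        return safe;
    }

    /** Masks credentials embedded in a JDBC URL or any other free-form string. */
    static String redactText(String text) {
        return SECRET_PAIR.matcher(text).replaceAll("$1" + MASK);
    }

    /** Detection side: true if a log line still carries a clear-text secret. */
    static boolean leaksSecret(String logLine) {
        Matcher m = SECRET_PAIR.matcher(logLine);
        while (m.find())
            if (!m.group(2).isEmpty() && !m.group(2).equals(MASK)) return true;
        return false;
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // values taken from the log excerpt in the thread
        p.setProperty("user", "DBA");
        p.setProperty("password", "SQL");
        // URL from the excerpt with a constructed password parameter appended
        String url = "jdbc:sybase:Tds:localhost:2638?ServiceName=servoy_repository&password=SQL";
        String leaky = "connectionProperties=" + p;         // shape of the DEBUG line
        String fixed = "connectionProperties=" + redact(p); // what should be logged instead
        System.out.println(leaky + " -> leak=" + leaksSecret(leaky));
        System.out.println(fixed + " -> leak=" + leaksSecret(fixed));
        System.out.println("url=" + redactText(url));
    }
}
```

Running `leaksSecret` over existing log files also shows which archived logs already contain database passwords and need to be purged or access-restricted.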
