How to implement a secure static credential system in Java?

We recently had a security audit, and it revealed several flaws in the systems we have here. One of the challenges that has arisen as a result is that we need to update the credential system for our partners to make it more secure.

The "old" way of doing things was to generate a (bad) password, pass it to the partner together with an identifier, and then they would send that identifier and the base 64 encoding of this password with all their XML requests via https. Then we decrypt them and verify.

These passwords will not change (because then our partners would have to make changes in their code / config in order to change them, and coordinating password rollouts with hundreds of partners across several environments would be a nightmare), and they would not need to be entered by a person or be human-readable. I am open to changing this if a safer but relatively simple implementation exists for our partners.

This basically boils down to two things: I need a more secure way to generate passwords in Java, and a guaranteed secure way to transmit them.

I found several hand-written password generators, but nothing really stood out as a standard way to do this (maybe for a good reason). There may also be a safer way to transmit them than simply Base64-encoding them over https.


: XML SOAP-, XML. , , , .

+3
4

, , , . Base-64 hexadecimal , , , XML.

. , " ", . , , , 128 .

, , ( ).

Base-64 - :

  import java.security.SecureRandom;
  import java.util.Base64;

  SecureRandom rnd = new SecureRandom();
  /* Byte array length is a multiple of LCM(log2(64), 8) / 8 = 3, so the Base-64 output needs no '=' padding. */
  byte[] password = new byte[18];   // 18 bytes = 144 bits of entropy
  rnd.nextBytes(password);
  String encoded = Base64.getEncoder().encodeToString(password);   // java.util.Base64 (Java 8+)

, Base-64. (26 24), . ( 130 , 30 , .)

  import java.math.BigInteger;
  import java.security.SecureRandom;

  SecureRandom rnd = new SecureRandom();
  /* Bit length is a multiple of log2(32) = 5, so 130 bits fill 26 base-32 digits.
     Leading zero bits are not printed, so the string can occasionally be shorter than 26 characters. */
  String encoded = new BigInteger(130, rnd).toString(32);

SecureRandom , , , .

XML .

, , , . , XML . XML , , ? , ?

-, HTTPS, , , " " -. .

, HTTP. HTTPS, HTTP "Basic" authentication. SSL ( ).

HTTP. , SSL- SSL.


+6
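To tie the pieces of this answer together (SecureRandom for generation, Base-64 as a pure encoding rather than encryption, and HTTP Basic authentication over HTTPS as the transport), here is an added example that is not part of the original answer. It generates a 192-bit static secret per partner, stores only a SHA-256 hash of it on the server side (a fast hash is adequate because the secret is uniformly random, unlike a human-chosen password), verifies presented secrets in constant time, and builds and parses the `Authorization: Basic` header that carries the identifier and secret. The class name, the partner id `partner-42` and the in-memory store are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example (not from the original answer): static partner credentials
 *  generated with SecureRandom, stored hashed, verified in constant time. */
public final class PartnerCredentials {

    private static final SecureRandom RNG = new SecureRandom();
    /** 24 random bytes = 192 bits of entropy; 24 is a multiple of 3, so no '=' padding. */
    private static final int SECRET_BYTES = 24;

    /** Hypothetical store: partner id -> SHA-256 of the secret (never the secret itself). */
    private final Map<String, byte[]> hashedSecrets = new ConcurrentHashMap<>();

    /** Generate a fresh secret for a partner, remember its hash, and return the
     *  plaintext exactly once so it can be handed over out of band. */
    public String issue(String partnerId) {
        byte[] raw = new byte[SECRET_BYTES];
        RNG.nextBytes(raw);
        // URL-safe alphabet: safe to paste into config files, headers and XML attributes.
        String secret = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        hashedSecrets.put(partnerId, sha256(secret));
        return secret;
    }

    /** Verify a presented secret without leaking, through timing, how many
     *  leading bytes of the hash matched. */
    public boolean verify(String partnerId, String presented) {
        byte[] expected = hashedSecrets.get(partnerId);
        byte[] actual = sha256(presented);
        if (expected == null) {
            // Unknown partner: do a comparison anyway so the cost is the same as a known one.
            MessageDigest.isEqual(new byte[actual.length], actual);
            return false;
        }
        return MessageDigest.isEqual(expected, actual);
    }

    /** Build the HTTP Basic Authorization header value on the partner side. */
    public static String basicAuthHeader(String partnerId, String secret) {
        String pair = partnerId + ":" + secret;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /** Parse a Basic header on the server side; returns {id, secret} or null if malformed. */
    public static String[] parseBasicAuthHeader(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid Base-64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        PartnerCredentials store = new PartnerCredentials();
        String secret = store.issue("partner-42");            // constructed sample partner id
        String header = basicAuthHeader("partner-42", secret);
        String[] parsed = parseBasicAuthHeader(header);
        System.out.println("accepted: " + store.verify(parsed[0], parsed[1]));   // true
        System.out.println("rejected: " + store.verify("partner-42", "wrong"));  // false
    }
}
```

The Basic header is only as confidential as the channel carrying it, which is why the answer insists on HTTPS with a properly validated server certificate: a partner whose client skips certificate checks would hand the secret to anyone who can intercept the connection.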

SSL- ?

+1

, SSL - HTTPS - "" . , , , - , - .


0

I would give up the whole password approach and start using client certificates, which allow a two-way authenticated SSL connection.

You must create and sign an individual certificate for each client. In the SSL handshake, you request a client certificate and verify it. If this fails, the connection ends with status code 401.

Certificates can be revoked at any time by your side, making it easy to disconnect former customers.

Since all this happens in the handshake, before any communication, it is impossible to get data to the server without it.

0
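As an added example of the approach this answer recommends (this is not code from the answer's author), the following Java server socket presents its own certificate, requires every client to present a certificate chained to the partner CA, enables revocation checking so a certificate revoked for a former partner is rejected at the handshake, and reads the partner identity from the verified certificate's subject. The file names `server-keystore.p12` and `partner-ca-truststore.p12`, the password `changeit`, the port and the class name are assumptions made for the example; the truststore is assumed to hold only the CA(s) that sign partner certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not from the original answer): a server that requires a client
 *  certificate issued by the partner CA and checks revocation during the handshake. */
public final class MutualTlsServer {

    // Assumed file names and password for this example; real deployments read them from config.
    private static final String SERVER_KEYSTORE = "server-keystore.p12";        // server key + certificate
    private static final String PARTNER_CA_STORE = "partner-ca-truststore.p12"; // CA(s) that sign partner certs
    private static final char[] STORE_PASSWORD = "changeit".toCharArray();

    private static KeyStore loadPkcs12(String path) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, STORE_PASSWORD);
        }
        return store;
    }

    /** SSLContext that presents the server certificate and trusts only the partner CA. */
    public static SSLContext buildContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadPkcs12(SERVER_KEYSTORE), STORE_PASSWORD);

        // PKIX parameters with revocation checking on: a revoked partner certificate
        // fails the handshake. Revocation data comes from the certificate's CRL
        // distribution points and OCSP responder, enabled by the two properties below.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(loadPkcs12(PARTNER_CA_STORE), new X509CertSelector());
        pkix.setRevocationEnabled(true);
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Identify the partner from the subject of the verified leaf certificate. */
    public static String partnerIdFrom(SSLSession session) throws SSLPeerUnverifiedException {
        X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
        return leaf.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext();
        try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true);   // "need", not "want": no acceptable client cert, no session
            server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();  // throws SSLHandshakeException if the client cert is rejected
                    String partner = partnerIdFrom(client.getSession());
                    System.out.println("authenticated partner: " + partner);
                    // ... hand client.getInputStream() to the XML/SOAP layer, tagged with partner ...
                } catch (Exception e) {
                    System.err.println("rejected connection: " + e.getMessage());
                }
            }
        }
    }
}
```

Because the trust store contains only the partner CA, a certificate from any public CA is rejected even if it is otherwise valid; authorization then keys off the subject (or a serial number or SAN) of the presented certificate rather than off a shared secret, so there is nothing static to distribute or rotate besides the certificate itself.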

Source: https://habr.com/ru/post/1697218/
