Encrypting the database password


#1

Hi,

I swear I’ve searched the Wiki, FAQs, mailing lists, etc., but I can’t
seem to find an answer to this.

I’m proposing using RoR for an admin app that by all accounts would be a
perfect candidate for this technology… but our operations staff is
nervous about the fact that the database password is stored in clear
text. They point out that in Weblogic (which is what they want us to
use), the password is encrypted.

Is there any way to make RoR use an encrypted password? This seems like
a pretty important consideration if RoR is going to be used in secure
production environments.

Thanks


#2

On 2/12/2005, at 11:23 AM, Marshall L. wrote:

> I’m proposing using RoR for an admin app that by all accounts would be a
> perfect candidate for this technology… but our operations staff is
> nervous about the fact that the database password is stored in clear
> text. They point out that in Weblogic (which is what they want us to
> use), the password is encrypted.

Think for a second. If the password is encrypted it must get
decrypted at some point. If it can be decrypted and someone breaks
into your system, do you really think you stand a gnat’s chance in hell
of keeping the password out of the hands of the attacker? You’re
better off making sure database.yml is readable only to the Rails
user, and making that user different from the web server’s user.
FastCGI is great at that.

In short, yes it can be done. It can be done easily. But it offers no
extra security. Once a machine is compromised you must assume that
all data on it has been taken; things like this only help clueless
administrators keep their heads in the clouds.


Phillip H.
WebGenius Programmer
removed_email_address@domain.invalid


#3

> a pretty important consideration if RoR is going to be used in secure
> production environments.
>
> Thanks

How would you encrypt it without having the secret password on the
system with it? What good would that do besides providing a layer of
obscurity?

I actually did this kind of thing in ASP.Net w/ the Data Protection
API. It’s basically a pki system built in to windows (for EFS) where
the server and each user has their own private key. Though, I’m not
sure what it did for my app besides making it a PITA to change the
password :)


rick
http://techno-weenie.net


#4

snacktime wrote:

> I really don’t know how weblogic encrypts the password. Is it really
> encrypting it in a way that is offering real protection, or is it just
> illusory? Where is the encryption key stored?

Weblogic encrypts the string using 3DES and its encryption key is hidden
somewhere inside the beast. I’m not entirely sure where. I just know
that it has its own encryption tool (see
http://e-docs.bea.com/wls/docs90/admin_ref/utils.html#1209592) that uses
a mysterious “encryption service.”

I realize that this is somewhat illusory – it’s better than having it
in plain text, but yes, if the app server is compromised, the database
isn’t far behind.

Incidentally, my company specializes in putting sensitive information
online.


#5

> Incidentally, my company specializes in putting sensitive information
> online.

I think I smell a plugin…


rick
http://techno-weenie.net


#6

On 12/1/05, Marshall L. removed_email_address@domain.invalid wrote:

> Is there any way to make RoR use an encrypted password? This seems like
> a pretty important consideration if RoR is going to be used in secure
> production environments.

I’m sure you are going to get a lot of answers on this…

I really don’t know how weblogic encrypts the password. Is it really
encrypting it in a way that is offering real protection, or is it just
illusory? Where is the encryption key stored?
With the way that rails works, encrypting the database password gets
you very little. In fact encrypting the database password gets you
very little no matter what platform you are using. If your system
really needs to be secure then you need to approach the problem from
an in-depth approach. Otherwise don’t put sensitive information
online to begin with.

I know that’s not what most operations types might like to hear, but
it’s what they should be told.

Chris


#7

I may not understand your question, but is the password not stored in
MySQL and not rails? If so, I know that MySQL can encrypt passwords,
and I think that is the default arrangement on 5.0. Rails can work
with that.

bruce


#8

Well, that was a much better answer than mine. I regret having
answered now (and I think I did miss your point). Perhaps Phillip
Hutchins is a “webgenius programmer”.

bruce balmer
not webgenius programmer


#9

One aspect of RoR database login and password management is that, I am
willing to bet in most sites, the developers know the database login and
password that RoR uses. This is a violation of Sarbanes-Oxley rules
that many of us will have to address sooner rather than later (and, in
theory, you can go to prison for not being duly diligent about it).


#10

On 12/1/05, Marshall L. removed_email_address@domain.invalid wrote:

> I realize that this is somewhat illusory – it’s better than having it
> in plain text, but yes, if the app server is compromised, the database
> isn’t far behind.
>
> Incidentally, my company specializes in putting sensitive information
> online.

A halfway decent checklist for securing web applications is the CISP
auditing checklist from the Visa site. It’s pretty basic and I’d
argue with a few of its methods, but it covers enough ground to be
useful.

Chris


#11

On 2/12/2005, at 1:56 PM, Bruce B. wrote:

> Well, that was a much better answer than mine. I regret having
> answered now (and I think I did miss your point). Perhaps Phillip
> Hutchins is a “webgenius programmer”.

Hah, doubt it. That’s just the company I work for, my mail client
defaults to that signature.

I still stand by my assertion that an encrypted password offers no
benefits over clear text when you’re facing a determined attacker,
and for a ‘casual’ break-in, file permissions will be better. Just
make sure the user that the application runs as doesn’t have any
login capabilities.


Phillip H.
removed_email_address@domain.invalid
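As an added example (not code from anyone in this thread), here is a small Ruby check for the permission-based advice in posts #2 and #11: database.yml readable only by the account Rails runs as, that account distinct from the web server's, and its login shell disabled. The account names and the temporary database.yml are constructed for the demonstration.

```ruby
require "etc"
require "tmpdir"

# Login shells that block interactive logins for a service account (assumed list).
NOLOGIN_SHELLS = %w[/usr/sbin/nologin /sbin/nologin /bin/false].freeze

# Inspect a database.yml the way the thread recommends: readable only by the
# account Rails runs as, and that account different from the web server's.
# Returns a list of findings; an empty list means the file looks right.
# `app_user` and `web_user` are assumed account names supplied by the caller.
def database_yml_findings(path, app_user:, web_user: nil)
  st = File.stat(path)
  mode = st.mode & 0o777
  owner = (Etc.getpwuid(st.uid).name rescue st.uid.to_s)
  findings = []
  findings << format("mode %04o lets group/other read it", mode) if (mode & 0o044) != 0
  findings << format("mode %04o lets group/other write it", mode) if (mode & 0o022) != 0
  findings << "owned by #{owner}, not #{app_user}" if owner != app_user
  findings << "app user and web server user are the same" if web_user && web_user == app_user
  findings
end

# True when the account's login shell prevents interactive logins.
def login_disabled?(shell)
  NOLOGIN_SHELLS.include?(shell)
end

# Constructed scenario: a throwaway database.yml, first left world-readable
# (the 0644 a fresh checkout typically has) and then locked down to 0600.
def demo
  me = (Etc.getpwuid(Process.uid).name rescue Process.uid.to_s)
  Dir.mktmpdir do |dir|
    path = File.join(dir, "database.yml")
    File.write(path, "production:\n  adapter: mysql\n  password: example\n")
    File.chmod(0o644, path)
    before = database_yml_findings(path, app_user: me, web_user: me)
    File.chmod(0o600, path)
    after = database_yml_findings(path, app_user: me, web_user: "www-data")
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts "before hardening: #{before.inspect}"
  puts "after hardening:  #{after.inspect}"
end
```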