Encrypting or Obfuscating Passwords

Unless encrypted, passwords in the configuration can be read by anyone who has access to the administration GUI, or who has access to the configuration files on disk that contain the passwords.

If you wish to have stronger protection you can either obfuscate or encrypt the passwords before placing them in the file.
Obfuscated passwords are passwords which are scrambled using a complicated bit-shifting algorithm. They appear to be unreadable, but anyone with access to the bit-shifting code can reverse the process and make the passwords readable again.
Encrypted passwords, however, are encrypted using an encryption key, and it is impossible to recover the password unless you have access to both the encryption key and the encrypted password.
Ceptor supports one method of obfuscation and 3 methods of encryption.

Obfuscation

Uses a proprietary bit-shifting mechanism that can be reversed.

168 bit Triple DES

Uses a 168 bit Triple DES key to encrypt the password. The same key is used for both encryption and decryption. Requires the key in “passwordUtils.3deskey”.

256 bit AES

Uses a 256 bit AES key to encrypt and decrypt the passwords. The same key is used for both encryption and decryption. Requires the key in “passwordUtils.aesKey”.

2048 bit RSA Private / Public Key

Uses the 2048 bit RSA private/public key algorithm. Separate keys are used for encryption and decryption, so you can allow certain people to encrypt passwords using the key in “passwordUtils.publickey” while they will not be able to decrypt any password unless they also have access to the private key stored in “passwordUtils.privatekey”.

Encrypting the password

Note that in order to support encrypted passwords (with JVMs older than 1.8 update 165), you will need to have the “Unlimited Strength JCE Policy files” installed in your Java VM – these files are obtainable from where you download your JVM, e.g. java.sun.com.

To encrypt the password, execute “java dk.itp.security.utils.PasswordUtils <password>”, replacing <password> with the password to encrypt. You will need PortalProtectAgent.jar in your classpath.
Below is an example of the output when the tool is run for the first time – here the keys are generated.

Ceptor Password obfuscation and encryption

Obfuscated password:     {encoded}BC817B5B1F2BC934
Generating Tripple DES key and saving it as passwordUtils.3deskey
Generating AES key and saving it as passwordUtils.aeskey
Generating 2048 bit RSA Keypair, and saving the keys as passwordUtils.privatekey and passwordUtils.publickey
3DES encrypted password: {3DES}EXohj8jIBmU79IQB2biNVA==
AES encrypted password:  {AES}Ld6S9xK7u53UrDbubaUCIw==
RSA encrypted password:  {RSA}eqMozuIXv1jsiYez5IyfawrFi6R8WmY8ZAq+PTyJJYCl3F85okFGMNk0oiobGEDCvRoz78At5pZfjaS38o64SU6K1TfmK4LsRNE77T/lOQw67Z4S2PNzlEw1MNd8zXA/8rBIrRLgzEoWS+jr20OUa1bYO3Yz/ICJhxY3YtJQVr54mvWWocM0rA7OQVJ65w0QgteZ6VSFIJndAwNH+L7UYVrEjdgOqC2IY+WuJaB60fqcPXqSrJVPU5ix4/xSErTJR3i6MEiTSEDGbN776Rfo8sU7FYqODXFvXw6LKfJgXa0EorYMilJIqJaMA5d7JJSMFXHkeUROuQL/omLNo1LVkA==

The following passwords are hashed and not encrypted - hashed passwords will not work in ceptor-configuration.xml but will work in ceptor-security.xml

BCRYPT hashed password: {bc}$2a$10$Hv8JBPMI1IokORd7pqr4kOLnPESkPyoaQ8TmD7QRf7Iyh0cbfZZt2
PBKDF2 hashed password: {pbkdf2}1000:3400e4b8d201e25b6acd61801a489adc4023df28763123eb1b044a8fdede:cee69f33d864b98962c65dda60ced4b2eca16be15fc11c30ff8878bf26bb
SHA-1 hashed password: {sha1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Subsequent runs will produce output similar to this:

Ceptor Password obfuscation and encryption

Obfuscated password:     {encoded}BC817B5B1F2BC934
3DES encrypted password: {3DES}EXohj8jIBmU79IQB2biNVA==
AES encrypted password:  {AES}Ld6S9xK7u53UrDbubaUCIw==
RSA encrypted password:  {RSA}OYPU45Br6Qg0n3Mz8YGSvwTWo20R++y4bd7GpXuBm0YEtV3pmv9b6eqZF2HPk/Itmg/FKYDU0pNXAiGOeXq7vq86zlGqKVdFkKJBva/gzwoO1nr4vCkT9Gms2m/FyCJehsGlPJj0UXNIWAAARS3ZqehmV1xN05IyMYvkmJN/VUK17n/AZO1M6oKvdEB+b70uy+CCoJ4zjvFYbvzEd6ZA47r+2r8SVsmu9c7tJa/ch7dVGqMSNGmzA+OMOn9Ly87o4fXWQOKB0rykz3QGMPnF3pMuGkhMBzQZYcw1QhCt3LRhWuro7KFO+ZQNgQeGE+xp8Se3tRpeAssoJKYi0ujcFw==

The following passwords are hashed and not encrypted - hashed passwords will not work in ceptor-configuration.xml but will work in ceptor-security.xml

BCRYPT hashed password: {bc}$2a$10$8i0spYfh7.R7j78jyhUj4OTmlPuOiQvs2baXfjH13xz.yEbIUw1wW
PBKDF2 hashed password: {pbkdf2}1000:8d0b454f9524fcdc5fd0a57adf67c32deb8057105d146985573278f019b9:f8dcd9f3c9408b772231b3c54c2f6dcf261dfb777495af54ca715b6baf93
SHA-1 hashed password: {sha1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

You can then copy and paste the corresponding encrypted value into your configuration.

You cannot in general use hashed passwords within Ceptor's XML configuration - Ceptor needs to be able to decrypt a password to use it against another party, and that is not possible with hashed passwords.

Hashed passwords, however, can be used to verify a real password against, so they are well suited for use in ceptor-security.xml.
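As an added example (not part of the Ceptor documentation or code base), a small Python audit that applies the rules above to a configuration fragment: it classifies each password value by the prefix PasswordUtils prints and flags plaintext values anywhere, plus hashed values in ceptor-configuration.xml. The XML element and attribute names are constructed for illustration only; nothing about Ceptor's real schema is assumed beyond the value prefixes shown on this page.

```python
import re
import xml.etree.ElementTree as ET

# Value prefixes exactly as printed by PasswordUtils in the output above.
REVERSIBLE = {"{encoded}", "{3DES}", "{AES}", "{RSA}"}  # Ceptor can recover the cleartext
HASHED = {"{bc}", "{pbkdf2}", "{sha1}"}                  # one-way, verification only

PREFIX_RE = re.compile(r"^(\{[A-Za-z0-9]+\})(.*)$", re.DOTALL)


def classify(value: str) -> str:
    """Return 'reversible', 'hashed', 'unknown-prefix' or 'plaintext' for one value."""
    m = PREFIX_RE.match(value.strip())
    if not m:
        return "plaintext"           # no {prefix}: stored in the clear
    prefix = m.group(1)
    if prefix in REVERSIBLE:
        return "reversible"
    if prefix in HASHED:
        return "hashed"
    return "unknown-prefix"


def audit(xml_text: str, config_file: str) -> list:
    """Report (element, attribute, problem) for every attribute whose name contains
    'password' (an assumed convention) that should not appear in config_file:
    plaintext anywhere, hashed values in ceptor-configuration.xml."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if "password" not in name.lower():
                continue
            kind = classify(value)
            if kind == "plaintext":
                findings.append((elem.tag, name, "plaintext password; obfuscate or encrypt it"))
            elif kind == "hashed" and config_file == "ceptor-configuration.xml":
                findings.append((elem.tag, name, "hashed value cannot be decrypted here"))
            elif kind == "unknown-prefix":
                findings.append((elem.tag, name, "unrecognised prefix"))
    return findings


# Constructed sample (not a real Ceptor file); the two prefixed values are copied from the tool output above.
SAMPLE = """<config>
  <datasource name="db" password="{AES}Ld6S9xK7u53UrDbubaUCIw=="/>
  <ldap name="dir" bindPassword="secret123"/>
  <agent name="a1" password="{bc}$2a$10$Hv8JBPMI1IokORd7pqr4kOLnPESkPyoaQ8TmD7QRf7Iyh0cbfZZt2"/>
</config>"""

if __name__ == "__main__":
    for tag, attr, msg in audit(SAMPLE, "ceptor-configuration.xml"):
        print(f"{tag}.{attr}: {msg}")
```

Run against ceptor-security.xml instead, the same fragment only reports the plaintext LDAP bind password, since hashed values are allowed there.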

Important Points to Remember

  • When Ceptor runs, it by default requires the key files to be in the current working directory – if you wish to place them elsewhere, set the system property “passwordUtils.keyfiledirectory” to point to another directory on your system.
  • Please note that the encryption is only worth doing if you protect access to the corresponding key files, e.g. by using file permissions to ensure that no unauthorized personnel are able to access the keys. Also take care to protect backups.
  • If you run in a cluster setup with multiple server instances, you will also need to ensure they all have access to the same key files, or they will not be able to decrypt the passwords.
  • If you choose not to use encryption but only obfuscation, you do not need to copy key files around.
  • If you only use one type of encryption, e.g. AES, you will only need the corresponding key file, e.g. “passwordUtils.aesKey”.
  • If you want to reuse the password encryption in your code, e.g. for your custom authentication plugins, call dk.itp.security.utils.PasswordUtils.getPassword("xxxx") with the encrypted or obfuscated password to retrieve the decrypted version.