Tuesday, April 27, 2010

Don't hide the key under a rock

This project is about a little critique I have on the mini guide for Maven password encryption.


The guide under-states the security ramification of these measures. Which I think should be explicitly stated for a reader to attain the desired effect.

The article should stress that the 'encrypted' master password must be stored on a removable drive to attain a secure environment.

Why do I put encrypted within quotes? Because fact of the matter is that the master password is not encrypted, but simply encoded.
public void test1() throws Exception
String master = "{WR51wo2sI1QHlQM0MhI7AULqJXRZvtoppQsqdg74p08=}";

DefaultPlexusCipher cipher = new DefaultPlexusCipher();

String result = cipher.decryptDecorated(master, "settings.security");
assertEquals("Doh!", result);

This means that putting the master password in .m2/settings-security.xml would make your server password perfectly readable again.
public void test2() throws Exception
String master = "Doh!";
String pwd = "{fB3b7bF6RKUHOTcOH790i8jm4C4fIBM4BZ5UvXSTODk=}";

DefaultPlexusCipher cipher = new DefaultPlexusCipher();

String result = cipher.decryptDecorated(pwd, master);
assertEquals("Eeek!", result);

So without introducing an external factor (like an USB key) the mechanism is just as secure as your plain password in .m2/settings.xml.

To try this out on your own passwords, simply clone
git://github.com/wolfc/plexus-cipher-test.git [1], mvn assembly:assembly and do:
$ java -jar target/jboss-plexus-cipher-test-full.jar {WR51wo2sI1QHlQM0MhI7AULqJXRZvtoppQsqdg74p08=}
$ java -jar target/jboss-plexus-cipher-test-full.jar {fB3b7bF6RKUHOTcOH790i8jm4C4fIBM4BZ5UvXSTODk=} Doh\!

In short: take the rock with you (in which case you don't need the rock anyway ;-) ).

[1] http://github.com/wolfc/plexus-cipher-test