Passw3rd
Remember…
What is it?
• Cross-platform, cross-language password management for applications
• Keeps passwords out of code and configuration files, but keeps them in encrypted files that can be checked into version control
• Keys for dev/test can be checked in, but prod keys must be protected
Nerd stuff
• Uses openssl to generate an AES-128 key and IV
• The keys are stored in a location protected by OS access controls
• Password files are generated that store an encrypted version of the password
• Uses the cipher block chaining (CBC) mode of operation
• Bonus points: why not 256? Why create an IV?
Gotchas
• EACH WEB APPLICATION MUST RUN AS A SEPARATE USER
• But you already knew that
• Why? Because one application can read any password file owned by the same user/group/etc.
• Can’t protect from in-memory access
• Anyone can put a logger in and see the password…
Give me the run down
• Generate keys:
  $ passw3rd -g <path>
  generated keys in /Users/neil (creates .passw3rd-encryptionIV and .passw3rd-encryptionKey)
• Create a password file:
  $ passw3rd -e file_name <-p path> <-k path>
  Enter the password:
  Wrote password to /Users/neil/file_name
• Verify the password can be retrieved:
  $ passw3rd -d file_name <-p path> <-k path>
  The password is: asdf
Business model
Phase 1: Find Passwords
development:
  adapter: mysql
  database: rails_development
  username: app_user
  password: my super secret password
Phase 1: Collect Passwords
development:
  adapter: mysql
  database: rails_development
  username: app_user
  password: <%= get_password('app') %>
Phase 2
CHANGE ALL PASSWORDS!!!!
Phase 3: Profit
• Need a password rotation?
  Fine, just create a new password file for the affected accounts
• Need a new server?
  Just make the keys part of your build script
• Need to rotate your key?
  Trivial: decrypt with the old, encrypt with the new
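The whole scheme from the "Nerd stuff" and "Give me the run down" slides, the ERB database.yml from "Collect Passwords", and the key rotation from this slide, as one added Ruby example. This is not the passw3rd gem's own code: it uses Ruby's OpenSSL binding instead of shelling out to openssl, the module, method and file names are assumptions, and the real gem's file format differs. It runs entirely in a temp directory.

```ruby
require 'openssl'
require 'erb'
require 'fileutils'
require 'tmpdir'
require 'yaml'

# Minimal re-creation of the scheme the deck describes: an AES-128 key and IV
# held in files only the OS user can read, passwords stored as ciphertext in
# files that are safe to commit, an ERB config that decrypts at load time, and
# key rotation by decrypt-with-old / encrypt-with-new. Names are assumptions.
module Passw3rdDemo
  CIPHER   = 'AES-128-CBC'
  KEY_FILE = '.passw3rd-encryptionKey'
  IV_FILE  = '.passw3rd-encryptionIV'

  # Write a random key and IV (hex) with mode 0600: OS access control, not the
  # application code, is what keeps them private.
  def self.generate_keys(key_path)
    cipher = OpenSSL::Cipher.new(CIPHER)
    FileUtils.mkdir_p(key_path)
    { KEY_FILE => cipher.random_key, IV_FILE => cipher.random_iv }.each do |name, bytes|
      file = File.join(key_path, name)
      File.write(file, bytes.unpack1('H*'), perm: 0o600)
      File.chmod(0o600, file)
    end
  end

  def self.load_keys(key_path)
    [KEY_FILE, IV_FILE].map { |n| [File.read(File.join(key_path, n)).strip].pack('H*') }
  end

  # Equivalent of `passw3rd -e name`: encrypt and store base64 ciphertext.
  def self.write_password(name, plaintext, password_path, key_path)
    key, iv = load_keys(key_path)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = key
    cipher.iv  = iv
    FileUtils.mkdir_p(password_path)
    File.write(File.join(password_path, name), [cipher.update(plaintext) + cipher.final].pack('m0'))
  end

  # Equivalent of `passw3rd -d name` / get_password: decrypt a password file.
  def self.get_password(name, password_path, key_path)
    key, iv = load_keys(key_path)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.decrypt
    cipher.key = key
    cipher.iv  = iv
    data = File.read(File.join(password_path, name)).unpack1('m0')
    cipher.update(data) + cipher.final
  end

  # Key rotation: decrypt every file with the old key, re-encrypt with a new one.
  def self.rotate_keys(password_path, old_key_path, new_key_path)
    generate_keys(new_key_path)
    Dir.children(password_path).each do |name|
      plain = get_password(name, password_path, old_key_path)
      write_password(name, plain, password_path, new_key_path)
    end
  end

  # Binding for an ERB database.yml so `<%= get_password('app') %>` resolves.
  class ConfigContext
    def initialize(password_path, key_path)
      @password_path, @key_path = password_path, key_path
    end

    def get_password(name)
      Passw3rdDemo.get_password(name, @password_path, @key_path)
    end

    def render(template)
      ERB.new(template).result(binding)
    end
  end

  # Constructed config template, the same shape as the deck's database.yml.
  TEMPLATE = <<~YAML
    development:
      adapter: mysql
      database: rails_development
      username: app_user
      password: <%= get_password('app') %>
  YAML

  # End-to-end run in a temp dir; returns the facts worth checking.
  def self.demo
    Dir.mktmpdir do |dir|
      keys, new_keys, pw = %w[keys keys2 passwords].map { |d| File.join(dir, d) }
      generate_keys(keys)
      write_password('app', 'my super secret password', pw, keys)
      before = File.read(File.join(pw, 'app'))
      rotate_keys(pw, keys, new_keys)
      after = File.read(File.join(pw, 'app'))
      config = YAML.safe_load(ConfigContext.new(pw, new_keys).render(TEMPLATE))
      {
        password: config['development']['password'],
        ciphertext_changed_on_rotation: before != after,
        key_file_mode: File.stat(File.join(new_keys, KEY_FILE)).mode & 0o777,
        plaintext_in_password_file: File.read(File.join(pw, 'app')).include?('secret')
      }
    end
  end
end

puts Passw3rdDemo.demo.inspect if __FILE__ == $PROGRAM_NAME
```

Two things the run makes visible. First, the "in memory" gotcha from the deck: once `render` has run, the plaintext is in the process and anything with access to it (a logger, a debugger) sees it, which is why the separate-user rule matters. Second, because the deck's design keeps one fixed IV next to the key, CBC is deterministic here: two password files holding the same password will contain identical ciphertext, so an attacker who can read the files learns which accounts share a password even without the key. That is the practical answer to the "why create an IV?" bonus question: the IV only buys something when it is not reused.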
Wait, hold on a second, you can’t change… oh yeah, that sounds like a good idea…
Performance
$ time ruby -e "require 'passw3rd'; X.times { Passw3rd::PasswordService.get_password('asdf') }"
• X = 100: 0.281s
• X = 1,000: 0.359s
• X = 10,000: 1.081s
• X = 100,000: 8.372s
• X = 1,000,000: 1m21.007s
This is without optimization: the file is opened and read during each iteration.
Passw3rd Current Support
Passw3rd Future Support
• Python
• .NET
• PHP
• <your language here>
• Passw3rd is an official OWASP project, so there is an entire community behind it
https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About
Roadmap
• Key rotation script
• Multi-key support
• Load encrypted password files in memory for rapid sequential decryption
Go collect some underwear!
http://www.itd.umich.edu/posters/
Credits
• Warren Liang for creating the project that inspired passw3rd
• Josh Drummond for using that project in innovative ways
• Joe Milora for the Spring configuration file code
Questions?
https://github.com/oreoshake/passw3rd
https://github.com/oreoshake/passw3rd_java
http://rubygems.org/gems/passw3rd
https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About