Passw3rd. Remember…
What is it?
• Cross-platform, cross-language password management for applications
• Keeps passwords out of code and configuration files, but keeps them in encrypted files that can be checked into version control
• Keys for dev/test can be checked in, but prod keys must be protected
Nerd stuff
• Uses openssl to generate an AES-128 key and IV
• The keys are stored in a location protected by OS access controls
• The password files are generated and store an encrypted version of the password
• Uses the cipher block chaining (CBC) mode of operation
• Bonus points: why not 256? Why create an IV?
Gotchas
• EACH WEB APPLICATION MUST RUN AS A SEPARATE USER
• But you already knew that
• Why? Because one application can read any password file owned by the same user/group/etc.
• Can’t protect from in-memory access
• Anyone can put a logger in and see the password…
Give me the run down
• Generate keys:
  $ passw3rd -g <path>
  generated keys in /Users/neil (creates .passw3rd-encryptionIV and .passw3rd-encryptionKey)
• Create a password file:
  $ passw3rd -e file_name <-p path> <-k path>
  Enter the password:
  Wrote password to /Users/neil/file_name
• Verify the password can be retrieved:
  $ passw3rd -d file_name <-p path> <-k path>
  The password is: asdf
Phase 1: Find Passwords
  development:
    adapter: mysql
    database: rails_development
    username: app_user
    password: my super secret password
Phase 1: Collect Passwords
  development:
    adapter: mysql
    database: rails_development
    username: app_user
    password: <%= get_password('app') %>
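A worked example of the mechanism the slides describe (AES-128-CBC, key and IV kept in two permission-protected files, one encrypted file per password, read back by a get_password call like the one in the ERB config). It is added illustration, my own code rather than passw3rd's, and the module, method and file names are assumptions; it also answers the "Why create an IV?" bonus point in the least flattering way: with one IV shared by every file, two equal passwords produce two identical files.

```ruby
require 'openssl'
require 'tmpdir'

# Illustrative re-implementation of the scheme on the slides: AES-128-CBC, a key
# and IV in two files that OS permissions protect, one encrypted file per
# password. File, module and method names are assumptions, not passw3rd's API.
module Passw3rdDemo
  CIPHER = 'AES-128-CBC'
  KEY_FILE = '.passw3rd-encryptionKey'
  IV_FILE  = '.passw3rd-encryptionIV'

  # Like `passw3rd -g <path>`: a random 16-byte key and IV, written 0600 so only
  # the owner (the application's dedicated OS user) can read them.
  def self.generate_keys(key_dir)
    cipher = OpenSSL::Cipher.new(CIPHER)
    File.open(File.join(key_dir, KEY_FILE), 'wb', 0600) { |f| f.write(cipher.random_key) }
    File.open(File.join(key_dir, IV_FILE), 'wb', 0600) { |f| f.write(cipher.random_iv) }
  end

  def self.load_keys(key_dir)
    [File.binread(File.join(key_dir, KEY_FILE)), File.binread(File.join(key_dir, IV_FILE))]
  end

  # Like `passw3rd -e name`: base64 ciphertext so the file diffs cleanly in git.
  # Because every file shares the same IV, equal passwords give equal files.
  def self.encrypt_password(name, password, pw_dir, key_dir)
    key, iv = load_keys(key_dir)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key, c.iv = key, iv
    File.write(File.join(pw_dir, name), [c.update(password) + c.final].pack('m0'))
  end

  # Like `passw3rd -d name` / get_password() in the ERB config above.
  def self.get_password(name, pw_dir, key_dir)
    key, iv = load_keys(key_dir)
    d = OpenSSL::Cipher.new(CIPHER).decrypt
    d.key, d.iv = key, iv
    d.update(File.read(File.join(pw_dir, name)).unpack1('m0')) + d.final
  end

  # Round trip in a scratch directory; returns [recovered_password, files_identical?]
  def self.demo(password = 'my super secret password')
    Dir.mktmpdir do |dir|
      generate_keys(dir)
      encrypt_password('app', password, dir, dir)
      encrypt_password('app_copy', password, dir, dir)
      [get_password('app', dir, dir),
       File.read(File.join(dir, 'app')) == File.read(File.join(dir, 'app_copy'))]
    end
  end
end
```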
Phase 2 CHANGE ALL PASSWORDS!!!!
Phase 3: Profit
• Need a password rotation?
• Fine, just create a new password file for the affected accounts
• Need a new server?
• Just make the keys part of your build script
• Need to rotate your key?
• Trivial, decrypt with the old, encrypt with the new
Wait, hold on a second, you can’t change… oh yeah, that sounds like a good idea…
Performance
  $ time ruby -e "require 'passw3rd'; X.times {Passw3rd::PasswordService.get_password('asdf')}"
• X = 100: 0.281s
• X = 1,000: 0.359s
• X = 10,000: 1.081s
• X = 100,000: 8.372s
• X = 1,000,000: 1m21.007s
This is without optimization: the file is opened and read during each iteration
Passw3rd Future Support
• Python
• .NET
• PHP
• <your language here>
• Passw3rd is an official OWASP project, so there is an entire community behind it
  https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About
Roadmap
• Key rotation script
• Multi-key support
• Load encrypted password files in memory for rapid sequential decryption
Go collect some underwear! http://www.itd.umich.edu/posters/
Credits
• Warren Liang for creating the project that inspired passw3rd
• Josh Drummond for using that project in innovative ways
• Joe Milora for the Spring configuration file code
Questions?
https://github.com/oreoshake/passw3rd
https://github.com/oreoshake/passw3rd_java
http://rubygems.org/gems/passw3rd
https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About