zookeeper-user mailing list archives

From Andor Molnar <an...@cloudera.com.INVALID>
Subject Re: Digest auth with classic TCP transport
Date Thu, 27 Sep 2018 15:10:15 GMT
Right. It's plaintext.


On Thu, Sep 27, 2018 at 4:54 PM, Jan Høydahl <jan.asf@cominvent.com> wrote:

> I am *explicitly* asking about old-style 3.4.x socket protocol, not the
> new Netty transport which I know supports SSL.
>
> My original question was whether authentication credentials are passed in
> plaintext across the wire and are thus easy to pick up by an attacker.
> And if that is true, whether there are known ways of working around the lack of
> SSL support for the TCP transport.
>
> Martin Gainty, I cannot see how I can easily plug in TLS1.3 in my existing
> connection between client and Zookeeper 3.4.x, but if there is a simple way
> to do so then please share how you did it.
>
> The only solution I see, as we're stuck with 3.4.x, is to set up IPSec
> tunnels on OS level on all client/server traffic. I wanted to avoid that.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > On 27 Sep 2018 at 16:14, Andor Molnar <andor@cloudera.com.INVALID> wrote:
> >
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> >
> > SSL (client-server) has been added in 3.5.1
> > SSL server-server support is being reviewed on GitHub.
> >
> > Regards,
> > Andor
> >
> >
> >
> > On Thu, Sep 27, 2018 at 3:46 PM, Jan Høydahl <jan.asf@cominvent.com> wrote:
> >
> >> Hi,
> >>
> >>> if you're prevented from implementing SSL why not use TLSv1.3?
> >>
> >>
> >> I have not found any evidence that either the Zookeeper server or the (Java)
> >> client supports TLS in version 3.4.13. Please point me to some docs or tutorial.
> >> We don't want to fork Zookeeper to implement this stuff ourselves :)
> >>
> >> --
> >> Jan Høydahl, search solution architect
> >> Cominvent AS - www.cominvent.com
> >>
> >>> On 27 Sep 2018 at 15:17, Martin Gainty <mgainty@hotmail.com> wrote:
> >>>
> >>>
> >>> ________________________________
> >>> From: Jan Høydahl <jan.asf@cominvent.com>
> >>> Sent: Thursday, September 27, 2018 5:12 AM
> >>> To: user@zookeeper.apache.org
> >>> Subject: Digest auth with classic TCP transport
> >>>
> >>> Hi
> >>>
> >>> We use ZK 3.4.13, and unfortunately cannot use Netty transport and SSL.
> >>> We plan to use digest authentication and Zookeeper ACL protection.
> >>>
> >>> Question is, since we cannot use SSL, is there some other way to make
> >>> sure the user credentials are not sniffed over the network and thus let an
> >>> attacker impersonate our application and change the content in Zookeeper?
> >>> Does the Zookeeper client do some smart moves to protect/hash the password
> >>> over the network? I suppose the binary transport is easy to decipher for
> >>> those who try.
> >>>
> >>> MG>if you're prevented from implementing SSL why not use TLSv1.3?
> >>> MG>with TLSv1.3 you can implement encryption/decryption with crypto
> >>> private/public keys and x509 certs
> >>> https://en.wikipedia.org/wiki/Transport_Layer_Security
> >>> Transport Layer Security - Wikipedia<https://en.wikipedia.org/wiki/Transport_Layer_Security>
> >>> Transport Layer Security (TLS) – and its predecessor, Secure Sockets
> >>> Layer (SSL), which is now deprecated by the Internet Engineering Task Force
> >>> (IETF) – are cryptographic protocols that provide communications security
> >>> over a computer network. Several versions of the protocols find widespread
> >>> use in applications such as web browsing, email, instant messaging, and
> >>> voice over IP (VoIP).
> >>> en.wikipedia.org
> >>>
> >>>
> >>> MG>path of least resistance is to contact verisign and ask them to
> >>> generate keys, certs and allow them to act as CA
> >>> MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla
> >>> v60...and some versions of chrome
> >>> MG>as far as ciphers to prevent MIMA do not implement TLS_DH_anon and
> >>> TLS_ECDH_anon key agreement methods MG>do not authenticate the server
> >>> MG>you will want public key size to be min 2048bit to conform to chrome
> >>> secure transmission requirements
> >>> MG>securing message is done thru MD5 or SHA but you will need to
> >>> incorporate selected algo into
> >>> MG>supported cipher-suite(s)
> >>> https://en.wikipedia.org/wiki/Cipher_suite
> >>> Cipher suite - Wikipedia<https://en.wikipedia.org/wiki/Cipher_suite>
> >>> A cipher suite is a set of algorithms that help secure a network
> >>> connection that uses Transport Layer Security (TLS) or Secure Socket Layer
> >>> (SSL). The set of algorithms that cipher suites usually contain include: a
> >>> key exchange algorithm, a bulk encryption algorithm, and a message
> >>> authentication code (MAC) algorithm. The key exchange algorithm is used to
> >>> exchange a key between two devices.
> >>> en.wikipedia.org
> >>>
> >>>
> >>> HTH
> >>> Martin
> >>> --
> >>> Jan Høydahl
> >>> Cominvent AS - www.cominvent.com<http://www.cominvent.com>
> >>>
> >>
> >>
>
>
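The point Andor confirms above ("it's plaintext") follows from how ZooKeeper's `digest` scheme works: the ACL id stored on a znode is `user:base64(SHA-1(user:password))`, but the server can only recompute that hash if the client sends `user:password` itself in its auth packet, so the hashing protects the stored ACL, not the credential in transit. The following is an added illustration written for this page, not code from the thread or from ZooKeeper (whose own implementation is the Java class `DigestAuthenticationProvider`); it re-implements the digest computation and the server-side comparison in Python with constructed sample credentials.

```python
"""Illustration of ZooKeeper's 'digest' ACL scheme (added example, not ZooKeeper code)."""
import base64
import hashlib
from typing import Iterable


def generate_digest(id_password: str) -> str:
    """Compute the ACL id ZooKeeper stores for a digest user.

    Mirrors the behaviour of DigestAuthenticationProvider.generateDigest():
    split "user:password" at the first colon (a password may contain colons),
    SHA-1 the whole "user:password" string as UTF-8, base64 the 20 raw bytes,
    and return "user:<base64>". This value is what an admin puts in the ACL
    (e.g. via setAcl), so the znode never stores the plaintext password.
    """
    user, _sep, _password = id_password.partition(":")
    digest = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(digest).decode('ascii')}"


def server_side_check(wire_auth: bytes, acl_digest_ids: Iterable[str]) -> bool:
    """Model of what the server does with the bytes received in a digest auth packet.

    The server has no salt, nonce or challenge to work with: it hashes the
    received bytes exactly as generate_digest() does and compares the result
    with the digest ids on the znode's ACL. For that to work the client must
    transmit "user:password" as-is, which is why the classic (non-TLS) TCP
    transport exposes the credential to anyone who can observe the connection.
    """
    presented = generate_digest(wire_auth.decode("utf-8"))
    return presented in set(acl_digest_ids)


def demo() -> dict:
    """Constructed example: one ACL entry, one correct and one wrong login."""
    acl_ids = [generate_digest("app_user:s3cret-pass")]   # stored on the znode
    return {
        "acl_id": acl_ids[0],
        # what travels over the socket in the auth packet (no hashing applied)
        "on_the_wire": b"app_user:s3cret-pass",
        "accepted": server_side_check(b"app_user:s3cret-pass", acl_ids),
        "rejected": server_side_check(b"app_user:wrong-pass", acl_ids),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Because the stored id is an unsalted SHA-1 of the credential, the hash protects the ACL only against casual reading of znode metadata; confidentiality of the credential in flight has to come from the transport (TLS on the Netty transport in 3.5.1+, or a tunnel such as the IPsec approach Jan mentions for 3.4.x).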
