zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <mgai...@hotmail.com>
Subject Re: Digest auth with classic TCP transport
Date Thu, 27 Sep 2018 13:17:28 GMT

________________________________
From: Jan Høydahl <jan.asf@cominvent.com>
Sent: Thursday, September 27, 2018 5:12 AM
To: user@zookeeper.apache.org
Subject: Digest auth with classic TCP transport

Hi

We use ZK 3.4.13, and unfortunately cannot use Netty transport and SSL.
We plan to use digest authentication and Zookeeper ACL protection.

Question is, since we cannot use SSL, is there some other way to make sure the user credentials
are not sniffed over the network and thus let an attacker impersonate our application and
cange the content in Zookeeper? Does the Zookeeper client do some smart moves to protect/hash
the password over the network? I suppose the binary transport is easy to decipher for those
who try.

MG>if you're prevented from implementing SSL why not use TLSv1.3?
MG>with TLSv1.3 you can implement encryption/decryption with crypto private/public keys
and x509 certs
https://en.wikipedia.org/wiki/Transport_Layer_Security
Transport Layer Security - Wikipedia<https://en.wikipedia.org/wiki/Transport_Layer_Security>
Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), which
is now deprecated by the Internet Engineering Task Force (IETF) – are cryptographic protocols
that provide communications security over a computer network. Several versions of the protocols
find widespread use in applications such as web browsing, email, instant messaging, and voice
over IP (VoIP).
en.wikipedia.org


MG>path of least resistance is to contact verisign and ask them to generate keys, certs
and allow them to act as CA
MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla v60...and some versions
of chrome
MG>as far as ciphers to prevent MIMA do not implement TLS_DH_anon and TLS_ECDH_anon key
agreement methods MG>do not authenticate the server
MG>you will want public key size to be min 2048bit to conform to chrome secure transmission
requirements
MG>securing message is done thru MD5 or SHA but you will need to incorporate selected algo
into
MG>supported cipher-suite(s)
https://en.wikipedia.org/wiki/Cipher_suite
Cipher suite - Wikipedia<https://en.wikipedia.org/wiki/Cipher_suite>
A cipher suite is a set of algorithms that help secure a network connection that uses Transport
Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites
usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message
authentication code (MAC) algorithm.. The key exchange algorithm is used to exchange a key
between two devices.
en.wikipedia.org


HTH
Martin
--
Jan Høydahl
Cominvent AS - www.cominvent.com<http://www.cominvent.com>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message