[MDSAL-680] Node credential storage encryption Created: 27/Jul/21  Updated: 13/Oct/22  Resolved: 13/Oct/22

Status: Resolved
Project: mdsal
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Medium
Reporter: ercan-101@hotmail.com Assignee: Oleksandr Panasiuk
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Dear colleague,

I would like to understand the encryption mechanism to store node data (login password) stated in netconf-node-topology.yang file.

In below section from netconf-node-topology.yang, I see that if login-pw is selected, login credentials are encrypted.

case login-pw {

          description "login-password credentials, encrypted.";

          container login-password

{                       uses username-password;            }

}

If a node creation request with below content returns "200 OK" does this guarantee that credentials are encrypted in persistent configuration datastore? Is there a way to verify that they are stored encrypted? If so, which encryption mechanism is used?

request body:

{

  "node": {

             "node-id": "test",

              "host": "192.168.111.111",

              "port": 2022,

              "tcp-only": false,

              "login-pw:login-password" :

{                            "username": "admin",                            "password": "admin"                 }

      }

}

 

Thanks.

 Comments   
Comment by Wassim Sabra [ 06/Feb/22 ]

Hi,

 

I have the same concern, GET /restconf/config/network-topology:network-topology/topology/topology-netconf/node/<nodename> returns the password in clear text unencrypted.

I tried a PUT request with netconf-node-topology:password and netconf-node-topology:login-password.

 

Regards

 

 

Comment by Oleksandr Panasiuk [ 12/Oct/22 ]

From what i found, password encryption uses AAAEncryptionService which firstly generates key from aaa-encrypt-service-config.xml using PBKDF2WithHmacSHA1 encryption method and AES encryption type. After that AAAEncryptionService generates javax.crypto.Cipher instance with specs from aaa-encrypt-service-config.xml and previously generated key. Cipher is used to transform password byte array into String/byte[] encrypted by chosen method and type from key and after that, it is also encoded using rfc4648/Base64 algorithm. Also Cipher might not work if it is initialized in the wrong state which shouldn't be happening if aaa-encrypt-service-config.xml is OK, but if that happens the rfc4648/Base64 is used anyway so the password is protected in some way. AAAEncryptionService also generates decryption Cipher , it is used to return password in its unencrypted state after GET /restconf/config/network-topology:network-topology/topology/topology-netconf/node/<nodename> request. 
Also there is a possibility that key might be initialized as null if aaa-encrypt-service-config.xml is corrupted, in that case password will be stored with no encryption, no exceptions will be thrown and user will still get 200 OK response.
So under normal valid circumstances (when aaa-encrypt-service-config.xml  is ok) password will be stored encrypted.
 
 
 

Comment by Tibor Král [ 13/Oct/22 ]

I believe Oleksandr's findings answered the question. Closing this issue.

Generated at Wed Feb 07 20:10:32 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.