1

I have a web application. The application needs to connect to the database to read/write information. The database can be accessed with username/password or certificate.

Is it possible, somehow, to encrypt all this communication so even the Application administrator/OS administrator cannot see database password in plaintext while the application still has access to it?

I guess you can encrypt secret data with solutions like hashicorp vault... But still, the application will need to have the decryption key/token to read encrypted secrets, and in this case, the application administrator can look at application runtime and read data in plaintext.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Evaldas
  • 13
  • 3
  • Look what [a quick google search turned up](https://dev.mysql.com/doc/refman/8.0/en/encrypted-connections.html) –  Aug 06 '19 at 09:46
  • 1
    thanks for down-vote buddy. However, Your google search is not the question I ask. I ask not about connection between application and database. My questions is about configuration of connection string itself. I am looking for way to encrypt connection string so even application/os administrator cannot read it in plaintext. – Evaldas Aug 06 '19 at 14:10
  • And you don't want to use the certificate to connect? – schroeder Aug 06 '19 at 15:53

4 Answers4

1

It depends on your database. Trying to protect a resource where the resource is physically compromised by a bad actor is a hard problem because the bad actor has access to all resources: disk, network and memory. I'd be tempted to threat model the application and consider how you can mitigate the bad admin. If you don't trust the admin then there you do have a problem, but it might be that you can store credentials in an external source such as a Hardware Security Module. There is a whole industry around privileged account management where companies such as Cyberark claim that they can control access to your database. These products typically record privileged account access: they won't stop an authorised person going on a frolic of their own.

For the specific question of how to prevent someone with full access to the environment from reading a specific file: it's not possible. You could try to set access permissions ownership etc but you can't stop someone who has the access from getting to it. Putting the data into an HSM to which the actor does not have access will mitigate but you need to ensure that your database can talk to the HSM.

To really prevent someone who has legitimate root/admin to the system I think you will need to split up the systems to implement segregation of duties, then change your database authentication model: one admin looks after the user credentials store while the other admin looks after the database.

You could require every individual user to have their own login to the database. The web app then performs the login, assuming the admin can't hook into the web app (which they can). Perhaps not scalable, but possible.

For MS SQL you can use Windows authentication mode. doc This uses the windows authentication to the domain via kerberos. Your admin won't be able to get the credentials. You could of course have a service account and put that service account in a domain that your DBA does not have access to

For MySQL you can use LDAP via the pluggable authentication link

For Oracle take a look at Oracle Key Manager link

Unicorn Tears
  • 1,189
  • 4
  • 6
0

No. If the application has the password then so does anyone who has access to the application. You mention a memory dump but a simpler solution is to run a slightly modified version of the application which prints out its password in plain text, or sends it to an external API, etc... There is really no sure-fire way of stopping that.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Conor Mancone
  • 29,899
  • 13
  • 91
  • 96
  • So even in case with HSM / KMS solution - still , data only is encrypted in HSM/KMS itself. Application will need this data to be decrypted, and from application perspective login information/password is always plain-text - correct? cc @voilier-mottais – Evaldas Aug 12 '19 at 23:47
  • @Evaldas don't get me wrong. HSM/KMS have some very important roles in securing an application and its data. However, if someone manages to gain root access to a machine which is running an application that has full access encrypted data protected with an HSM/KMS, then yes, the attacker has effectively gained access to everything. It may take some effort for them to figure out how to get the data out, but ultimately you can't stop a root user from asserting full control over any application on the machine. – Conor Mancone Aug 13 '19 at 12:23
  • Thanks @conor-mancone ! This is an answer I needed, that's it's not possible to hide password/secrets for connection to database from application which needs access to database itself! – Evaldas Aug 13 '19 at 18:17
0

As others have said its not possible to restrict a db_owner (MSSQl) or an admin/root with GRANT OPTION on mysql/mariadb from accessing your table. Encryption, thus rending the table contents worthless is the correct approach, but as you've already noted coding this in plain text (PHP/ASP) isn't going to work. What you CAN do is code the encrypt/decrypt in binary (c on linux, c# on windows etc) and then build environment verification into the process.

That is, before I'm going to decrypt anything I need to verify that my caller is an ASP/PHP page within a given context, and the page is on disk and its checksum matches, etc. All this extra work is going to make it awkward, if not challenging for an experienced programmer to circumvent but its never going to be 100%. 100% is however almost never achieved, but 'not worth the effort' is a worthy target.

Richard Taylor
  • 11
  • 2
0

HSM are really good at that but really expensive, even in a virtualised model.

Another way of thinking could be: I can't stop admin access to my data eventually, but I can detect every way he could access it with a SIEM and alerts. If accountability is guaranteed, it's a good way to discourage malicious insiders.

schroeder
  • 123,438
  • 55
  • 284
  • 319