-1

I'm building a system that for reasons I'll outline below, can't used hashed passwords, but I'd still like to encrypt them so that it's as hard as possible to crack them, in the (unlikely) event the DB does get compromised.

Basically, the reason I can't store them hashed is because they aren't authentication details for my system, they'll be used to log into external services, and because of that I'd need to store them in a reversible format so I can decrypt the authentication details and perform remote logins.

What would be the best way to approach this problem?

David Xu
  • 107
  • 3
    So, you want to build keypass right? I would check the things they use. http://keepass.info/help/base/security.html – Gudradain Mar 02 '15 at 05:23
  • 1
    I'm not sure what you are asking. If you want to encrypt passwords, then use an encryption algorithm. Perhaps you have constraints or issues that you haven't explained? – schroeder Mar 02 '15 at 06:32
  • Does your database have built-in encryption support? – Mark Mar 02 '15 at 07:33
  • 1
    Hardware security module, CTR mode encryption using a constant size block, say 64 bytes – Richie Frame Mar 02 '15 at 07:39

5 Answers5

1

The fundamental problem in any system like this is where do you store the key? There are plenty of decent symmetric ciphers out there, many of which would be acceptable for this use case, but every single one of them is trivially broken if the attacker can get the key. You obviously can't store it in the same database as the secrets. You probably shouldn't store it in a file either; those are sometimes exposed either through SQLi or through other attacks that allow reading local files, or are exposed if the entire machine or one if its backups are captured. You can try passing it in from another key store but that just moves the problem by one step. You can try storing it on removable media (a flashdrive or similar) that you only plug in while using it, but then you risk losing the drive or the file being read off of it while the drive is plugged in.

The usual solution here is some kind of Hardware Security Module (HSM), which supports write-only key storage (you give it a key once, and it remembers but never divulges it) and various cryptographic operations using that key (such as using it to decrypt a database key which is never stored in decrypted form, or to decrypt any individual secret extracted from the database). Ideally you also want to require some authentication to the HSM so that an attacker can't use it themselves if they somehow get code execution on your machine or steal the HSM, but you've already raised the bar by a lot just by requiring those levels of access.

If a full HSM is too expensive, there are various other options. Some operating systems (Windows definitely, MacOS or Linux maybe) provide a write-only key storage solution in software; these aren't quite as secure as an HSM because the key is written to disk in some form but at least the file containing it isn't readable by the process that uses the secret (instead, some inter-process communication is done to a security service that is the only one able to read the key file and never divulges the key, and which can also require authentication of the caller). There are also cloud-based key storage options; they're backed by HSMs but are only as secure as the authentication to your cloud account.

You can also just do something similar to the password storage systems out there today (or just use one directly), such as KeePass (mentioned in a comment). You then do still need to store the password to unlock the password storage somewhere - that somewhere can potentially be "your brain, and also written on paper in a fireproof safe" though - and input that password at need, but this might work for your situation and doesn't require you making any direct decisions about how to implement the cryptosystem (which is generally best left to experts).

CBHacking
  • 40,303
  • 3
  • 74
  • 98
0

Depending on what other services/systems your service/system wants to log into, you probably want to store an authentication token rather than the user's password. Look into whether you can use e.g. OAuth or similar to access those other systems.

Stephen Warren
  • 246
  • 1
  • 6
0

You can use TPM version 2.0 for securing the keys that encrypts your database or passwords. TPM is cheap and fairly secure.

As an idea you can store your key under Endorsement heirarchy and encrypts your database or password with that key.

This will atleast provide you some level security but if someone got the access of system they can still decrypt the password or database.

Edit: If access to password or database can be allowed with password input you can set password on your key while encrypting it with TPM2.0 Endorsement key which will give extra security.

saurabh
  • 723
  • 1
  • 4
  • 12
0

This is exactly the kind of problem that vault was designed to solve. Once you authenticate to the vault you get a temporary token, then based on the policies associated with your token you can read or write key/value pairs that you want to keep secret. The vault encrypts your secrets and stores them in a backend database. Only the vault has the decryption key, and does not have a facility for recovering it. When you first install the vault, you must configure it to require m of n shares; it then generates n number of key shares, which you distribute to various trusted people. When the vault is started, it is in a sealed state which then requires the entry of m shares to unseal it. That way you can set it up so one single person doesn't have enough shares to decrypt the master key.

That's also a drawback of the open source version: if the server is ever restarted (for patching or whatever), you need to find the right group of people before you can unseal your vault server and bring it back on line.

If you opt to pay for HashiCorp's enterprise licensed version, they support storing one or more shares of the master unlock key in a PKCS#11 HSM (and if you store enough shares it can auto-unlock itself). The enterprise version also supports high availability, redundancy, and fault tolerance; and some other features that are critical to corporations, but may not be as important to smaller operations.

With a broadly used open source tool like this, all the hard security problems have already been solved for you, and the security of vault has been tested by a lot of different organizations (not just HashiCorp.) It can be a less risky route than rolling your own database encryption solution.

John Deters
  • 33,650
  • 3
  • 57
  • 110
0

Don't roll your own crypto.

There are lots of "team" password managers available already which provide APIs you can access, however they vary in the level of sophistication of implementation. A reasonably correct model to follow is that the data is encrypted with a master key. Then each user account on the password manager gets a copy of this master key encrypted with the user's password.

A slightly better model is to split the master key and encrypt a portion with the user's password and retain part on the system hosting the service.

Unfortunately while there is no end of products out there, trying to find out how their security models work is very difficult. Very few are geared up for machine clients (I.e. APIs). A special mention here for Passbolt who claim to offer an API but don't have any documentation for it (or so I was told when I approached them).

I'm currently looking at syspass as a candidate for where I work, but hashicorp vault and bitwarden also seem quite capable in this context.

symcbean
  • 18,278
  • 39
  • 73