Application Server 7 / AS7-4982

add-user.sh script (to pre-hash the password used in domain security realms for use with HTTP and SASL Digest) uses a weak hashing algorithm (MD5) that has been broken for a long time

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • 7.1.2.Final (EAP)
    • Domain Management, Security

      In JBoss EAP 6.0 Beta2 or JBoss AS 7.1.1, we need to use the bin/add-user.sh script to add user access to the JBoss console.
      In the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user Java class is used to:
      1) add the login to the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties
      2) first hash the password with the MD5 hash algorithm and then copy the hashed value into the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties

      When you search for the org.jboss.as.domain-add-user Java class on the Internet, you find this source file
      http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-domain-management/7.1.1.Final/org/jboss/as/domain/management/security/AddPropertiesUser.java#AddPropertiesUser
      and this file imports the org.jboss.sasl.util.UsernamePasswordHashUtil class, which is in the file
      http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.sasl/jboss-sasl/1.0.1.Final/org/jboss/sasl/util/UsernamePasswordHashUtil.java

      In the file UsernamePasswordHashUtil.java, we can see that it is the weak MD5 hash algorithm that is used, and that it has been broken for a long time:
      At http://en.wikipedia.org/wiki/MD5, the Wikipedia article says:
      "In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable...In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and
      US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."[9]
      and most U.S. government applications now require the SHA-2 family of hash functions."

      The org.jboss.sasl.util.UsernamePasswordHashUtil class uses the java.security.MessageDigest class.
      As you can see at http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html,
      the getAlgorithm function can use several hash or message digest algorithms.
      The hash or message digest algorithms available are:
      MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512
      http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
      http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA

      So can you replace the weak MD5 message digest algorithm used by add-user.sh with
      SHA-256 or AES-256?

      Note: The security team in my big company now wants all the application servers used in the company to use strong
      cipher algorithms, such as 3DES as used by Oracle WebLogic 10 or AES-256 as used by Oracle WebLogic 11.


            Vladimir V. Bychkov (Inactive) added a comment:

            I have done SHA-256 password encryption in a separate elytron branch. I use it for a custom property-realm in WildFly 22 and it works (but not of full value) for me.


            Darran Lofthouse added a comment:

            I am marking this specific issue as deferred as it is something we are working to address at a higher level.

            The reason that we use hashed passwords is that we are using Digest-based authentication by default in AS7 for the HTTP management interface and the Remoting connectors. To achieve this we either need to store the password in a recoverable form, or we need to pre-hash it to match the authentication mechanism in use.

            For any immediate problems this proves to migrating end users, they can now deploy their own plug-in using their own backing store of passwords, with whatever restrictions they wish to place on the storage.

            From an AS perspective our first task is to enhance the Digest mechanisms themselves to support stronger hashes and then the passwords we store can be hashed using these mechanisms.

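The description above says that add-user.sh stores an MD5 pre-hash, and the comment above explains why: the stored value has to match what the Digest mechanism computes, so the server can verify a login without a recoverable password. The example below is added here and is not code from the JBoss project or from any commenter. It assumes the stored value is H(username:realm:password), the "HA1" of HTTP Digest (RFC 2617, and RFC 7616 for the SHA-256 variant), and makes the java.security.MessageDigest algorithm a parameter so the MD5 and SHA-256 cases can be compared side by side. The class and method names, the realm name and all sample values (user, password, nonces) are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/*
 * Added example, not project code: a minimal Digest realm that stores
 * H(username:realm:password) (RFC 2617 "HA1") and verifies a Digest response
 * from that stored value alone. The digest algorithm is a parameter so the
 * MD5 (RFC 2617) and SHA-256 (RFC 7616) variants can be compared.
 * All names and sample values below are hypothetical / constructed.
 */
public final class DigestRealmExample {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Lower-case hex digest of a UTF-8 string, with the algorithm chosen by name
    // (MessageDigest.getInstance is where "MD5" vs "SHA-256" is selected).
    static String h(String algorithm, String data) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            return hex(md.digest(data.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("unsupported digest: " + algorithm, e);
        }
    }

    // The value an add-user style tool writes to the properties file for this user.
    static String ha1(String algorithm, String user, String realm, String password) {
        return h(algorithm, user + ":" + realm + ":" + password);
    }

    // Client side of Digest with qop=auth: the client needs the clear-text password.
    static String clientResponse(String algorithm, String user, String realm, String password,
                                 String method, String uri, String nonce, String nc, String cnonce) {
        String ha1 = ha1(algorithm, user, realm, password);
        String ha2 = h(algorithm, method + ":" + uri);
        return h(algorithm, ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    // Server side: recomputes the response from the stored HA1 and never sees the password.
    // The comparison is constant-time so a correct/incorrect guess cannot be timed.
    static boolean serverVerify(String algorithm, String storedHa1, String method, String uri,
                                String nonce, String nc, String cnonce, String response) {
        String ha2 = h(algorithm, method + ":" + uri);
        String expected = h(algorithm, storedHa1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     response.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values; a real nonce is random and issued per challenge.
        String user = "admin", realm = "ExampleRealm", password = "Pa55w0rd!";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", nc = "00000001", cnonce = "0a4f113b";
        String method = "GET", uri = "/management";

        // 1) The stored entry (username=HA1) as produced at add-user time, per algorithm.
        String storedMd5 = ha1("MD5", user, realm, password);
        String storedSha256 = ha1("SHA-256", user, realm, password);
        System.out.println(user + "=" + storedMd5);
        System.out.println(user + "=" + storedSha256);

        // 2) Client and server both use the MD5 mechanism: login verifies from the stored hash.
        String respMd5 = clientResponse("MD5", user, realm, password, method, uri, nonce, nc, cnonce);
        System.out.println("MD5 client vs MD5 store: "
                + serverVerify("MD5", storedMd5, method, uri, nonce, nc, cnonce, respMd5));

        // 3) Store upgraded to SHA-256 while the client still speaks the MD5 mechanism:
        //    an MD5 HA1 cannot be derived from a SHA-256 HA1, so the login fails.
        System.out.println("MD5 client vs SHA-256 store: "
                + serverVerify("SHA-256", storedSha256, method, uri, nonce, nc, cnonce, respMd5));

        // 4) Only once both sides use the SHA-256 mechanism does the stronger store work.
        String respSha256 = clientResponse("SHA-256", user, realm, password, method, uri, nonce, nc, cnonce);
        System.out.println("SHA-256 client vs SHA-256 store: "
                + serverVerify("SHA-256", storedSha256, method, uri, nonce, nc, cnonce, respSha256));
    }
}
```

Run with `javac DigestRealmExample.java && java DigestRealmExample`; cases 2 and 4 print `true`, case 3 prints `false`. Case 3 is the practical reason the ticket was deferred: the stored digest is tied to the mechanism the clients speak, so the mechanism has to grow SHA-256 support before the store can. Two caveats for anyone operating such a realm: the stored HA1 is password-equivalent within that realm, so the properties file needs the same access controls as a clear-text password regardless of the digest used; and a single unsalted SHA-256 over username:realm:password is a mechanism digest, not a slow password hash, so a leaked file remains cheap to brute-force offline.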

              Assignee: Darran Lofthouse
              Reporter: Yannick LE NY (Inactive)
              Votes: 2
              Watchers: 2
