[Geoserver-devel] Decrypting passwords given in REST response

Hello List,

even though I am not a GeoServer core developer myself, I think that my questions can best be answered by people who are involved in the geoserver development.

I try to reverse the encryption mechanism of the passwords for the DB connections that are returned via the REST API. I know the master password and therefore expected to be able to decrypt these strings, for example with the tool here: https://8gwifi.org/pbe.jsp

The strings are:

“crypt2:rvaPmI1USC4jaiPVJlFSWZ8mFHPh9jyMAU9jGfB1ABI=” (Strong PBE)

“crypt1:E1kAaW4HURBcJLDIRahhi3DBBov7r+DG” (Weak PBE)

As far as I understood, for weak PBE the algorithm is “PBEWITHMD5ANDDES” and for strong PBE it’s “PBEWITHSHA256AND128BITAES-CBC-BC”.

But no matter what I try, I seem to miss one step because the services and my programming attempts always give me errors. What are the involved steps in order to retrieve the plain text password from the string above? The string itself obviously can’t serve as an input directly and I only have a rough understanding of encryption in general. As far as I understood, I only need the master password, or did I miss an important part about the salt?

Is there any example code available to decrypt the password? I looked into the source code of the GeoServer and came up with this:

// Attempt to reuse GeoServer's own conversion (SecurityUtils.toChars) together with Jasypt directly.
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import org.jasypt.encryption.pbe.StandardPBEByteEncryptor;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

byte[] encPasswordBytes = " ".getBytes();   // master password placeholder
Charset charset = Charset.forName("UTF-8");
String encPasswordString = new String(encPasswordBytes, charset);
char[] encPasswordChararray = encPasswordString.toCharArray();

StandardPBEStringEncryptor stringEncrypter = new StandardPBEStringEncryptor();
stringEncrypter.setPasswordCharArray(encPasswordChararray);
stringEncrypter.setAlgorithm("PBEWITHMD5ANDDES");

StandardPBEByteEncryptor byteEncrypter = new StandardPBEByteEncryptor();
byteEncrypter.setPasswordCharArray(encPasswordChararray);
byteEncrypter.setAlgorithm("PBEWITHMD5ANDDES");

// the crypt1: prefix has already been removed from the value below
byte[] encPasswordOrig = "E1kAaW4HURBcJLDIRahhi3DBBov7r+DG".getBytes(charset);
//byte[] decodedPasswordBytes = Base64.decode(encPasswordOrig);
byte[] decryptedPasswordBytes = byteEncrypter.decrypt(encPasswordOrig);

// bytes back to chars, as SecurityUtils.toChars does it
CharBuffer buff = charset.decode(ByteBuffer.wrap(decryptedPasswordBytes));
char[] tmp = new char[buff.limit()];
buff.get(tmp);
System.out.println("decrypt:" + new String(tmp));

I tried to stick to the example from SecurityUtils.java and GeoServerPBEPasswordEncoder.java but I always get a response that complains about the last block incomplete in decryption or an incorrect padding.

Can anybody help?

Thank you very much,

Michael

Hi Michael

Some facts you need to know.

The master password is used to encrypt the geoserver keystore located in
<GEOSERVER_DATA_DIR>/security/geoserver.jceks

This keystore contains an entry with the key used for the encryption of DB passwords.

You need the master password to open the keystore, then you have to fetch the key for DB password encryption and finally you can decrypt the DB password.
To decrypt the password on the client you have to store this password on the client, which is quite insecure.

Be warned, each GeoServer installation has its individual key for DB password encryption.

Hope this helps

Cheers
Christian


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
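The chain Christian describes, written out as an added example in Java (this is not code from the thread or from GeoServer itself): open the keystore with the master password, take the key entry, turn its bytes into a PBE password, and let Jasypt's string encryptor undo the Base64 and the prepended salt. The alias name, the assumption that the entry password equals the master password, and the UTF-8 byte-to-char conversion of the key are assumptions to check against GeoServer's KeyStoreProvider and SecurityUtils; it is meant to run where the data directory lives, not on a client.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.util.Collections;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

/** Decrypts a "crypt1:"/"crypt2:" value from datastore.xml with the key held in geoserver.jceks. */
public class GeoServerConfigPasswordDecryptor {

    // Assumed alias of the config-password key entry; verify with ks.aliases() on your installation.
    static final String KEY_ALIAS = "config:password:key";

    public static String decrypt(String dataDir, char[] masterPassword, String encoded) throws Exception {
        // 1. Open the keystore with the master password (the keystore is never returned by REST).
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(dataDir + "/security/geoserver.jceks")) {
            ks.load(in, masterPassword);
        }
        // 2. Fetch the per-installation DB-password key; entry password assumed equal to the master password.
        Key key = ks.getKey(KEY_ALIAS, masterPassword);
        if (key == null) {
            throw new IllegalStateException("no entry " + KEY_ALIAS + "; aliases: " + Collections.list(ks.aliases()));
        }
        // The key bytes become the PBE password as UTF-8 chars (assumed to match SecurityUtils.toChars).
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(key.getEncoded()));
        char[] pbePassword = new char[cb.limit()];
        cb.get(pbePassword);

        // 3. The prefix selects the algorithm; the rest is Base64 of salt || ciphertext as Jasypt writes it.
        String algorithm;
        if (encoded.startsWith("crypt1:")) algorithm = "PBEWITHMD5ANDDES";
        else if (encoded.startsWith("crypt2:")) algorithm = "PBEWITHSHA256AND128BITAES-CBC-BC";
        else throw new IllegalArgumentException("not a crypt1:/crypt2: value");
        String body = encoded.substring("crypt1:".length());   // both prefixes are 7 characters

        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm(algorithm);
        enc.setPasswordCharArray(pbePassword);
        if (algorithm.endsWith("-BC")) enc.setProvider(new BouncyCastleProvider());
        // decrypt() Base64-decodes, splits off the salt Jasypt prepended and removes the padding itself;
        // handing the Base64 text to a byte encryptor instead is what produces "last block incomplete".
        return enc.decrypt(body);
    }

    public static void main(String[] args) throws Exception {
        // usage: <data dir> <master password> <crypt1:/crypt2: value>
        System.out.println(decrypt(args[0], args[1].toCharArray(), args[2]));
    }
}
```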

Hello Christian,

thank you for your response but that was the info I was already aware of. I know the master password (I am the admin of that geoserver) but I believe that the string I need to pass to the decryption is not exactly the string that is returned in API response. Other pages state that the string is either a 64 character string or a 44 character string if it is base64 encoded. The string in the API response has 44 characters so I decoded the string with base64decode and tried to decrypt the resulting decoded string but it didn’t work either.

I always get a “javax.crypto.IllegalBlockSizeException: last block incomplete in decryption”, no matter if I use crypt1: string with PBEWITHMD5ANDDES or crypt2 string with PBEWITHSHA256AND128BITAES-CBC-BC (I remove the prefix of course when passing the string).

I hope anyone can give me a piece of code or advice on what I do wrong.

Regards,

Michael


On Tue, Oct 23, 2018 at 12:40 PM <Michael.Haertel@…5260…> wrote:



Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Did you compare the encoded password sent by the REST API and the encoded password stored in the datastore.xml file?

Cheers


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hello,

As far as I know there is no other way to retrieve the password from the API than requesting exactly the datastore.xml.

All I do is calling this URL: “http://:8080/geoserver/rest/resource/workspaces///datastore.xml“

If there is a different API call that discovers the encrypted password, please let me know.

Thank you very much,

Michael


On Wed, Oct 24, 2018 at 10:36 AM <Michael.Haertel@…5260…> wrote:


From: Christian Mueller <christian.mueller@…3674…>
Sent: Wednesday, 24 October 2018 08:41
To: Härtel, Michael <Michael.Haertel@…5260…>
Cc: geoserver-devel <geoserver-devel@lists.sourceforge.net>
Subject: Re: [Geoserver-devel] Decrypting passwords given in REST response

