Uploaded image for project: 'Apache Knox'
  1. Apache Knox
  2. KNOX-2579

Make token passcode secure in DB token state backend

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.0
    • Fix Version/s: 1.6.0
    • Component/s: Server
    • Labels:
      None

      Description

      With KNOX-2554, we now have the ability to store passcode tokens in relational databases. However, it indicates poor security practice if sensitive data is stored in plain text format. Since the token_id JWT claim can be used as a passcode, we need to make sure it's saved in a hashed format. To be able to do this, the following is going to be implemented:

      • add a new column called id which will serve as the primary key of the KNOX_TOKENS table (this is also going to be a UUID)
      • keep the current token_id column as is, and store the token.id claim in a hashed form in this column

      By default, HS256 is going to be used as a hash algorithm, but end-users can configure it via the gateway.database.hash.alg gateway level configuration. A new pre-defined alias name is to be introduced too: gateway_database_hash_key. End-users must save the desired key using this alias if they use the new JDBCTokenStateService as the token management backend. Please note that key size it's very important for hash-based algorithms so using the master secret is not an option here.

      The token verification logic has to be changed too (need to hash token.id before getting expiration from the database).

        Attachments

        Issue Links

          Activity

            People

            • Assignee:
              smolnar Sandor Molnar
              Reporter:
              smolnar Sandor Molnar

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 1h 20m
                1h 20m

                  Issue deployment