sscarduzio / elasticsearch-readonlyrest-plugin

Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing
https://readonlyrest.com
GNU General Public License v3.0

Suggestion : Adding Sha256 support for login/pass encryption #163

Closed ld57 closed 7 years ago

ld57 commented 7 years ago

Hi Simone,

It would be nice to add to the roadmap support for SHA-256 to replace SHA-1, due to new rules since the start of 2017.

Also, maybe we could include a short executable to do that, in something like "tools".

For now, on my side I did this script (PowerShell):

write-host "`n"
$name = Read-Host 'What to hash in sha1, sha256 and Base64 ?'
write-host "`n"
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$sha256 = [System.Security.Cryptography.SHA256]::Create()
# Encode the input as UTF-8 (the same encoding the Base64 step below uses);
# casting [char[]] straight to [byte[]] breaks for characters above 0xFF
$bytes = [System.Text.Encoding]::UTF8.GetBytes($name)
# ComputeHash returns the raw digest bytes (a one-way hash, not encryption)
$encryptedBytessha1 = $sha1.ComputeHash($bytes)
$encryptedBytessha256 = $sha256.ComputeHash($bytes)
# Render each digest as a lower-case hex string, two characters per byte
$encryptedBytessha1clean = ($encryptedBytessha1 | ForEach-Object { "{0:x2}" -f $_ }) -join ''
$encryptedBytessha256clean = ($encryptedBytessha256 | ForEach-Object { "{0:x2}" -f $_ }) -join ''
write-host "String [$name] in SHA1 is [$encryptedBytessha1clean]"
write-host "String [$name] in SHA256 is [$encryptedBytessha256clean]"
write-host "`n"
$sha1.Dispose()
$sha256.Dispose()

# Base64 is a reversible encoding, not a hash: encode, then decode to show the round trip
$base64enc = [System.Text.Encoding]::UTF8.GetBytes($name)
$resultencoded = [System.Convert]::ToBase64String($base64enc)
Write-Host "String [$name] in Base64 is [$resultencoded]"

$base64dec = [System.Convert]::FromBase64String($resultencoded)
$resultdecoded = [System.Text.Encoding]::UTF8.GetString($base64dec)
Write-Host "[$resultdecoded] is what you originally input as string"
write-Host "`n"

It asks for a string (enter login:password) and returns SHA-1, SHA-256 and also Base64 encrypted and converted.

I am not good at Java, but maybe someone could translate this. Or what about Python?

An improvement: instead of requesting "just" the string to convert, it would be a good idea to split it into two questions, one for login, one for password, and rebuild the string as $login + ":" + $password before encrypting.

Ld57
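The two-prompt variant described in the comment above, as an added Python example (not code from the ReadonlyREST project or from the commenter): it asks for login and password separately, joins them as "login:password", and prints the SHA-1, SHA-256 and Base64 forms. It assumes UTF-8 as the byte encoding and adds a constant-time `matches` helper showing how a consumer would check a presented credential against a stored hex digest.

```python
"""Credential hashing helper (added example, not part of ReadonlyREST).

Prompts for login and password separately, joins them as "login:password"
and prints the SHA-1, SHA-256 and Base64 forms. UTF-8 is assumed.
"""
import base64
import getpass
import hashlib
import hmac


def digest_hex(text: str, algorithm: str = "sha256") -> str:
    """Lower-case hex digest of the UTF-8 bytes of `text` (sha1 or sha256)."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def credential_forms(login: str, password: str) -> dict:
    """SHA-1, SHA-256 and Base64 forms of the "login:password" string."""
    joined = f"{login}:{password}"
    return {
        "sha1": digest_hex(joined, "sha1"),
        "sha256": digest_hex(joined, "sha256"),
        # Base64 is a reversible encoding, not a hash
        "base64": base64.b64encode(joined.encode("utf-8")).decode("ascii"),
    }


def matches(stored_hex: str, login: str, password: str,
            algorithm: str = "sha256") -> bool:
    """Check a presented login/password against a stored hex digest.

    compare_digest runs in constant time, so a mismatch does not leak how
    many leading hex characters agreed.
    """
    presented = digest_hex(f"{login}:{password}", algorithm)
    return hmac.compare_digest(presented.lower(), stored_hex.lower())


if __name__ == "__main__":
    user = input("Login: ")
    secret = getpass.getpass("Password: ")  # not echoed to the terminal
    for form, value in credential_forms(user, secret).items():
        print(f"{form}: {value}")
```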

sscarduzio commented 7 years ago

Nice improvement, can you expand on what rules came out in 2017? Is it something in your business or some internet-wide recommendation that came out and I know nothing about?

BTW, this is a discussible non-issue issue, AKA: can be tracked here! http://forum.readonlyrest.com/

ld57 commented 7 years ago

Great @sscarduzio, you gave us a forum! Thanks! Going to!

ld57 commented 7 years ago

Well, as you may know, SHA-1 certificates are no longer supported by browsers as of this year. While it is normally only related to external relations, in my company the security team decided (on their own) that all certificates, encryption methods and stuff have to support SHA-256 and no more SHA-1 use.

Since I am fighting to prove that the ELK stack is more interesting than Splunk, I must convince them on all fronts that ELK is better (cost, easy access, transferable, secure, etc.), however much I disagree with their approach.

Here is my challenge: convincing them to choose ELK vs Splunk for use in the company. Ld

sscarduzio commented 7 years ago

Yeah, makes super sense. Let's do this.

ld57 commented 7 years ago

Closing, transferred into the new forum.