This repository has been archived by the owner on Jul 10, 2024. It is now read-only.


Philipp Haussleiter edited this page Nov 25, 2015 · 1 revision

Security

Security is an open term and a wide field. Therefore, security always is defined by a bunch of aspects and measures.

clusters of nodes
see #12

All computers on a network that run BundleBee can automatically participate in the grid. This is not always desired. Sometimes it is necessary to define a closed shop, e.g. for a certain set of applications that should not be deployed to and called on nodes other than those from a predefined set. Let's call this predefined set a cluster for the moment.

BundleBee accomplishes that by optionally signing each message sent by the Registry using state-of-the-art cryptographic means.

Therefore, someone (the admin) needs to define a secret that is shared by all nodes that are destined for the cluster:

org.bundlebee.registry.security.sharedsecret=ESVfzTKojjQ77htPgPpznfSFY6pzsRXz

This password is used to create a 256 bit key using the PBKDF2WithHmacSHA1 algorithm. The key in turn goes into an HMAC signature that is based on the SHA256 hash function.
The HMAC and the message (in clear text) are then transmitted together. The receiver computes the HMAC from the message itself and compares it to the received one. If they are equal, the message is considered to come from an authorized node of the same cluster.
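The following is an added example, not BundleBee's own code, that walks through the scheme described above in Python: the shared secret is stretched into a 256-bit key with PBKDF2 (HMAC-SHA1), the key signs the clear-text message with HMAC-SHA256, and the receiver recomputes and compares the tag. The wiki does not state the PBKDF2 salt, the iteration count, or how the tag is attached to the message, so the salt, iteration count, tag-appended framing and the `REGISTER ...` message text are assumptions made for this example only; the shared secret value is the one shown on this page.

```python
import hashlib
import hmac

# Assumed parameters (not specified on the wiki page): all nodes in a cluster
# would have to agree on the same salt and iteration count.
PBKDF2_SALT = b"bundlebee-cluster-salt"  # assumed
PBKDF2_ITERATIONS = 10_000               # assumed
KEY_LEN_BYTES = 32                       # 256 bits, as stated on the page
TAG_LEN_BYTES = 32                       # SHA256 output size


def derive_key(shared_secret: str, salt: bytes = PBKDF2_SALT,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Turn the shared secret into a 256-bit key (PBKDF2 with HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac("sha1", shared_secret.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN_BYTES)


def sign(key: bytes, message: bytes) -> bytes:
    """Sender side: the clear-text message with its HMAC-SHA256 tag appended."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, packet: bytes):
    """Receiver side: split off the tag, recompute the HMAC, compare in constant time.

    Returns the message on success, or None if the packet was not produced with
    the cluster's key (wrong secret) or was altered in transit.
    """
    if len(packet) < TAG_LEN_BYTES:
        return None
    message, received_tag = packet[:-TAG_LEN_BYTES], packet[-TAG_LEN_BYTES:]
    expected_tag = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest does not stop at the first differing byte, so the comparison
    # time does not reveal how much of a forged tag was correct.
    if not hmac.compare_digest(expected_tag, received_tag):
        return None
    return message


def demo() -> dict:
    """Walk through the three cases a registry node has to handle."""
    cluster_key = derive_key("ESVfzTKojjQ77htPgPpznfSFY6pzsRXz")  # secret from the wiki
    outsider_key = derive_key("password")                        # node outside the cluster

    # constructed sample message; the real wire format is not described on the page
    registry_msg = b"REGISTER node=host-a bundle=org.example.app version=1.0"
    packet = sign(cluster_key, registry_msg)

    # 1. a genuine packet from a cluster node is accepted
    accepted = verify(cluster_key, packet)

    # 2. the same bytes checked with a key derived from a different secret are rejected
    rejected_foreign = verify(outsider_key, packet)

    # 3. flipping a single bit of the clear-text message invalidates the tag
    tampered = bytearray(packet)
    tampered[0] ^= 0x01
    rejected_tampered = verify(cluster_key, bytes(tampered))

    return {
        "key_bits": len(cluster_key) * 8,
        "packet_len": len(packet),
        "accepted": accepted == registry_msg,
        "rejected_foreign": rejected_foreign is None,
        "rejected_tampered": rejected_tampered is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The constant-time comparison in `verify` is the one detail worth keeping even in a small implementation: a plain `==` on the tag bytes short-circuits at the first mismatch, which can leak timing information to a sender probing the registry.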

Why is it secure?

Because of the 256 bit length of the key that goes into the HMAC computation. 'Secure' in this case means that it is computationally infeasible to compute or guess the key from listening to the traffic. The length of the key is crucial, together with the SHA256 hash, for which no attacks that create a hash collision are known. Even finding a hash collision would not destroy the unforgeability of messages, due to the features of the HMAC algorithm: that would require a collision of the key PLUS a collision of the key+something (HMAC is known to be secure even with hashes that are not collision-free).
Therefore it doesn't matter that the message itself is sent as clear text.

Of course, the quality of the key is only as good as the password is. If the password can easily be guessed a priori (first name of the admin's girlfriend), the whole measure is compromised. It is strongly advised to use generated passwords with a length of at least 32 characters (256 bit again…).
