How does Maven 3 password encryption work?


Question

I'm trying to understand Maven 3's password encryption feature. I have found that this feature is poorly documented and confusing. For example, the feature documentation and a blog post by the author of the feature contradict each other about several points.

This question is broader than How does maven --encrypt-master-password work and is not covered by Maven encrypt-master-password good practice for choosing password.

Specifically, I am trying to answer the following questions which are not covered by the documentation. I've put what information I have been able to gather so far below each question in italics.

  1. Does the encrypted master password provide security simply by existing in settings-security.xml in a folder that only one user can access (~/.m2)? If so, why bother with encrypting a 'master password' (why not just use some random value)? Isn't the 'master password' really just an entropy input to the cryptographic function? Calling it a password is confusing - I expected Maven to prompt me for this password before decrypting any encrypted server passwords, but it did not.

My understanding is that yes, this only provides security by existing in an operating-system protected file. I believe Maven allows you to encrypt a master password so that if you lose the settings-security.xml file you can re-generate it. Is this correct?

  2. Do the master password and the server passwords use the same encryption process/cipher? The server passwords are based on the master password, so the algorithm must differ somewhat. Where is the source code?

Marcelo Morales' answer on How does maven --encrypt-master-password work links to the plexus-cipher project on GitHub. It isn't clear if that is just the cipher, or the actual Maven plugin that provides the password functionality though.

  3. I have observed that the same master password or server password encrypted multiple times gives different hashes. According to Marcelo Morales' answer on How does maven --encrypt-master-password work, this is because 'a JVM-configuration-specific (usually SHA1PRNG) 64-bit random salt' is added to the password prior to encrypting. Maven decrypts stored passwords when they are used at compile time. Doesn't this mean the salts have to be stored somewhere?

I don't know.

  4. I have also observed that a regular password encrypted using one encrypted master password will still work if the master password is re-encrypted and stored in the settings-security.xml file, even though the encrypted master password ciphertext is now different. Can someone explain how this works?

I don't know. It seems to me that Maven is either doing something suspicious or storing the plaintext somewhere.

  5. My understanding is that the encrypted passwords can only be used with <server /> tags in the settings.xml file. Is this true? Where can servers defined in settings.xml be used?

My understanding is that <server /> definitions can be used in <repositories /> and <distributionManagement />, but not <scm />. Can someone verify this?

  6. For such a critical feature (build-system security), there seems to be a lot of confusion and poor documentation. Can someone point me to how the documentation on the Maven 3 website works? Is there a wiki link somewhere so that I can try to improve the documentation properly?

I don't know.

Sorry for the wall of text, and thanks for any answers.

Answer

My answer is based on reading the Maven source code and doing a little research.

  1. Does the encrypted master password provide security simply by existing in settings-security.xml in a folder that only one user can access (~/.m2)? If so, why bother with encrypting a 'master password' (why not just use some random value)? Isn't the 'master password' really just an entropy input to the cryptographic function? Calling it a password is confusing - I expected Maven to prompt me for this password before decrypting any encrypted server passwords, but it did not.

The master password is an input into the cryptographic function for encrypting/decrypting the server passwords. If someone has your individual encrypted server passwords, they won't be able to decrypt them unless they also have your master password. This means you can freely share your Maven settings.xml file with others, without them being able to decrypt your server passwords. This is also why the master password is kept in a separate file.

Encryption guide

  2. Do the master password and the server passwords use the same encryption process/cipher? The server passwords are based on the master password, so the algorithm must differ somewhat. Where is the source code?

From what I can tell, the master password is encrypted using the same cipher as the server passwords. When decrypting the server passwords, the master password (unencrypted form) is an input; when decrypting the master password, the magic string "settings.security" is used as the additional input.

You can see the source code.

  3. I have observed that the same master password or server password encrypted multiple times gives different hashes. According to Marcelo Morales' answer on How does maven --encrypt-master-password work, this is because 'a JVM-configuration-specific (usually SHA1PRNG) 64-bit random salt' is added to the password prior to encrypting. Maven decrypts stored passwords when they are used at compile time. Doesn't this mean the salts have to be stored somewhere?

A traditional approach to handling salts is that the random salt is stored alongside the encrypted text. See the Wikipedia article.

Based on the source code linked above, the salt appears to be stored as the first 8 bytes of the Base64-decoded bytes, right before the encrypted password.

  4. I have also observed that a regular password encrypted using one encrypted master password will still work if the master password is re-encrypted and stored in the settings-security.xml file, even though the encrypted master password ciphertext is now different. Can someone explain how this works?

This is because the decrypted form of the master password is used, not the encrypted "ciphertext". Thus re-encrypting it doesn't affect the server password encryption/decryption.
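The answers to questions 3 and 4 above, worked through in code. This is an added example written for this page, not code from plexus-cipher or Maven: it models the container layout the answer describes (an 8-byte random salt stored in front of the ciphertext, one cipher for both master and server passwords, and the fixed string "settings.security" as the key for the master password itself). The pad-length byte after the salt, the AES/CBC cipher and the SHA-256 key/IV derivation are my reading of plexus-cipher's PBECipher and are assumptions here; the class name, the master password and the server password are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Toy model of the plexus-cipher container (assumption: modelled on my reading of
 * PBECipher, not the library's own code):
 *   base64( salt[8] || padLen[1] || AES-CBC ciphertext || random filler[padLen] )
 * Key and IV are derived from (password, salt) with chained SHA-256.
 */
public class MavenPasswordDemo {
    static final int SALT_SIZE = 8;    // the "64-bit random salt" from question 3
    static final int SPICE_SIZE = 16;  // AES-128 key length and CBC IV length
    static final int CHUNK_SIZE = 16;
    static final String MAGIC = "settings.security"; // key used for the master password itself
    static final SecureRandom RNG = new SecureRandom();

    // Derive key||iv (32 bytes) from password and salt, EVP_BytesToKey style with SHA-256 (assumed).
    static byte[][] deriveKeyAndIv(byte[] password, byte[] salt) throws Exception {
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        byte[] keyAndIv = new byte[SPICE_SIZE * 2];
        byte[] prev = new byte[0];
        int pos = 0;
        while (pos < keyAndIv.length) {
            sha.reset();
            sha.update(prev);               // empty on the first round
            sha.update(password);
            sha.update(salt, 0, SALT_SIZE);
            prev = sha.digest();
            int n = Math.min(prev.length, keyAndIv.length - pos);
            System.arraycopy(prev, 0, keyAndIv, pos, n);
            pos += n;
        }
        return new byte[][] { Arrays.copyOfRange(keyAndIv, 0, SPICE_SIZE),
                              Arrays.copyOfRange(keyAndIv, SPICE_SIZE, 2 * SPICE_SIZE) };
    }

    static Cipher cipher(String password, byte[] salt, int mode) throws Exception {
        byte[][] kv = deriveKeyAndIv(password.getBytes(StandardCharsets.UTF_8), salt);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(kv[0], "AES"), new IvParameterSpec(kv[1]));
        return c;
    }

    // A fresh salt on every call is why the same input never yields the same output.
    static String encrypt64(String clearText, String password) throws Exception {
        byte[] salt = new byte[SALT_SIZE];
        RNG.nextBytes(salt);
        byte[] ct = cipher(password, salt, Cipher.ENCRYPT_MODE)
                .doFinal(clearText.getBytes(StandardCharsets.UTF_8));
        int padLen = CHUNK_SIZE - (SALT_SIZE + 1 + ct.length) % CHUNK_SIZE;
        byte[] out = new byte[SALT_SIZE + 1 + ct.length + padLen];
        RNG.nextBytes(out);                             // trailing filler is random
        System.arraycopy(salt, 0, out, 0, SALT_SIZE);   // the salt travels inside the blob
        out[SALT_SIZE] = (byte) padLen;
        System.arraycopy(ct, 0, out, SALT_SIZE + 1, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // The salt is read back from the first 8 bytes, so nothing has to be stored elsewhere.
    static String decrypt64(String encoded, String password) throws Exception {
        byte[] all = Base64.getDecoder().decode(encoded);
        byte[] salt = Arrays.copyOfRange(all, 0, SALT_SIZE);
        int padLen = all[SALT_SIZE] & 0xff;
        byte[] ct = Arrays.copyOfRange(all, SALT_SIZE + 1, all.length - padLen);
        byte[] pt = cipher(password, salt, Cipher.DECRYPT_MODE).doFinal(ct);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Encrypted values in settings-security.xml and settings.xml are wrapped in braces.
    static String undecorate(String s) {
        int open = s.indexOf('{'), close = s.lastIndexOf('}');
        return (open >= 0 && close > open) ? s.substring(open + 1, close) : s;
    }

    public static void main(String[] args) throws Exception {
        String master = "constructed-master-password";   // sample value, not a real secret

        // Question 3: two encryptions of one server password differ only because the salt differs.
        String a = encrypt64("deploy-pass", master);
        String b = encrypt64("deploy-pass", master);
        System.out.println("identical ciphertext? " + a.equals(b));   // false
        System.out.println("both decrypt: " + decrypt64(a, master) + ", " + decrypt64(b, master));

        // Question 4: the master password is encrypted under the constant "settings.security".
        String masterEnc1 = "{" + encrypt64(master, MAGIC) + "}";
        String masterEnc2 = "{" + encrypt64(master, MAGIC) + "}";   // re-encrypted: new bytes...
        String recovered = decrypt64(undecorate(masterEnc2), MAGIC); // ...same plaintext back
        System.out.println("master ciphertexts equal? " + masterEnc1.equals(masterEnc2)); // false
        System.out.println("server password via re-encrypted master: " + decrypt64(a, recovered));
    }
}
```

Compile and run with `javac MavenPasswordDemo.java && java MavenPasswordDemo`. Encrypting the same value twice prints two different Base64 strings because the salt is fresh each time, yet both decrypt, which is the point of question 3: the salt needs no separate storage because it is carried in the first 8 bytes of the blob. Re-encrypting the master password changes its bytes but not the plaintext that decrypt64 returns under the fixed key, so server passwords encrypted with that plaintext keep working, which is question 4. Since that key is a constant, the encrypted master password is only obfuscated, and the protection for ~/.m2/settings-security.xml is the file permission, as the answer to question 1 says.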

I don't know the answer to your last two (5 and 6) questions.
