电子邮件帐户密码存储在Java / Mysql服务器程序中 [英] Email account password storage in Java/Mysql server program
问题描述
1)将密码存储在程序的内存中,即私有的最终字符串字段。
2)服务器上可从
3中读取密码的文件3)某处MySQL数据库。
我认为1是最安全的选择,但有人有想法来处理这种情况,以最大限度地降低密码错误的风险手?感谢您的建议!
意见指出,SMTP不需要身份验证是正确的。也就是说,假设服务器使用商品硬件和软件,您指定的所有三个选项都不安全。我会说明为什么每个都不安全,虽然我不会遵循你的原始订单。
2)服务器上的一个文件可以从
中读取密码。3)MySQL数据库中的某处。
如果有人窃取服务器怎么办?然后,他们可以打开文件或数据库,阅读密码,并立即访问公司的所有重要信息。所以除非你们周围有武装守卫,这样做已经很不安全了。
但是它变得更糟。没有计算机系统完全不受攻击,而且在过去几年里,有几个广为人知的攻击(例如索尼的PlayStation网络)已经表明,攻击者可以在没有物理访问的情况下获得磁盘文件和数据库的内容。此外,从您的问题来看,似乎有问题的服务器是为了接受来自外部世界的数据包(HTTP请求,传入的电子邮件等),这会增加您的攻击面。
1)将密码存储在程序的内存中,即私人的最终字符串字段。
这是诱人的,但这比选项2或选项3更加有害。一方面,私有最终字符串字段存储在Java编译器生成的.class文件中,因此使用此选项,您已经存储了未加密的密码在服务器的硬盘上。在选项2或3中妥协服务器后,攻击者可以运行 javap ,以便将明文密码从.class文件中删除。
尽管如此,这种方法可以扩大你的攻击面。如果密码作为源代码的一部分存储,那么所有开发人员都可以使用该代码。根据最小权限的原则,开发人员不应该知道额外的密码,这里有很好的理由。如果任何一个开发者的机器从外部被盗或受到攻击,攻击者可以查看受损机器的硬盘驱动器并获取明文密码。然后有源代码控制。源代码控制的一个非常重要的优点是它允许您检查任何先前版本的代码。因此,即使您将来切换到安全方法,如果密码已经进入源代码管理,那么源代码管理服务器是一个潜在的攻击点。
所有这些因素加起来表明,即使HTTP /邮件服务器的安全性是一流的,选项1增加了攻击面,使得HTTP /邮件服务器的安全性无法真正帮助。
额外的细节:一开始我指定假设服务器使用商品硬件和软件。如果您不使用商品硬件和软件,则可以从只读存储进行启动,只能使用加密数据库,要求用户在每次启动时提供解密密钥。之后,解密的信息仅存储在内存中,并且永远不会写入磁盘。这样,如果服务器被盗,攻击者必须拔掉服务器的电源,从而丢失所有已经在内存中的解密信息。这种设置有时用于Kerberos KDC(服务器处于锁定的盒子中以实现额外的安全性),但是很少使用其他方式,并且当有一个简单的方法来解决您的问题,而不必去所有这些额外的费用。
I am in a sticky situation where I am writing an application that sends out emails to clients using an email account of my company. The issue here is that I have to have the password for the account to make the mail service on the server send out emails from that account. I know that passwords should never be stored in plain text, particularly ones that are used for an important email account. The dilemma here is that the program NEEDS to have the actual plain text password to send the emails so it needs to be stored somewhere accessible by the program. The program uses a MySQL database to store information so there are three options in my mind:
1) Store the password in the program's memory, i.e. a private final String field.
2) A file on the on the server where the password can be read from
3) Somewhere in the MySQL database.
I would think that 1 is the safest option, but does anybody have ideas to handle this sort of situation to minimize risk of the password falling into the wrong hands? Thanks for your advice!
The comments pointing out that SMTP doesn't require authentication are correct. That said, all three of the options you specified are insecure, assuming that the server uses commodity hardware and software. I'll show why each is insecure, although I won't follow your original order.
2) A file on the on the server where the password can be read from
3) Somewhere in the MySQL database.
What if someone were to steal the server? Then, they could just open the file or the database, read the password, and immediately have access to all the important information in the company. So unless you have armed guards surrounding the server day and night, this is already pretty insecure.
But it gets worse. No computer system is completely invulnerable to attack, and several well-publicized attacks (Sony's PlayStation Network, for example) in the past few years have shown that an attacker can get to the contents of disk files and databases without physical access. Furthermore, it seems from your question that the server in question is meant to accept packets (HTTP requests, incoming emails, etc.) from the outside world, which boosts your attack surface.
1) Store the password in the program's memory, i.e. a private final String field.
This is tempting, but this is even more pernicious than option 2 or option 3. For one thing, a private final string field is stored in the .class file generated by the Java compiler, so with this option you are already storing the unencrypted password on the server's hard drive. After compromising the server as in option 2 or 3, an attacker can just run javap in order to get the plaintext password out of the .class file.
This approach broadens your attack surface even more, though. If the password is stored as part of the source code, suddenly it's available to all developers who are working on the code. Under the principle of least privilege, the developers shouldn't know extra passwords, and there's a very good reason here. If any of the developers' machines is stolen or compromised from outside, the attacker can look through the compromised machine's hard drive and get the plaintext password. Then there's source control. One of the really important benefits of source control is that it allows you to inspect any prior version of your code. So even if you switch to a secure method in the future, if the password has ever entered source control then the source control server is a potential attack point.
All of these factors add up to show that, even if the HTTP/mail server's security is top-notch, option 1 increases the attack surface so much that the HTTP/mail server's security doesn't really help.
Extra detail: At the beginning I specified "assuming that the server uses commodity hardware and software." If you aren't using commodity hardware and software, you can do things like boot from readonly storage and use only an encrypted database, requiring a person to provide the decryption key on every boot. After that, the decrypted information lives in memory only, and is never written to disk. This way, if the server is stolen, an attacker has to unplug the server and so loses all the decrypted information that was only ever in memory. This kinds of setup is sometimes used for a Kerberos KDC (with the server in a locked boxe for extra security), but is rarely used otherwise, and is frankly overkill when there is an easy way to solve your problem without going to all this extra expense.
这篇关于电子邮件帐户密码存储在Java / Mysql服务器程序中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
