Analysis of the Jenkins private user database encryption algorithm
Jenkins access control consists of two parts: the security realm (authentication) and the authorization strategy.
The security realm can take one of three forms: Jenkins' own private user database, LDAP, or delegation to the Servlet container.
Storage location of the Jenkins private user data: <JENKINS_HOME>/users/
The information for each user is stored in that user's config.xml file: <JENKINS_HOME>/users/<user>/config.xml
In config.xml, the passwordHash node holds the ciphertext: the hash value derived from the user's password.
So what encryption method is used to produce it? Can the ciphertext be decrypted to recover the plaintext?
Searching the Jenkins source code on GitHub for the keyword #jbcrypt leads to the file HudsonPrivateSecurityRealm.java.
The full path of HudsonPrivateSecurityRealm.java is: jenkins/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
By analyzing the source code, we learn that:
1. The stored ciphertext has the format salt:encPass, where the #jbcrypt prefix takes the place of the salt and serves as the data header.
2. The encPass part is produced by the jbcrypt algorithm.
About jbcrypt:
jbcrypt is a Java implementation of the bcrypt password hashing function.
Its API is very simple; the demo below shows it. HudsonPrivateSecurityRealm.java uses the same API for hashing and verification:
    import org.mindrot.jbcrypt.BCrypt;

    // Hash a password for the first time
    String hashed = BCrypt.hashpw(password, BCrypt.gensalt());

    // gensalt's log_rounds parameter determines the complexity: the work factor is 2**log_rounds, and the default is 10
    String hashedStrong = BCrypt.hashpw(password, BCrypt.gensalt(12));

    // Check that an unencrypted password matches one that has previously been hashed
    if (BCrypt.checkpw(candidate, hashed))
        System.out.println("It matches");
    else
        System.out.println("It does not match");
It has been verified that when jbcrypt hashes the same plaintext repeatedly, the resulting ciphertexts generally differ, because a fresh salt is generated each time.
About bcrypt:
1. bcrypt is a one-way (irreversible) algorithm: the plaintext cannot be recovered by decrypting the ciphertext.
2. Unlike symmetric or asymmetric encryption, bcrypt verification neither decrypts the stored value nor compares it against a fresh encryption of the candidate. Instead, the candidate plaintext is hashed together with the salt (and cost) embedded in the stored ciphertext to produce another ciphertext; if the two ciphertexts are identical, verification succeeds.
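To tie the two points above together (the salt:encPass storage format and the way bcrypt verifies a candidate without decrypting anything), here is an added example in Java. It is not code from Jenkins or from jbcrypt; it assumes the jbcrypt library (package org.mindrot.jbcrypt) is on the classpath, and the class name, method names and the sample password are all made up for this illustration. The header string "#jbcrypt:" follows the salt:encPass form described above.

```java
import org.mindrot.jbcrypt.BCrypt;

// Added example, not Jenkins' or jbcrypt's own code. Hypothetical class name.
public class PasswordHashCheck {

    // Data header written in front of the bcrypt string (the "salt:" part of salt:encPass)
    static final String JBCRYPT_HEADER = "#jbcrypt:";

    // Build a value in the same salt:encPass form. gensalt() draws a fresh random salt
    // each call, so two hashes of the same password differ; logRounds is the cost (2**logRounds).
    static String hashForStorage(String password, int logRounds) {
        return JBCRYPT_HEADER + BCrypt.hashpw(password, BCrypt.gensalt(logRounds));
    }

    // Verify a candidate against a stored value. Nothing is decrypted: checkpw re-hashes the
    // candidate with the salt and cost embedded in encPass and compares the two ciphertexts.
    static boolean verify(String candidate, String stored) {
        if (candidate == null || stored == null || !stored.startsWith(JBCRYPT_HEADER)) {
            return false; // not in the expected salt:encPass form
        }
        String encPass = stored.substring(JBCRYPT_HEADER.length());
        try {
            return BCrypt.checkpw(candidate, encPass);
        } catch (IllegalArgumentException e) {
            return false; // malformed bcrypt string (wrong length or prefix)
        }
    }

    // Read the cost factor out of the bcrypt string, e.g. "$2a$10$..." -> 10.
    // A bcrypt string is "$2a$" + two-digit cost + "$" + 22-char salt + 31-char hash,
    // which is why the salt never needs to be stored separately.
    static int costOf(String stored) {
        String encPass = stored.startsWith(JBCRYPT_HEADER)
                ? stored.substring(JBCRYPT_HEADER.length()) : stored;
        String[] parts = encPass.split("\\$"); // ["", "2a", "10", "<salt+hash>"]
        if (parts.length < 4) {
            throw new IllegalArgumentException("not a bcrypt string");
        }
        return Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) {
        String password = "example-password-only"; // constructed sample value
        String stored1 = hashForStorage(password, 10);
        String stored2 = hashForStorage(password, 10);

        System.out.println(stored1);
        System.out.println("same plaintext, same ciphertext? " + stored1.equals(stored2)); // false
        System.out.println("cost factor: " + costOf(stored1));                               // 10
        System.out.println("correct password verifies? " + verify(password, stored1));       // true
        System.out.println("wrong password verifies?   " + verify("not-it", stored1));       // false
        System.out.println("other hash also verifies?  " + verify(password, stored2));       // true
    }
}
```

The last line of main is the point of the whole page: stored1 and stored2 are different strings, yet both verify the same password, because each carries its own salt and bcrypt re-derives the comparison value from the candidate rather than from any recoverable plaintext. Raising the cost to 12 makes hashForStorage roughly four times slower, which is the knob an administrator has for slowing down offline guessing of a leaked config.xml.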
In summary, the Jenkins private user database stores passwords with jbcrypt. jbcrypt hashing is irreversible, and hashing the same plaintext generally yields different results because of the per-hash salt.
From: http://my.oschina.net/donhui/blog/379925