Analysis of Jenkins proprietary user database encryption algorithm

Source: Internet
Author: User
Tags asymmetric encryption


Jenkins access control consists of two parts: a security realm, which handles authentication, and an authorization strategy, which decides what an authenticated user may do.

The security realm can take one of three forms: Jenkins' own private user database, LDAP, or delegation to the servlet container.

Storage location of Jenkins private user data: <JENKINS_HOME>/users/

Each user's information is stored in a config.xml file: <JENKINS_HOME>/users/<user>/config.xml

In that config.xml file, the passwordHash element holds the hashed form of the user's password, not the password itself.

So what encryption method produces that value, and can the ciphertext be decrypted to recover the plaintext?

Searching the Jenkins source code on GitHub for the keyword #jbcrypt leads to the file HudsonPrivateSecurityRealm.java.

The full path of HudsonPrivateSecurityRealm.java is: jenkins/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java

By analyzing the source code, we know that:

1. The stored value has the form salt:encPass, where the salt part is the fixed header #jbcrypt that marks the format of the data that follows.

2. The encPass part is produced by the jbcrypt algorithm.

About jbcrypt:

jBCrypt is a Java implementation of the bcrypt password-hashing function.

Its API is very simple. The demo below shows it; these are the same calls that HudsonPrivateSecurityRealm.java uses for hashing and verification:

  import org.mindrot.jbcrypt.BCrypt;

  public class BCryptDemo {
      public static void main(String[] args) {
          String password = "example-password";   // plaintext to protect
          String candidate = "example-password";  // value supplied at login

          // Hash a password for the first time; gensalt() generates a fresh random salt
          String hashed = BCrypt.hashpw(password, BCrypt.gensalt());

          // gensalt's log_rounds parameter sets the cost: the work factor is 2**log_rounds, and the default is 10
          String hashedStronger = BCrypt.hashpw(password, BCrypt.gensalt(12));

          // Check that an unencrypted password matches one that has previously been hashed
          if (BCrypt.checkpw(candidate, hashed))
              System.out.println("It matches");
          else
              System.out.println("It does not match");
      }
  }

It has been verified that hashing the same plaintext twice with jbcrypt generally yields two different ciphertexts, because a different random salt is generated each time.

About bcrypt:

1. bcrypt is a one-way (irreversible) algorithm: the plaintext cannot be obtained by decrypting the ciphertext.

2. Unlike symmetric or asymmetric encryption, bcrypt verification neither decrypts the stored value nor simply compares it with a fresh encryption of the candidate. Instead, it takes the salt carried inside the stored ciphertext, hashes the candidate plaintext with that salt to produce another ciphertext, and compares the two; if they are identical, verification succeeds.

In summary, the Jenkins private user database protects passwords with jbcrypt. jbcrypt hashing is irreversible, and hashing the same plaintext twice generally gives different results.
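The following is an added example, not code from the original article or from the Jenkins project. It ties together the two points above: it reads the passwordHash value from a constructed, simplified config.xml fragment, strips the #jbcrypt header described in the source-code analysis, splits the remaining bcrypt string into its version, cost and salt fields, and verifies candidates exactly as the verification step describes, by recomputing rather than decrypting. It assumes jBCrypt (package org.mindrot.jbcrypt) is on the classpath; the class and method names, the user "alice" and the XML layout are all assumptions for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.mindrot.jbcrypt.BCrypt;

public class JenkinsPasswordHashCheck {
    // Header Jenkins prepends to the bcrypt string in passwordHash (the "salt:" part from the analysis above)
    static final String JBCRYPT_HEADER = "#jbcrypt:";

    /** Extracts the text of the passwordHash element from a users/<user>/config.xml document. */
    static String readPasswordHash(String configXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Disallow DOCTYPE declarations so a tampered file cannot trigger entity expansion
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(configXml)));
        return doc.getElementsByTagName("passwordHash").item(0).getTextContent().trim();
    }

    /** Removes the #jbcrypt: header, leaving the bcrypt string $2a$<cost>$<22-char salt><31-char hash>. */
    static String stripHeader(String stored) {
        if (!stored.startsWith(JBCRYPT_HEADER)) {
            throw new IllegalArgumentException("not a jbcrypt hash: " + stored);
        }
        return stored.substring(JBCRYPT_HEADER.length());
    }

    /** Verifies a login candidate against the stored value: the salt is read from the stored
     *  ciphertext, the candidate is hashed with it, and the two ciphertexts are compared. */
    static boolean verify(String candidate, String stored) {
        return BCrypt.checkpw(candidate, stripHeader(stored));
    }

    public static void main(String[] args) throws Exception {
        // Two hashes of the same password: different random salts, so different ciphertexts
        String hash1 = JBCRYPT_HEADER + BCrypt.hashpw("hunter2", BCrypt.gensalt(10));
        String hash2 = JBCRYPT_HEADER + BCrypt.hashpw("hunter2", BCrypt.gensalt(10));
        System.out.println("identical ciphertexts: " + hash1.equals(hash2));

        // Constructed, simplified config.xml fragment (real Jenkins files nest passwordHash deeper)
        String configXml = "<user><id>alice</id><passwordHash>" + hash1 + "</passwordHash></user>";
        String stored = readPasswordHash(configXml);

        // "$2a$10$<salt+hash>" splits into ["", "2a", "10", "<salt+hash>"]; the first 22 chars are the salt
        String[] parts = stripHeader(stored).split("\\$");
        System.out.println("version=" + parts[1] + " cost=" + parts[2] + " salt=" + parts[3].substring(0, 22));

        System.out.println("hunter2 verifies against hash1: " + verify("hunter2", stored));
        System.out.println("hunter3 verifies against hash1: " + verify("hunter3", stored));
        System.out.println("hunter2 verifies against hash2: " + verify("hunter2", hash2));
    }
}
```

Compile and run with the jBCrypt jar on the classpath. The salt printed from the stored value is what makes verification possible without decryption: BCrypt.checkpw re-derives the hash from the candidate plus that salt and cost, which is also why the two ciphertexts of "hunter2" differ yet both verify.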

From: http://my.oschina.net/donhui/blog/379925
