How does Maven 3 password encryption work?

Thread starter: aaronsnoswell (Guest)
I'm trying to understand Maven 3's password encryption feature. I have found that this feature is poorly documented and confusing. For example, the feature documentation (https://maven.apache.org/guides/mini/guide-encryption.html) and a blog post by the author of the feature (http://blog.sonatype.com/2009/10/maven-tips-and-tricks-encrypting-passwords/) contradict each other about several points.

This question is broader than "How does maven --encrypt-master-password work" (https://stackoverflow.com/questions/15789984/how-does-mvn-encrypt-master-password-password-work) and is not covered by "Maven encrypt-master-password good practice for choosing password" (https://stackoverflow.com/questions...word-good-practice-for-choosing-password?lq=1).

Specifically, I am trying to answer the following questions which are not covered by the documentation. I've put what information I have been able to gather so far below each question in italics.

  1. Does the encrypted master password provide security simply by existing in settings-security.xml in a folder that only one user can access (~/.m2)? If so, why bother with encrypting a 'master password' (why not just use some random value)? Isn't the 'master password' really just an entropy input to the cryptographic function? Calling it a password is confusing - I expected Maven to prompt me for this password before decrypting any encrypted server passwords, but it did not.

My understanding is that yes, this only provides security by existing in an operating-system protected file. I believe Maven allows you to encrypt a master password so that if you lose the settings-security.xml file you can re-generate it. Is this correct?

  2. Do the master password and server passwords use the same encryption process/cipher? The server passwords are based on the master password, so there must be some difference in the algorithm. Where is the source code for this located?

Marcelo Morales' answer on "How does maven --encrypt-master-password work" (https://stackoverflow.com/a/15792131/885287) links to the plexus-cipher project on GitHub (https://github.com/sonatype/plexus-cipher). It isn't clear if that is just the cipher, or the actual Maven plugin that provides the password functionality though.

  3. I have observed that the same master password or server password encrypted multiple times gives different hashes. According to Marcelo Morales' answer on "How does maven --encrypt-master-password work" (https://stackoverflow.com/a/15792131/885287), this is because 'a JVM-configuration-specific (usually SHA1PRNG) 64-bit random salt' is added to the password prior to encrypting. Maven decrypts stored passwords when they are used at compile time. Doesn't this mean the salts have to be stored somewhere?

I have no idea.

  4. I have also observed that a regular password encrypted using one encrypted master password will still work if the master password is re-encrypted and stored in the settings-security.xml file, even though the encrypted master password ciphertext is now different. Can someone explain how this works?

I have no idea. This seems to me like Maven is doing something fishy or storing cleartext somewhere.

  5. My understanding is that the encrypted passwords can only be used with <server /> tags in the settings.xml file. Is this true? Where can servers defined in settings.xml be used?

My understanding is that <server /> definitions can be used in <repositories /> and <distributionManagement />, but not <scm />. Can someone verify this?

  6. For such a critical feature (build system security) it seems to me that there is a lot of confusion and poor documentation. Can someone point out how the documentation on the Maven 3 website works? Is there a wiki link somewhere that would allow me to try and improve the documentation at all?

I have no idea.

Sorry for the wall of text, and thanks for any answers.
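Questions 3 and 4 above come down to one mechanism: the random salt is stored inside the encrypted token itself, and server passwords are encrypted under the master password's plaintext, not under its ciphertext, so re-encrypting the master password with a fresh salt changes the token in settings-security.xml without changing the key that the server entries depend on. The Go program below is an added illustration of that layering; it is not plexus-cipher's or Maven's own code. It simplifies the real scheme (a single SHA-256 derivation of key and IV, AES-CTR, no integrity check), and the BuiltinMasterKey constant, the function names and the sample passwords are assumptions made for this example only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// BuiltinMasterKey stands in for the fixed, built-in string under which the
// master password itself is encrypted. Assumed value for this example.
const BuiltinMasterKey = "settings.security"

// saltSize is the number of random bytes stored in front of each ciphertext.
const saltSize = 8

// deriveKeyIV hashes password and salt together into an AES-128 key and a
// CTR IV. Simplified model: one SHA-256 call, no iteration count.
func deriveKeyIV(password string, salt []byte) (key, iv []byte) {
	h := sha256.New()
	h.Write([]byte(password))
	h.Write(salt)
	sum := h.Sum(nil) // 32 bytes: first 16 are the key, last 16 the IV
	return sum[:16], sum[16:]
}

// Encrypt encrypts plain under password with a fresh random salt and returns
// a Maven-style token "{base64(salt || ciphertext)}". Because the salt is
// random, encrypting the same plaintext twice yields two different tokens.
func Encrypt(plain, password string) (string, error) {
	salt := make([]byte, saltSize)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key, iv := deriveKeyIV(password, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, []byte(plain))
	out := append(salt, ct...) // salt travels with the ciphertext
	return "{" + base64.StdEncoding.EncodeToString(out) + "}", nil
}

// Decrypt reverses Encrypt. The salt is read back out of the token, which is
// why nothing beyond the token itself has to be stored anywhere.
func Decrypt(token, password string) (string, error) {
	if !strings.HasPrefix(token, "{") || !strings.HasSuffix(token, "}") {
		return "", errors.New("token is not wrapped in braces")
	}
	raw, err := base64.StdEncoding.DecodeString(token[1 : len(token)-1])
	if err != nil {
		return "", err
	}
	if len(raw) < saltSize {
		return "", errors.New("token too short to contain a salt")
	}
	salt, ct := raw[:saltSize], raw[saltSize:]
	key, iv := deriveKeyIV(password, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return string(pt), nil
}

// ResolveServerPassword models what a build does at run time: recover the
// plaintext master password from settings-security.xml, then use that
// plaintext (never its ciphertext) as the password for the server entry.
func ResolveServerPassword(encryptedServer, encryptedMaster string) (string, error) {
	master, err := Decrypt(encryptedMaster, BuiltinMasterKey)
	if err != nil {
		return "", err
	}
	return Decrypt(encryptedServer, master)
}

func main() {
	master := "correct horse battery staple" // constructed sample master password
	encMaster1, _ := Encrypt(master, BuiltinMasterKey)
	encMaster2, _ := Encrypt(master, BuiltinMasterKey) // "re-encrypted" later
	fmt.Println("master tokens differ:", encMaster1 != encMaster2)

	encServer, _ := Encrypt("deploy-s3cret", master) // constructed server password
	for _, em := range []string{encMaster1, encMaster2} {
		pw, err := ResolveServerPassword(encServer, em)
		fmt.Printf("server password via %s -> %q (err=%v)\n", em, pw, err)
	}
}
```

Each run prints two different master tokens and the same recovered server password for both, which is the behaviour described in question 4. The layering also makes the point behind question 1 concrete: anyone who can read both settings-security.xml and settings.xml has everything ResolveServerPassword needs, so the permissions on those files are the real security boundary, and the "password" is effectively a stored secret rather than something the user is asked for. This model carries no integrity check, so a wrong master password produces garbage rather than an error; it is meant to show the layering of secrets, not to serve as a cipher.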