magistrala icon indicating copy to clipboard operation
magistrala copied to clipboard

Published 20 hours ago verified publisher icon absmach

Keep hashed things tokens in the database

Open ghost opened this issue 5 years ago • 15 comments

FEATURE REQUEST

Things tokens are stored in a plaintext format in the things db. Anyone with the read access to the database can see them. I think they should be stored in a hashed format.

From security perspective, I think that this is a must have feature

ghost avatar Oct 23 '18 12:10 ghost

In order for this to happen, there are following things that need to be changed:

  1. the API should return the token upon thing creation
  2. the token should be hashed and stored in the db
  3. auth should be updated so it compares hashes
  4. there should be a way to reset the token in case it's lost of compromised

ghost avatar Oct 23 '18 13:10 ghost

Hashing is one way encryption function that cannot be easily reversed. This is in contradiction with current API which can return plain thing key anytime. IMO we have two options:

  1. Change API and return plain key only when creating thing.
  2. Keep current API and use some other kind of encryption function that can be reversed only on client side.

I would like to hear other opinions regarding this @mainflux/contributors.

anovakovic01 avatar Jan 14 '19 13:01 anovakovic01

Find appropriate solution with Vault (or similar) - it's a storage for keys and secrets.

drasko avatar Jan 14 '19 17:01 drasko

@drasko I like this idea of using Vault too.

anovakovic01 avatar Jan 15 '19 11:01 anovakovic01

Needs more research and brainstorming, moving for 0.9

nmarcetic avatar Jan 28 '19 10:01 nmarcetic

Apart from this - I think we should separate thing token from thingID, and really have an independant pair. This would allow then for users to provide us their Passwords (or tokens) for things.

I am saying this in light of the MQTT protocol, which indeed has an independent Username and Password - while in our case token contains thingID inside as well, as it uniquelly represents Thing.

drasko avatar Sep 25 '19 20:09 drasko

  1. thing token is a separate piece of info (it has nothing to do with thing ID). Our token doesn't have thing ID info inside of it,
  2. AFAIK user can already set thing token on his own.

anovakovic01 avatar Sep 25 '19 20:09 anovakovic01

OK, then I guess it is just for us to decide do we encrypt, or we let user give us his key.

I am more for the approach where we ecrypt, especially for the reasons that this way encryption key does not have to travel.

So I would say that this issue would then consider:

  • How do we change an API to use one pre-defined (our) key for encryption in the DB
  • How do we store this key (as this is a deployments issue, we can stop at reccomendations, we do not necesary have to do an implementation with Vault. Also - this key can be maybe stored in binary).

drasko avatar Sep 25 '19 20:09 drasko

I did something similar to this, do we want to encrypt or just hash? Would we need to retrieve that or just validate the hash?

lpegoraro avatar Jul 12 '22 14:07 lpegoraro

At this moment, I think we should encrypt, as I would expect that someone forgot/lost token written in the device flash and wants to retrieve it.

If we just hash, then all we can do is reset, but this might be complicated for devices in the field - they would have to be re-flashed.

But I might be wrong, and hash with reset might be the correct procedure. The rationale for this might be that if device "forgot" its token - there is something already wrong with the device's flash or firmware...

@dborovcanin @nmarcetic what would be your opinions here?

drasko avatar Jul 12 '22 14:07 drasko

When you guys figure that out, let me know, I will have some time probably next week and I could work on this.

lpegoraro avatar Jul 13 '22 20:07 lpegoraro

@lpegoraro great, it would be highly appreciated. We'll let you know very soon.

drasko avatar Jul 13 '22 23:07 drasko