2 Secure Coding Guidelines for STAP
Learn how the Secure-Text Encryption Tool employs AES-192 for encrypting, decrypting, and creating unique keys and Initialization Vectors (IVs) for each operation in Oracle Communications Solution Test Automation Platform (STAP).
Secure Plain Passwords in Configuration Files
Secure Text Encryption Tool is a secure data encryption utility that uses the Advanced Encryption Standard (AES) algorithm with a 192-bit key length to encrypt and decrypt data. It generates a random secret key and IV for each encryption operation, ensuring that the encrypted data is unique and secure. For the decryption operation, the same secret key is used and the IV is extracted from the encrypted text.
Technical Details
- Encryption Algorithm: AES (Rijndael)
- Key Size: 192-bit
- Mode of Operation: CBC (Cipher Block Chaining)
- IV: A random IV is generated and prepended to the encrypted data. The IV must be used during decryption alongside the secret key.
Generating a Secret Key Using keytool
keytool -genseckey -keystore "filename.jceks" -storetype jceks storepassPhrase -keyalg AES -keysize 192 -alias aliasNamewhere:
- filename is file name for your keystore.
- storepassPhrase, if included, is the phrase to access the
keystore password. The format for this can be either of the following:
- -storepass:env envVar (with envVar being the name of an environment variable that contains the keystore password)
- -storepass:file pwFile (with pwFile being the name of a file that contains the keystore password)
If you do not include this phrase, you will be prompted for the keystore password.
- aliasName is the name of the alias for the secret.
This command generates a 192-bit AES secret key and stores it in a JCE keystore file called keys.jceks.
You can read the JCEKS keys from your keystore using the following command:
keytool -list -keystore "filename.jceks" -storetype jceks storepassPhrase - The tool generates a random 192-bit AES secret key and a random IV.
- The plaintext data is encrypted using the AES algorithm with the generated secret key and IV.
- The encrypted data is prepended with the IV, forming the final encrypted output.
- The IV is extracted from the beginning of the encrypted data.
- The remaining ciphertext is decrypted using the AES algorithm with the provided secret key and the extracted IV.
- The decrypted plaintext data is returned.
Using the security key password
The tool allows you to encrypt sensitive data within a properties file using the AES encryption algorithm. Here's a breakdown of the process:
1. Set the command line arguments:
- .properties filepath: Path to the properties file containing data to be encrypted.
- .jceks filepath: Path to the Java Key Store (JCEKS) file used to store the secret key.
- Keystore Password: Password to access the JCEKS keystore.
- Alias Name: The alias name within the JCEKS keystore that identifies the secret key.
2. Property Identification:
The tool scans the specified properties file for entries where the value equals "${SECURE_PASSWORD}". This indicates properties containing sensitive data.
3. User Interaction:
For each identified property, you are prompted to enter a new password.
4. Encrypt and Update:
- The new password is encrypted using the generated secret key.
- The value of the identified property is replaced with the following
format:
${SECURE_TEXT("new-password")}
The original properties file is updated with the new placeholders indicating encrypted data.
Note:
This approach stores the encrypted passwords within the JCEKS keystore, requiring the keystore and password for decryption. Ensure the JCEKS keystore is protected with a strong password and stored securely.Security Considerations
- Key Management: It is crucial to keep the secret key secure and protect it from unauthorized access. The security of the encrypted data relies entirely on the confidentiality of the secret key.
- IV: The IV is not a secret value and should be shared along with the encrypted data for successful decryption. Therefore, it is prepended to the encrypted data during the encryption process.
Secure Passwords in Configuration (Environment) Files
To secure sensitive data like passwords and OAuth credentials within your application's environment configuration files:
- Generate a secret key by running the
following:
keytool -genseckey -keystore "filename.jceks" -storetype jceks storepassPhrase -keyalg AES -keysize 192 -alias aliasNamewhere:- filename is file name for your keystore.
- storepassPhrase, if included, is the phrase to
access the keystore password. The format for this can be either of the
following:
- -storepass:env envVar (with envVar being the name of an environment variable that contains the keystore password)
- -storepass:file pwFile (with pwFile being the name of the file that contains the keystore password)
If you do not include this phrase, you will be prompted for the keystore password.
- aliasName is the name of the alias for the secret.
This command generates a 192-bit AES secret key and stores it in a JCE keystore file called keys.jceks.
- You can read the JCEKS keys from your keystore using the following command:
keytool -list -keystore "filename.jceks" -storetype jceks storepassPhrase - Run the encryption tool by running the following
command:
./gradlew encryptPasswords -PtaasArgs="['file-path','keyfile-path','keystore-pass','alias-name']"Where:- file-path is the path to your
.propertiesfile containing the data to be encrypted. -
keyfile-path the path to the JCEKS file
(
filename.jceks) storing the secret key. - keystore-pass is the keystore password.
- alias-name is the alias name identifying the secret key.
- file-path is the path to your
- Enter your new password.
For each
${SECURE_PASSWORD}entry, you will be asked to enter a new password. - Encrypt and update your password.
- The tool encrypts the new password using the secret key.
- It replaces the original
${SECURE_PASSWORD}entry with${SECURE_TEXT("new-password")}.
Your original properties file is updated with encrypted passwords.