Hardening KeyMaster security

Until you have hardened KeyMaster security (see the information below), it should not be used in a production environment. This information applies to Java-based KeyMaster and to KeyMaster.NET.

KeyMaster.NET

To make KeyMaster.NET production ready, configure the web application server so that access to the ASP.NET pages requires authentication.

Java-based KeyMaster

To make Java-based KeyMaster production ready:

  • You must configure the web application server to which you have deployed KeyMaster, so that access to the KeyMaster servlets requires authentication. See the Server configuration examples for configuring the Java Authentication, also see here for information on validating the server config. The correct way to ensure secure access to the KeyMaster servlets will vary depending on your web application server. Consult your server documentation for further information.

  • For all Java-based KeyMaster, you must ensure that the private key file defined within the parameter caplin.keymaster.privatekey.filename (6.2.0 onwards) or encrypting.generator.private.key.store.filename (pre- 6.2.0) is only accessible to persons and processes trusted to create users with permission to log into the Liberator. The private key file should otherwise remain undisclosed to anyone unauthorised to access it.

  • For older versions of KeyMaster (pre- 6.2.0) - From the example servlets provided with the KeyMaster API, the UnsecureUrlParameterCredentialsProvider class should never be used outside of development or in a production environment for authentication testing. For production, it is recommended that you use the UserCredentialsProvider class as a basis (which you may extend) to securely provide the username when writing your own KeyMaster implementation. Also, any information provided using JNDI needs to be accessible to the servlet once deployed. For example, here is a location of the keystore relative to the web app root:

    caplin.keymaster.encrypting.generator.private.key.store.filename

    and here’s the id that you would provide when you generate the keystore:

    caplin.keymaster.encrypting.generator.key.identifier.
    Consult your Java web container documentation for information on how to configure JNDI parameters. Any provided JNDI parameters that are not going to change should be hardcoded in the servlet.

Configure Encryption Software

MD5 limitations: Since KeyMaster was first released, the cryptographic community have found that the MD5 algorithm can produce hash collisions. This potentially compromises the algorithm. The KeyMaster Java servlet implements the SHA256 signature algorithm by default. Therefore you do not need to configure or modify the algorithm.

If you need to make changes to the encryption software, you may find the information below useful:

  • The Key Generator generates a key pair using a Java Cryptography Extension (JCE) provider and the RSA key pair generation algorithm.

  • Digital signatures are generated using a Java Cryptography Architecture algorithm.


See also: