如何使用 JNDI 和 Digest-MD5 对 LDAP 进行身份验证

2022-01-17 00:00:00 encryption md5 ldap java jndi

我正在尝试使用 DIGEST-MD5 加密对我的 LDAP 服务器进行身份验证.虽然使用简单加密它工作得很好,但由于显而易见的原因,我不能通过网络以纯文本形式发送密码.奇怪的是,在使用 Softerra LDAP 浏览器时,我可以使用 Digest-MD5 连接到服务器,但是通过我的代码,我收到了一系列错误.

I'm trying to authenticate to my LDAP server using DIGEST-MD5 encryption. While using Simple encryption it works just fine, but I can't have the password sent over the network in plain-text, for obvious reasons. The strange thing is that while using Softerra LDAP Browser I can connect to the server using Digest-MD5, but through my Code I receive a range of errors.

这是我的 LDAP 身份验证类中的一段代码,我在其中尝试在创建初始上下文之前设置安全身份验证等.

Here is a snippet of code from my LDAP authentication class where I try to set the security authentication etc before creating the initial context.

Hashtable env = new Hashtable(11);
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, username);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.PROVIDER_URL, ldapURI);
env.put(Context.INITIAL_CONTEXT_FACTORY, context);
env.put("com.sun.jndi.ldap.trace.ber", System.out);
try{
    DirContext ctx = new InitialLdapContext(env,null);
} Catch (NamingException e){
    e.printStackTrace();
}

推荐答案

我的回复并没有回答你的问题,而是纠正一个误解:在 BIND 请求中使用 SASL DIGEST-MD5 机制需要目录服务器有权访问用户的密码.为了让目录服务器能够访问密码,密码必须以明文形式存储或使用可逆密码方案进行加密.可逆密码方案本质上不如加盐 SHA 散列安全,特别是带有长摘要的加盐 SHA-2 散列.因此,使用带有 DIGEST-MD5 的 SASL 不如在安全连接上使用简单的 BIND 请求安全,其中安全连接是从一开始就通过 SSL 加密的连接,或者将非安全连接提升为与StartTLS 扩展操作,安全性低于 SASL EXTERNAL 机制或 Kerberos.

My response does not answer your question, but rather corrects a misunderstanding: using the SASL DIGEST-MD5 mechanism in a BIND request requires that the directory server have access to the password of the user. For the directory server to have access to the password, the password must be stored in clear text or be encrypted with a reversible password scheme. Reversible password schemes are inherently less secure than the salted SHA hash, particularly a salted SHA-2 hash with a long digest. As a result, using SASL with DIGEST-MD5 is less secure than using a simple BIND request over a secure connection, where a secure connection is a connection encrypted from the beginning via SSL or a non-secure connection promoted to a secure connection with the StartTLS extended operation, and less secure than the SASL EXTERNAL mechanism or Kerberos.

误解是以纯文本形式通过网络发送的密码"这一概念并不安全,而事实上,使用加盐 SHA-2 哈希将密码存储在目录服务器中(现代专业质量的目录服务器具有能够使用具有长摘要长度的加盐 SHA-2 哈希)并通过安全连接传输明文密码比让目录服务器以明文或可逆加密方案存储密码更安全.因此,应避免使用 DIGEST-MD5 的 SASL.具有 EXTERNAL 机制的 SASL,其中服务器从加密会话建立期间提供的证书中提取身份验证信息是一个更好的选择.Kerberos 也是一个更好的选择.网络上的纯文本也更安全如果服务器在使用加盐 SHA 算法对密码进行哈希处理后存储密码.

The misunderstanding is the notion "password sent over the network in plain-text" is not secure, when in fact, storing the password in the directory server using a salted SHA-2 hash (modern professional-quality directory servers have the capability to use salted SHA-2 hashes with long digest lengths) and transmitting the clear text password over a secure connection is more secure than having the directory server store the password in clear text or in a reversible encryption scheme. Therefore, SASL with DIGEST-MD5 should be avoided. SASL with the EXTERNAL mechanism where the server extracts the authentication information from the certificate presented during the establishment of the encrypted session is a better alternative. Kerberos is also a better alternative. Plain-text over the network is also more secure if the server is storing the passwords after hashing them with a salted SHA algorithm.

如果将 SASL 与 DIGEST-MD5 一起使用绝对至关重要,则应将目录服务器配置为使用可用的最强加密方案加密密码,除非我弄错了,否则它是 AES.专业品质的服务器可以使用 AES 加密密码.

If it is absolutely vital to use SASL with DIGEST-MD5, the directory server should be configured to encrypt the passwords with the strongest encryption scheme available, which unless I am mistaken, is AES. Professional-quality servers can encrypt passwords using AES.

相关文章