Safely store credentials for later use


#1

Hi, I’m trying to store user credentials somehow to use them later for auto-login into another site, with a custom app on OC10.
BTW, users log in to OC with an IMAP backend.

I thought of, on OC post_login, saving a pair of keys in the server’s user session, encrypting the credentials and sending the encryption as a cookie. So when the user goes to the app, I read the cookie, decrypt it with the key in the server’s user session and auto-login.

After this, I saw there’s ICredentialsManager, but I wonder whether that’s a secure approach. I would store the credentials and retrieve them when the user goes to the app for auto-login.
My concern is that if the server gets compromised, the DB has the encryption, and the secret (config.php), so the credentials are exposed.

So, what if instead of using the ‘secret’ to encrypt, I use OC token or another random passphrase and save it to a cookie?
This way, credentials in the DB are useless for an attacker because they don’t know the user’s passphrase.

What do you think?
Thanks!


#2

The ICredentialsManager is intended to be used for storing credentials, but it can be used to store almost any information. If you don’t want to store the username + password there, you can store the location where the credentials are, the cookie / token / secret to access the location, the algorithm to be used to decrypt the contents, and anything else you need. You can also store encrypted information from other places. Obviously, this extra handling will have to be done by you on your own.

In any case, you’ll need to draw the line somewhere. If you think about public key algorithms, for example, I’m pretty sure all of them assume that the private key is always unknown to the attacker. If this assumption isn’t correct, no public key algorithm will ensure you anything.

> My concern is that if the server gets compromised, the DB has the encryption, and the secret (config.php), so the credentials are exposed.

Maybe you should also consider additional measures to ensure this won’t happen: Which users can access the server? Which privileges do those users have (can those users read the ownCloud code or the config.php file)? What ports are open, and how could anyone (authenticated or not) access the server? Is there any known vulnerability in the product that anyone could exploit?
Note that you should think about the same not just for ownCloud, but for any service you use.

I’m not a security expert, so pick the information you want knowing that I might be wrong.


#3

Thanks for the feedback, and for clarifying the ICredentialsManager's purpose. I think I’ll go with the session storing approach, since it’s not necessary for the credentials to be stored permanently.
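
The approach from post #1 that the thread settles on (key in the server-side session, ciphertext in a cookie), as an added example that is not part of the thread and not ownCloud code. It assumes PHP with the sodium extension; the function names, the `cred_key` session entry and the sample values are hypothetical, and a plain array stands in for the user session.

```php
<?php
// Added example, not ownCloud code. Function names and session keys are
// hypothetical; plain arrays stand in for the server-side user session.

// Call at post_login: the key stays in the session, the return value is the cookie.
function sealCredentials(array &$session, string $user, string $password): string
{
    $key   = sodium_crypto_secretbox_keygen();              // fresh random key per login
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode(['u' => $user, 'p' => $password]);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key); // encrypts and authenticates
    $session['cred_key'] = base64_encode($key);
    sodium_memzero($plain);                                 // wipe the plaintext copy
    return base64_encode($nonce . $box);
}

// Call when the user opens the app: returns [user, password], or null on any failure.
function openCredentials(array $session, ?string $cookie): ?array
{
    if ($cookie === null || !isset($session['cred_key'])) {
        return null;                                        // logged out or session expired
    }
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;                                        // malformed cookie
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = base64_decode($session['cred_key'], true);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;                                        // tampered cookie or wrong key
    }
    $c = json_decode($plain, true);
    return is_array($c) && isset($c['u'], $c['p']) ? [$c['u'], $c['p']] : null;
}

// Constructed sample values, run from the CLI.
$session = [];
$cookie  = sealCredentials($session, 'alice@example.org', 'constructed-password');
var_dump(openCredentials($session, $cookie));               // cookie with its own session
var_dump(openCredentials([], $cookie));                     // cookie without the session key
$bad     = $cookie;
$bad[5]  = $bad[5] === 'A' ? 'B' : 'A';                     // one character flipped
var_dump(openCredentials($session, $bad));                  // altered cookie
```

When the value is sent to the browser, set the cookie with the Secure, HttpOnly and SameSite attributes. Nothing is written to the database in this scheme, and the key disappears when the session ends.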