RFC-18: Encryption of passwords in mapfiles
Daniel Morissette
dmorissette at MAPGEARS.COM
Tue May 30 11:55:48 EDT 2006
Stephen Woodbridge wrote:
>
> So just to be clear on my understanding of this, anyone that can get
> TEA, read the mykey.txt file and write a trivial program can decrypt the
> password. If mykey.txt is in the mapfile then I'm mostly home free, if I
> can install a trivial php script that can read MS_ENCRYPTION_KEY then I
> can open the file and read the contents and I can also probably read the
> mapfile and read its contents and then decrypt it online or offline.
>
> The problem with this is that there is no real way to secure mykey.txt
> because it has to be readable by the webserver process so anyone that
> can add a php script can access it.
>
> I can't think of a better way to do this, but I think it should be made
> VERY clear in the documentation that this is just simple obfuscation and
> is by NO means secure and that users should NOT place VALUABLE passwords
> in mapfiles encrypted or not.
>
You're correct, this only provides obfuscation as far as people with
access to the server are concerned, but obfuscation can be better than
plain text in some cases as long as admins are well aware that this is
not highly secure. We all had the same initial reaction as you on that
front, including myself, and I just added a note about this concern at
the end of the RFC.

Note that one of the real benefits of this is that it protects the
passwords in backups (as long as the key is not included in the backup),
when transferring the mapfile over insecure media, and prevents plain
text passwords from showing up in error messages or log files (not sure
if any password was ever exposed this way though).

BTW, bug 1792 has been created for this RFC:
http://mapserver.gis.umn.edu/bugs/show_bug.cgi?id=1792

Daniel
--
Daniel Morissette
http://www.mapgears.com/
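
Added example, not part of the original message and not MapServer code: a Python check for the two conditions discussed above, that the key file stays out of the backed-up directories and is not world-readable. The `CONFIG "MS_ENCRYPTION_KEY"` mapfile syntax, the function names, the use of absolute key paths and the sample layout are assumptions.

```python
import os
import re
import stat

# Assumed mapfile syntax for naming the key file: CONFIG "MS_ENCRYPTION_KEY" "<path>"
KEY_RE = re.compile(
    r'CONFIG\s+["\']MS_ENCRYPTION_KEY["\']\s+["\']([^"\']+)["\']', re.IGNORECASE)

def key_path(mapfile_text, env):
    """Key file path from the mapfile, falling back to the environment variable."""
    m = KEY_RE.search(mapfile_text)
    return m.group(1) if m else env.get("MS_ENCRYPTION_KEY")

def audit_key(mapfile_text, backup_roots, env=os.environ):
    """Return findings about where the key file lives and who can read it."""
    path = key_path(mapfile_text, env)
    if not path:
        return ["no key file configured"]
    real = os.path.realpath(path)
    findings = []
    for root in backup_roots:
        root_real = os.path.realpath(root)
        # A key stored under a backed-up directory travels with the mapfile.
        if os.path.commonpath([real, root_real]) == root_real:
            findings.append("key file is inside backup root " + root)
    try:
        mode = os.stat(real).st_mode
    except OSError:
        return findings + ["key file not found"]
    if mode & stat.S_IROTH:
        findings.append("key file is world-readable")
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed layout: a mapfile directory that is backed up, with the key beside it.
    with tempfile.TemporaryDirectory() as tmp:
        maps = os.path.join(tmp, "maps")
        os.mkdir(maps)
        key = os.path.join(maps, "mykey.txt")
        with open(key, "w") as f:
            f.write("constructed-key\n")
        os.chmod(key, 0o644)
        mapfile = 'MAP\n  CONFIG "MS_ENCRYPTION_KEY" "%s"\nEND\n' % key
        for finding in audit_key(mapfile, [maps]):
            print(finding)
```

An empty result means neither condition was found; it does not change the fact that the web server account itself must be able to read the key.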