SessionKeyServer
Simple implementation of a session key server. Contribute to s-u/SessionKeyServer development by creating an account on GitHub. This is an implementation of a simple web-service that generates and stores session keys/tokens. The current implementation is written in Java. The session key is the lowest layer in the encryption key hierarchy. When Veeam Backup & Replication encrypts data, it first encodes every data block in a file with a session key. For session keys, Veeam Backup & Replication uses the AES algorithm with a 256-bit key length in the CBC-mode. Veeam Backup & Replication generates a new session key for every job session. Some sources says that the web browser generates the session key. Now if the web browser generates it then its vulnerable for replay attacks. Also some sources says that the server generates a part of it and the rest the client generates.
This is an implementation of a simple web-service that generates andstores session keys/tokens. The current implementation is written inJava.
By default the server listens on port 4431 and binds on
*
If no database is specified, keys will be only kept in memory andthus lost when the process dies.The default authentication module is PAM and it can be changed using the
-default
parameter.The -pam-app
option can be used to override the application to report to PAM when authenticating,the default is to use the realm supplied in the request, but sometimes app-based authentication is notconfigured in the system and -pam-app login
is a viable fall back to login authentication.Any module other than PAM is routed to JAAS. If JAAS is used, it is possible to set necessaryproperties either via Java's
-D
on invocation or there are two convenience options -jaas
forjava.security.auth.login.config
and -krb5conf
for java.security.krb5.conf
.Supported requests:
Response:
text/plain
Who Generates A Session Key In C
<result>
is one of NO, YES or SUPERCEDED:NO
invalid (no further content added)YES
valid and verified, user ID (attuid) is providedSUPERCEDED
the token used to be valid, but it has been superceded bya new token, user ID (attuid) is also supplied<user>
is the user id supplied by the source<source>
is the source that provided the authentication (i.e. themethod)Response:
text/plain
<result>
is one of:OK
token revoked successfullyINVALID
token is invalidWho Generates A Session Key In Computer
Note that it is legal to revoke a superceded token.
Response:
text/plain
Replaces a given token (if valid) by a newly generated token. Thesupplied token becomes invalid and only the new token is valid.The request fails with 403 error code if the supplied token is notvalid.
Response:
text/plain
Requests authentication using the module specified or if not specifiedwhatever module is configured to be the default module on the server.For
/auth_token
requests the source is defined as auth/<module>
.Note that requesting a new token in the same realm for the same userwill supercede all previous tokens.
The
<realm>
is mandatory for all requests and can be an arbitrarystring that identifies the realm in which this token will be valid.TLS/SSL mode
When
-tls
is specified on the command line it must point to a validJava key store file which will be used to load the private key andcertificate(s) for the secure HTTP server (aka HTTPS). The keys andkeystore password is set by default to 'SessionKeyServer'
, but canalso be specified via the -P
option or entered at the command lineif -PP
(password prompt) is specified. Obviously, if either thedefault password or -P
is used the key security is left to thefilesystem and the password does not provide additional protection.Alternatively -PF
allows the password to be read from a file in a keytab fashionwhich then needs to be protected by 400 or 600.If you have existing PEM key and certificate (e.g. for use in Rserve),you can create Java keystore out of it via PKCS12 bundle asfollows. First, concatenate any intermediate certificates into onefile - from the server cert to the root cert, e.g.:
Then create PKCS12 bundle:
Use
SessionKeyServer
as the password (unless you want to enter it byhand at each start). Then create a keystore out of that:Make sure you use the same password you used for the key. When done,make sure you adjust the permissions such that only the user runningSKS can read the keystore (and remote the intermediate pkcs12file). Now you can use
-tls keystore
option to run theSessionKeyServer in TLS/SSL mode.Implementation details
Those details may change at any time, they are not guaranteed. Thecurrent implementation uses SHA-1 hashes for tokens and internalrepresentation of realms. The token is a hash of a random UUID and thedecoded ESSec string.