tempel's People

Contributors

ptaoussanis

Forkers

iarenaza

tempel's Issues

Inability to resolve parsed EDN symbol when upgrading to 1.0.0-beta1

Description

When upgrading to 1.0.0-beta1 (from 1.0.0-alpha1) I noticed that if I pass the JVM arg
-Dtaoesnsso.timbre.config.edn=some-symbol, some-symbol is not being evaluated.

Steps to reproduce

Gist
(it's a clj tools project)

OS/Java version

Description: Ubuntu 22.04.3 LTS
Release: 22.04

openjdk version "17" 2021-09-14
OpenJDK Runtime Environment Temurin-17+35 (build 17+35)
OpenJDK 64-Bit Server VM Temurin-17+35 (build 17+35, mixed mode, sharing)

Notes

If I do a diff on the dependency trees (alpha vs beta) I get:

< com.taoensso/tempel 1.0.0-alpha1
<   . com.taoensso/encore 3.74.0
<     . org.clojure/tools.reader 1.3.6
---
> com.taoensso/tempel 1.0.0-beta1
>   . com.taoensso/encore 3.76.0
>     . org.clojure/tools.reader 1.3.7

In encore between 3.74.0 and 3.76.0 I noticed this.

It looks like the feature that resolves EDN symbols was removed?

Is the feature deprecated or is there another way to achieve the same effect?

I didn't know if I should file this ticket here or not. Thanks!

Have you considered the OWASP recommendations for password storage?

Moving a question from @ieugen below:


A different question (maybe another issue?).
Have you considered the OWASP recommendations for password storage?
Would it make sense to have an opinionated module that users can use to get Tempel with pre-configured options following OWASP recommendations?

I know some people who do compliance find these certifications / recommendations very important.
I know they change over time, so adding the year in the name would make it easy to check and switch: :owasp-2024-xxx.

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#maximum-password-lengths

API for building PasswordEncoder?

Hello,

I'm implementing a pac4j integration for Ring.
One of the things I was looking at is providing a password encoder, and I thought I could do this with tempel.
However, there is no API to do this with tempel.
You have an API for encrypting data but not one for hashing the password, or at least I did not figure it out at first glance.

Does it make sense to have an API that allows users to plug in tempel with other tools to provide the same password encryption?

This is how the password encoder is used in pac4j https://www.pac4j.org/docs/authenticators.html#2-passwordencoder .

Thanks,
Eugen

How would tempel work with delegated authentication - OpenID Connect and MFA / OTP ?

Hi @ptaoussanis ,

I watched the demo https://www.youtube.com/watch?v=sULZVFhR848 and I quite like where the project is heading and that it provides a pretty good flow for solving common problems developers are facing when trying to adopt data encryption at rest.

I am curious how tempel would work with (more common, IMO) scenarios of third-party authentication systems, like OpenID Connect (SSO in general, social login).

I do imagine one option would be for users to setup a dedicated password for the keystore.
Other things that could be addressed in the docs / future demos would be how tempel will handle multi-factor authentication and WebAuthn or one-time password systems.

The way I think about it right now is that users set up a dedicated password for the keystore that they have to enter after login.
The password could perhaps be an OTP code (a PIN)?

An example flow of using tempel with OTP would be great as I believe it's a common use case.
As a side note, I am doing DevOps and working with these ~daily.
SSO is quite important for auth and I would not go forward without it.

I did not give these too much thought but from the video I believe you have given security and encryption quite some thought.
I hope you can share your ideas / examples around these subjects.

I am happy that I saw your demo now since I am working on a system where I need to store some JWT tokens encrypted at rest with the option of being able to decrypt them by admin.
I hope to get some time to work with tempel on that soon.

p.s. Thank you for writing tempel!

Thanks,
Eugen

Does it work with babashka?

Hi,

I was curious if there is a plan to have the library compatible with babashka.
I know @borkdude added some crypto stuff when I needed and it might be enough.

Encrypt keychain with public key

Hi there,

I was genuinely impressed with your introduction to this library, and now I'm experimenting with use cases to understand its functionality in practice better.

Currently, I'm mapping out the following architecture:

Organizations store sensitive data.
Organizations consist of users.
Users require access to all sensitive data, managed by the organization.

I've identified two potential solutions:

  1. Each user possesses their own keychain, and all data are encrypted with public keys specific to each organization user.
  2. All data are encrypted with a single keychain, and users are provided with a copy of this keychain, encrypted with their public keys.

The first approach should work well if data changes infrequently, but otherwise it would be expensive to encrypt the data with all the keys on every write.
However, if I anticipate frequent updates to the data, the second approach seems more suitable. All data is encrypted with one keychain, and each user reads it with their own copy of the same keychain. But I encountered a challenge with encrypting the keychain asymmetrically with the user's public key. To address this, I devised a solution where I encrypt an organization's keychain with a randomly generated key, then encrypt this random key with the user's public key, and share both with the user.

As I was outlining this, I realized that I could encrypt all data with random keys and then encrypt the keys for all users using their public keys. However, this approach resembles the second method I initially described.

Therefore, it would be beneficial if the keychain could also be encrypted with the public key.

And also it would be nice to have a multi-key encryption, that could make such cases much easier to solve without modelling the key sharing architecture manually.

Thank you for your contribution to data security. The situation is worsening these days, and initiatives like yours could help make the internet a safer place. Your efforts are truly invaluable.
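The second design in the post (one keychain for all data, with a copy of it wrapped to each user's public key), as an added example in Go that is not part of the post and not Tempel's code: AES-256-GCM for the records, RSA-OAEP for the per-user copies, and the rotation step a practitioner needs when a user is removed. The Org type, the function names and the OAEP label that binds each wrapped copy to a user id are this example's own choices, not requirements stated in the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Org is the post's second design: one shared data key (the "org keychain") for every
// record plus a per-user copy wrapped with RSA-OAEP under that user's public key.
type Org struct {
	DataKey []byte                    // AES-256 key for all org data; server-side only
	Users   map[string]*rsa.PublicKey // user id -> public key, kept for rotation
	Wrapped map[string][]byte         // user id -> DataKey wrapped to that user
}

func NewOrg() (*Org, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Org{DataKey: k, Users: map[string]*rsa.PublicKey{}, Wrapped: map[string][]byte{}}, nil
}

// newUserKey stands in for a user's own keypair (generated client-side in practice).
func newUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// AddUser grants access by wrapping the current data key to userID's public key; no record is
// touched. The OAEP label binds the copy to that user id, so it cannot be quietly re-attributed.
func (o *Org) AddUser(userID string, pub *rsa.PublicKey) error {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, o.DataKey, []byte("org-data-key:"+userID))
	if err != nil {
		return err
	}
	o.Users[userID], o.Wrapped[userID] = pub, w
	return nil
}

// Unwrap is the client-side step: recover the data key with the user's private key.
func Unwrap(userID string, priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("org-data-key:"+userID))
}

// RemoveUser drops userID and rotates the data key for everyone left. The removed user may have
// cached the old key, so revocation covers only records sealed after rotation; older ones must be re-encrypted.
func (o *Org) RemoveUser(userID string) error {
	delete(o.Users, userID)
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	o.DataKey, o.Wrapped = k, map[string][]byte{}
	for id, pub := range o.Users {
		if err := o.AddUser(id, pub); err != nil {
			return err
		}
	}
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM as nonce || ciphertext || tag. aad (e.g. the record id)
// is authenticated, not encrypted, so a ciphertext cannot be moved to another record unnoticed.
// Random 96-bit nonces require rotating the key well before 2^32 records.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or aad is rejected.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}
```

Wrapped is the multi-key envelope the post asks for: adding a user costs one OAEP operation and rewrites no record. Removing one is the expensive direction, because the old key has to be assumed known to them; RemoveUser rotates the key for the remaining users, and anything sealed before that point either gets re-encrypted under the new key or stays readable to the removed user.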

Quantum-safe example

If any post-quantum crypto key exchange algorithms are supported by tempel, I'd love to see some examples how to use them.

Tempel v1.0.0 final

  • Update deps
  • Add MFA stuff?
  • Add extra reserve layer to data formats?
  • Extend docs re: OpenID, OWASP, etc.

Add support for ChaCha20-Poly1305 AEAD

Support for ChaCha20-Poly1305 was added in JDK 11 in 2018 (https://openjdk.org/jeps/329). It's a very popular alternative to AES-GCM, due to its performance [1] and the fact that it's used in a lot of network security protocols and tools [2].

[1] Faster than AES-GCM without hardware AES acceleration, and similar or better performance on multi-core machines even with AES hardware acceleration; see https://en.wikipedia.org/wiki/ChaCha20-Poly1305#Performance
[2] IPsec, TLS 1.2, DTLS 1.2, TLS 1.3, WireGuard, OTRv4 and multiple other protocols (according to https://en.wikipedia.org/wiki/ChaCha20-Poly1305#Use)

Discuss: Support for automated decrypt / remote unlock for apps - clevis / tang ?

This might be in a companion library but Clevis and Tang implement a protocol for automated decryption (remote unlock).

It might be useful for tempel to support at least the client part if not more.

Clevis and Tang provide a way for a system to decrypt secrets if it's in a specific network or has access to TPM.
Seemed quite ingenious to me and worth mentioning in the context of tempel.

Might be useful for starting an application that needs to decrypt a bunch of service (the admin) credentials without requiring user input.

https://github.com/latchset/clevis
https://github.com/latchset/tang
