cassandra-commits mailing list archives

From "Sam Tunnicliffe (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-13626) Check hashed password matches expected bcrypt hash format before checking
Date Wed, 30 Aug 2017 09:54:00 GMT


Sam Tunnicliffe commented on CASSANDRA-13626:

> checkpw does an even worse job of failing nicely

In what way(s)? Checking with a few strings that would be caught by this validation, {{checkpw}} seems to behave as expected.

This validation would help us detect that we have stored invalid hash values, so that could be useful in diagnosing unexpected auth failures & debugging their causes. That will obviously require logging when the validation fails before throwing the {{AuthenticationException}}, so we should separate it from the actual {{checkPw}} call.

On the actual validation, the 22 character component is actually the salt, not the cost - the bcrypt format is {{$<id>$<cost>$<salt><digest>}}. Cost, salt and digest are all fixed length (2, 22 & 31 chars respectively), whereas id may be 1 or 2 chars, though we have only ever used a version of jbcrypt that generates the 2 char variant. So we could simplify that check to {{length == 60}}. If {{checkpw}} *is* correctly returning false when the stored hash is invalid though, we only really need to do the validation on failure, in which case we could do a more thorough check than simply looking at the length, if that's

> Check hashed password matches expected bcrypt hash format before checking
> -------------------------------------------------------------------------
>                 Key: CASSANDRA-13626
>                 URL:
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Auth
>            Reporter: Jeff Jirsa
>            Assignee: Jeff Jirsa
>            Priority: Minor
>             Fix For: 3.0.x, 3.11.x, 4.x
> We use {{Bcrypt.checkpw}} in the auth subsystem, but do a reasonably poor job of guaranteeing
> that the hashed password we send to it is really a hashed password, and {{checkpw}} does an
> even worse job of failing nicely. We should at least sanity check the hash complies with the
> expected format prior to validating.
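The layout described in the comment above ({{$<id>$<cost>$<salt><digest>}}, fixed 2/22/31-character fields and a 1- or 2-character id), as an added example of a format check that runs and logs separately from the {{checkpw}} call. This is illustrative Python, not Cassandra's Java code; the bcrypt base64 alphabet, the 4..31 cost bound, the `checkpw` callable and the sample strings are assumptions of the example.

```python
import logging
import re
from typing import Callable, Optional

log = logging.getLogger("auth")

# bcrypt modular-crypt layout: $<id>$<cost>$<salt><digest>
#   id:     "2" or "2a"/"2b"/"2x"/"2y"  (1 or 2 chars)
#   cost:   2 decimal digits
#   salt:   22 chars, digest: 31 chars, both from bcrypt's own base64
#           alphabet "./A-Za-z0-9" (alphabet is an assumption, not from the ticket)
# Total length is therefore 59 (1-char id) or 60 (2-char id).
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def bcrypt_format_error(stored: object) -> Optional[str]:
    """Return why `stored` is not a well-formed bcrypt hash, or None if it is."""
    if not isinstance(stored, str):
        return "stored hash is not a string"
    m = BCRYPT_RE.match(stored)
    if m is None:
        # Cheap length check first, then the more thorough layout check.
        if len(stored) not in (59, 60):
            return f"unexpected length {len(stored)} (expected 59 or 60)"
        return "does not match $<id>$<cost>$<salt><digest> layout"
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # 4..31 is an assumed bcrypt bound, not from the ticket
        return f"cost {cost} outside bcrypt's 4..31 range"
    return None


def check_password(candidate: str, stored: str,
                   checkpw: Callable[[str, str], bool]) -> bool:
    """Validate the stored hash before handing it to checkpw.

    A malformed stored hash is logged and rejected here, so a corrupt row
    shows up in the log as a diagnosable cause instead of an opaque
    authentication failure from checkpw.
    """
    err = bcrypt_format_error(stored)
    if err is not None:
        log.error("stored password hash is not a valid bcrypt hash: %s", err)
        return False
    return checkpw(candidate, stored)


# Constructed sample values (not real hashes): correct layout, arbitrary salt/digest bytes.
SAMPLE_2A = "$2a$10$" + "a" * 22 + "b" * 31   # 60 chars, 2-char id
SAMPLE_2 = "$2$10$" + "a" * 22 + "b" * 31     # 59 chars, 1-char id
```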

This message was sent by Atlassian JIRA