cayenne-user mailing list archives

From Mike Kienenberger <mkien...@gmail.com>
Subject Re: Encrypted Fields
Date Tue, 10 Feb 2009 15:03:00 GMT
Bug in login rehash:

user.setPassword(plainTextPassword);

Should be

user.setPassword(hashedPassword);

Also, your fetchUserBySSN() method assumes that encryption repeatedly
returns the same value.   Is that always true?  I know that hashing
passwords typically has a random salt to increase security, resulting
in different hashed values for the same key.   You have to know the
random salt in order to recreate the same hash key.  In unix
passwords, this is done by reading the random salt off the front of
the previous hashed value.

On Tue, Feb 10, 2009 at 8:35 AM, Michael Gentry <mgentry@masslight.net> wrote:
> I updated the document.  I tried to simplify the key protection stuff
> (hopefully it makes a bit more sense) and added an example at the
> bottom on how you might do a search and fetch using encrypted field
> values.
>
> http://people.apache.org/~mgentry/Security_Manifesto.pdf
>
>
> mrg
>

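To illustrate the salted-hash point raised in this reply, here is an added example (not code from the thread, the linked document, or Cayenne): the random salt is stored in front of the digest and read back during verification, so the same password hashes to a different value on every call, which is exactly why an equality lookup on a salted hash cannot work.

```python
import hashlib
import hmac
import os

# Constructed storage format, assumed for this example:
# "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(plain_text: str) -> str:
    """Hash with a fresh random salt; the salt travels with the digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", plain_text.encode("utf-8"), salt, ITERATIONS)
    # This is the value to pass to setPassword(), never the plain text.
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(plain_text: str, stored: str) -> bool:
    """Read the salt and parameters off the front of the stored value, recompute, compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or foreign stored value: reject rather than crash
    actual = hashlib.pbkdf2_hmac("sha256", plain_text.encode("utf-8"), salt, rounds)
    # Constant-time comparison so response timing does not leak matching prefixes.
    return hmac.compare_digest(actual, expected)


def same_hash_twice(plain_text: str) -> bool:
    """False for a salted scheme: two hashes of one password do not compare equal,
    so a fetch-by-hashed-value query would miss the stored row."""
    return hash_password(plain_text) == hash_password(plain_text)
```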