cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vijayendra Bhamidipati <vijayendra.bhamidip...@citrix.com>
Subject Re: Review Request: Make SHA256Salt the default password encoding and authentication mechanism for cloudstack
Date Mon, 01 Apr 2013 18:30:16 GMT
Putting in a new authenticator/encoder for SHA512 would be good - I'll log
a ticket to track it as a separate effort and work on it when time
permits. Until then, let's use SHA256 as the default since it's the best
we've got implemented as of now.

Regards,
Vijay

On 3/29/13 5:56 PM, "Justin Grudzien" <grudzien@gmail.com> wrote:

>Understandable that SHA256 is good for today but SHA512 is good for
>tomorrow and has excellent support in all major languages, products, etc.
>Oracle is the only thing I can think of that doesn't support it out of
>the box.
>
>I agree on balance but I can certainly spare the 32 bytes of storage. :)
>
>Justin
>
>On Mar 29, 2013, at 7:23 PM, John Kinsella <jlk@stratosec.co> wrote:
>
>> Never too late. :)
>> 
>> Looking at [1], it'll take about 2E64 days to search the SHA256
>>keyspace with a brute forcer written for a GPU accelerator. Even with
>>10,000 of them, it'll take way, way too long. Bitcoin coin uses SHA256,
>>so I think it's safe for a while. :)
>> 
>> Yes, SHA512 would be "more safe," but ya gotta ask what you're really
>>getting by going to the bigger keyĆ security is about a balance. If
>>you're using ACS to run a cloud cracking SHA256 passwords, then maybe
>>you should use SHA512 passwords in ACS. ;)
>> 
>> John
>> http://www.insidepro.com/eng/egb.shtml
>> 
>> On Mar 29, 2013, at 4:36 PM, Justin Grudzien
>><grudzien@gmail.com<mailto:grudzien@gmail.com>>
>> wrote:
>> 
>> I apologize for jumping into this conversation late, but I am new to
>>the developer mailing list. Why would we choose SHA256+salt over
>>SHA512+salt? SHA512+salt's storage is insignificant when compared to
>>SHA256 and the chances of a birthday attack are significantly reduced.
>>As a security professional I would argue for the best possible hashing
>>algorithm available, especially when there is little to no cost.
>> 
>> Justin
>> 
>> On Mar 29, 2013, at 6:00 PM, "Min Chen"
>><min.chen@citrix.com<mailto:min.chen@citrix.com>> wrote:
>> 
>> 
>> -----------------------------------------------------------
>> This is an automatically generated e-mail. To reply, visit:
>> https://reviews.apache.org/r/10039/#review18548
>> -----------------------------------------------------------
>> 
>> 
>> 
>> client/tomcatconf/componentContext.xml.in
>> <https://reviews.apache.org/r/10039/#comment38873>
>> 
>>  This componentContext.xml.in and nonossComponentContext.xml.in should
>>be put into applicationContext.xml since they are the same for nonoss
>>and oss versions.
>> 
>> 
>> - Min Chen
>> 
>> 
>> On March 28, 2013, 8:26 p.m., Venkata Siva Vijayendra Bhamidipati wrote:
>> 
>> -----------------------------------------------------------
>> This is an automatically generated e-mail. To reply, visit:
>> https://reviews.apache.org/r/10039/
>> -----------------------------------------------------------
>> 
>> (Updated March 28, 2013, 8:26 p.m.)
>> 
>> 
>> Review request for cloudstack, Hugo Trippaers, Kelven Yang, and Min
>>Chen.
>> 
>> 
>> Description
>> -------
>> 
>> Changing default password encoding mechanism from MD5 to SHA256Salted.
>> 
>> 
>> This addresses bug CS-1734.
>> 
>> 
>> Diffs
>> -----
>> 
>> 
>>api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.
>>java 89673ea
>> api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java
>>fb29e1a
>> api/src/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java
>>1f31662
>> client/tomcatconf/componentContext.xml.in 016df0a
>> client/tomcatconf/nonossComponentContext.xml.in 8f8dae5
>> developer/developer-prefill.sql 6300d35
>> 
>>plugins/user-authenticators/ldap/src/com/cloud/server/auth/LDAPUserAuthen
>>ticator.java 61eebe5
>> 
>>plugins/user-authenticators/md5/src/com/cloud/server/auth/MD5UserAuthenti
>>cator.java 026125e
>> 
>>plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTex
>>tUserAuthenticator.java 52e7cb3
>> 
>>plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256
>>SaltedUserAuthenticator.java 1b29f69
>> server/src/com/cloud/server/ManagementServerImpl.java b689f93
>> server/src/com/cloud/user/AccountManagerImpl.java b69f314
>> 
>> Diff: https://reviews.apache.org/r/10039/diff/
>> 
>> 
>> Testing
>> -------
>> 
>> Manual testing done for both oss and nonoss components. Both admin and
>>users added later are encoded according to the scheme configured, and
>>authenticated by the same scheme.
>> 
>> To change the order of the schemes, modify the following list
>>properties in client/tomcatconf/nonossComponentContext.xml.in or
>>client/tomcatconf/componentContext.xml.in as applicable, to the desired
>>order:
>> 
>>  <property name="UserAuthenticators">
>>       <list>
>>          <ref bean="SHA256SaltedUserAuthenticator"/>
>>          <ref bean="MD5UserAuthenticator"/>
>>          <ref bean="LDAPUserAuthenticator"/>
>>          <ref bean="PlainTextUserAuthenticator"/>
>>      </list>
>>  </property>
>> 
>>  <property name="UserPasswordEncoders">
>>      <list>
>>          <ref bean="SHA256SaltedUserAuthenticator"/>
>>           <ref bean="MD5UserAuthenticator"/>
>>           <ref bean="LDAPUserAuthenticator"/>
>>          <ref bean="PlainTextUserAuthenticator"/>
>>       </list>
>> 
>> 
>> Thanks,
>> 
>> Venkata Siva Vijayendra Bhamidipati
>> 
>> 
>> Stratosec<http://stratosec.co> - Secure Infrastructure as a Service
>> o: 415.315.9385
>> @johnlkinsella<http://twitter.com/johnlkinsella>
>> 


Mime
View raw message