ofbiz-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adam Heath (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-3006) entity encrypt columns not using encryption salt value?
Date Tue, 24 Jun 2014 01:36:25 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14041578#comment-14041578
] 

Adam Heath commented on OFBIZ-3006:
-----------------------------------

Jacques, SHA1 and MD5 are the same kind of technology; they are both one-way hashes.  Either
could be used for password-type fields.  Originally, it was MD5.  I added an ability to have
different hashes(I stored the hash type in the database), then added salt ability(as a prefix).

The examples given are for password-type fields.  As that support has been around for quite
a while now, this issue can be closed.

Additionally, if you really are concerned about *encrypted* fields not having a salt, then
svn trunk now supports such a feature.  In the entitymodel definition, you can set encrypt="salt",
and the value saved to the database will have a salt pre-pended.  Note, that if you do this,
then you will not be able to do direct lookups against that value.

> entity encrypt columns not using encryption salt value?
> -------------------------------------------------------
>
>                 Key: OFBIZ-3006
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3006
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: chris snow
>            Assignee: Adam Heath
>
> It looks as though no salt data is used when saving encrypted entity data making the
stored data susceptible to dictionary attacks.
> If you look through the stored demo data, you can see all the demo accounts passwords
are the same:
> {code}
> UserLogin:
> admin     {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> ...
> {code}
> As a comparison, if you create a two unix accounts, "ofbiz1" and "ofbiz2" and set both
passwords to "ofbiz"
> {code}
> ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
> ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
> {code}
> You can see that on unix, even though the passwords are the same, the encrypted values
are completely different.
> For more information see:
> [http://en.wikipedia.org/wiki/Salt_(cryptography)]



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message