tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 51966] Tomcat does not support ssha hashed passwords in all contexts
Date Thu, 06 Feb 2014 09:42:43 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966

--- Comment #21 from S <blama@gmx.net> ---
In order to illustrate how I understood the possibilities and their use in Tomcat,
I made a list of authentication mechanisms:

0) Compare the sent PW to the stored PW
1) Hash the sent PW on the server, compare it to the stored hash (Tomcat default)
2) Hash the PW n times on the client, hash the sent hashed PW once more on the server, compare it to the stored n+1 rounds hash
3) Hash the PW n times on the client (with a [fixed and user-known] salt), hash the sent hashed PW once more on the server, compare it to the stored n+1 rounds hash (n with salt, 1 without salt)
4) Use jBCrypt / scrypt

All these come in http / https flavors.
As far as I understand, only 1, 2 and 3 are possible today without changing
Tomcat.
Do you agree?

In terms of security it is:
0 <<< 1 <<< 2 < 3 <<< 4
A support for jBCrypt / scrypt would really be great!

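The five mechanisms in the list above, worked through as an added example (this is not Tomcat code and not the commenter's code). The "client" and "server" sides are separate functions so it is visible what crosses the wire and what the server stores; SHA-256, the round count, the salt handling (salt prepended on every client round, none on the final server round) and the use of scrypt for item 4 are all assumptions chosen for the illustration. Stored records are constructed in-process, so the block runs offline.

```python
"""Model of the password-check mechanisms 0-4 from the bug comment.

Constructed example (not Tomcat's realm code). Each record holds the
scheme id, its parameters and the value the server keeps; the round
count `n` and the salt are chosen here purely for illustration.
"""
import hashlib
import hmac
import os

HASH = "sha256"                     # assumption: any digest would do
KDF_AVAILABLE = hasattr(hashlib, "scrypt")   # scrypt needs OpenSSL support
_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # assumed scrypt parameters


def digest(data: bytes, rounds: int = 1, salt: bytes = b"") -> bytes:
    """Hash `data` `rounds` times; the salt (if any) is prepended each round."""
    out = data
    for _ in range(rounds):
        out = hashlib.new(HASH, salt + out).digest()
    return out


def enroll(scheme: int, password: str, n: int = 1000, salt: bytes = b"") -> dict:
    """What the server stores when a user registers under each scheme."""
    pw = password.encode()
    if scheme == 0:                          # cleartext stored
        return {"scheme": 0, "value": pw}
    if scheme == 1:                          # one server-side round
        return {"scheme": 1, "value": digest(pw)}
    if scheme == 2:                          # n client rounds + 1 server round
        return {"scheme": 2, "n": n, "value": digest(digest(pw, n))}
    if scheme == 3:                          # as 2, but the client rounds are salted
        salt = salt or os.urandom(16)
        return {"scheme": 3, "n": n, "salt": salt,
                "value": digest(digest(pw, n, salt))}
    if scheme == 4 and KDF_AVAILABLE:        # memory-hard KDF, salted
        salt = salt or os.urandom(16)
        return {"scheme": 4, "salt": salt,
                "value": hashlib.scrypt(pw, salt=salt, **_SCRYPT)}
    raise ValueError(f"unsupported scheme {scheme}")


def client_send(record: dict, password: str) -> bytes:
    """The bytes the client puts on the wire (inside TLS, ideally)."""
    pw = password.encode()
    scheme = record["scheme"]
    if scheme in (0, 1, 4):          # server does all the work: cleartext travels
        return pw
    if scheme == 2:                  # client pre-hashes n times, unsalted
        return digest(pw, record["n"])
    if scheme == 3:                  # client pre-hashes n times with the user's salt
        return digest(pw, record["n"], record["salt"])
    raise ValueError(scheme)


def server_verify(record: dict, received: bytes) -> bool:
    """Server-side check; constant-time compare against the stored value."""
    scheme = record["scheme"]
    if scheme == 0:
        expected = received
    elif scheme in (1, 2, 3):
        expected = digest(received)  # exactly one unsalted server round
    elif scheme == 4:
        expected = hashlib.scrypt(received, salt=record["salt"], **_SCRYPT)
    else:
        raise ValueError(scheme)
    return hmac.compare_digest(expected, record["value"])


def check_all(password: str = "correct horse", wrong: str = "Correct horse") -> dict:
    """Return {scheme: (accepts_right_password, accepts_wrong_password)}."""
    results = {}
    for scheme in (0, 1, 2, 3) + ((4,) if KDF_AVAILABLE else ()):
        rec = enroll(scheme, password, n=50)
        results[scheme] = (server_verify(rec, client_send(rec, password)),
                           server_verify(rec, client_send(rec, wrong)))
    return results


if __name__ == "__main__":
    for scheme, (ok, bad) in check_all().items():
        print(f"scheme {scheme}: correct password accepted={ok}, wrong rejected={not bad}")
```

Note what the model makes explicit: in schemes 0, 1 and 4 the cleartext password still travels to the server, so transport protection is what keeps it private, while in 2 and 3 the server only ever sees a pre-hashed value. The stored value for scheme 2 is mathematically the n+1-round hash of the password, which is why a plain Tomcat digest realm cannot check it unless it knows to apply only the final round.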

