Hi Adam,

Maybe I'm missing something, but if the salt is a random length and might be
0 characters, doesn't that mean that some passwords, randomly, won't get the
benefit of a salt? Why not make the salt a fixed length, or a random length
with a reasonable minimum?

Cheers

Paul Foxworthy


Adam Heath-2 wrote
> 
> On 04/20/2012 12:53 AM, Pierre Smits wrote:
>> Hi Adam,
>>
>> How would that be? That would be one per tenant in a multi-tenant setup? I
>> can imagine in a multi-tenant setup with the db backend not on derby (as we
>> all recommend) the upgrade/migration aspect can be enormous. Even more so
>> in a HAFO-setup.
> 
> Moving EntityKeyStore to a separate database would not be hard, no code
> changes at all.  Just a new entitygroup mapping, and updating
> entityengine.xml (or TenantDataSource) to point it at a different
> database.  This would then mean running pg_dump (or whatever) would not
> see the keys.
>
> I currently have the new crypto storage done.  It uses base64 to store
> the hashed keyname, the key value, and the encrypted column values
> scattered around the database.  A random-length (0-15) random-value salt
> is pre-pended to each value during encryption, so if you continually set
> the same value, you'll get different encrypted values.
>
> I do not yet have key-encrypting-key (KEK) support working.  I'm
> currently thinking there would be one 'master' KEK.  This is what
> EntityCrypto would use by default.  In sub-tenant delegators, the sub
> EntityCrypto would fetch a key from its parent delegator.  The parent
> delegator would be using the master KEK to encode its keys.  The
> sub-delegator would be using a unique KEK stored in the base delegator.
> The base delegator has its own EntityCrypto.
>
> So, the master KEK could be stored in entityengine.xml (base64 encoded, I
> can provide a cmdline tool to generate it), or some other file.
> 


-----
--
Coherent Software Australia Pty Ltd
http://www.cohsoft.com.au/

Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/

--
View this message in context: 
http://ofbiz.135035.n4.nabble.com/recent-HashCrypt-changes-and-using-salt-based-password-hashing-tp4571241p4583331.html
Sent from the OFBiz - Dev mailing list archive at Nabble.com.

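The salt scheme discussed in this thread, modelled as an added example. This is not OFBiz's EntityCrypto code and it makes a few assumptions: a toy 16-byte Feistel block cipher run in CBC mode with a fixed all-zero IV stands in for whatever deterministic cipher sits under the salt; the plaintext layout (one salt-length byte, then the salt, then the value, PKCS#7 padded, base64 on the way out) is assumed, since the post does not say how the salt is stripped on decryption; and `KEY` is a constructed demo key. `count_equality_leaks` encrypts the same value repeatedly and counts ciphertexts that repeat an earlier one, which is what someone reading a database dump could use to tell which rows hold the same value. `salt_factory(0, 15)` is the random-length scheme from the post, `salt_factory(16, 16)` the fixed-length alternative and `salt_factory(8, 15)` the random-length-with-a-minimum alternative Paul suggests.

```python
import base64
import hashlib
import random

BLOCK = 16   # block size in bytes
ROUNDS = 8   # Feistel rounds (toy cipher, only for demonstration)

# Constructed demo key; a real deployment would load it from the key store.
KEY = hashlib.sha256(b"constructed example key").digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, idx, half):
    # Keyed round function: any PRF works for a toy Feistel network.
    return hashlib.sha256(key + bytes([idx]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def _pad(data):                       # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, data):
    # Fixed zero IV: this is what makes the cipher deterministic and the
    # salt the only source of randomness, as in the scheme being discussed.
    prev, out = bytes(BLOCK), b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, data):
    prev, out = bytes(BLOCK), b""
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


def encrypt_value(key, value, salt):
    """Assumed layout: [salt length][salt][value], padded, CBC, base64."""
    assert len(salt) < 256
    plain = bytes([len(salt)]) + salt + value
    return base64.b64encode(cbc_encrypt(key, _pad(plain))).decode()


def decrypt_value(key, token):
    plain = _unpad(cbc_decrypt(key, base64.b64decode(token)))
    return plain[1 + plain[0]:]


def salt_factory(min_len, max_len, seed=0):
    """Return a salt generator drawing min_len..max_len random bytes.
    Seeded so the demonstration is repeatable; use os.urandom for real salts."""
    rng = random.Random(seed)

    def salt():
        n = rng.randint(min_len, max_len)
        return bytes(rng.getrandbits(8) for _ in range(n))
    return salt


def count_equality_leaks(key, value, salt_fn, trials):
    """Encrypt `value` `trials` times; count ciphertexts identical to an earlier one."""
    seen, repeats = set(), 0
    for _ in range(trials):
        token = encrypt_value(key, value, salt_fn())
        if token in seen:
            repeats += 1
        seen.add(token)
    return repeats


if __name__ == "__main__":
    for label, fn in [("random 0-15", salt_factory(0, 15)),
                      ("random 8-15", salt_factory(8, 15)),
                      ("fixed 16", salt_factory(16, 16))]:
        print(f"{label:12s}: {count_equality_leaks(KEY, b'hunter2', fn, 512)} repeated ciphertexts")
```

Running the block shows repeats only for the 0-15 scheme: roughly one encryption in sixteen gets an empty salt and is then fully deterministic, and two one-byte salts match one time in 256 as well, so a modest number of stores of the same value is enough to produce identical rows. With an 8-byte minimum or a fixed 16 bytes no repeats occur. Note that in this CBC model any non-empty salt already randomises the whole ciphertext, because the first block chains into the rest; the length-0 case is the one that leaks, which is the point of Paul's question.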