This makes sense indeed, thanks Paul
I'd suggest 5 rather than 0? (still random length)
Jacques
From: "Paul Foxworthy" <p...@cohsoft.com.au>
Hi Adam,
Maybe I'm missing something, but if the salt is a random length and might be
0 characters, doesn't that mean that some passwords, randomly, won't get the
benefit of a salt? Why not make the salt a fixed length, or a random length
with a reasonable minimum?
Cheers
Paul Foxworthy
Adam Heath-2 wrote
On 04/20/2012 12:53 AM, Pierre Smits wrote:
Hi Adam,
How would that be? That would be one per tenant in a multi-tenant setup?
I
can imagine in a multi-tenant setup with the db backend not on derby (as
we
all recommend) the upgrade/migration aspect can be enormous. Even more so
in a HAFO-setup.
Moving EntityKeyStore to a separate database would not be hard, no code
changes at all. Just a new entitygroup mapping, and updating
entityengine.xml(or TenantDataSource) to point it at a different
database. This would then mean running pg_dump(or whatever) would not
see the keys.
I currently have the new crypto storage done. It uses base64 to store
the hashed keyname, the key value, and the encrypted column values
scattered around the database. A random-length(0-15) random-value salt
is pre-pended to each value during encryption, so if you continually set
the same value, you'll get different encrypted values.
I do not yet have key-encrypting-key(KEK) support working. I'm
currently thinking there would be one 'master' KEK. This is what
EntityCrypto would use by default. In sub-tenant delegators, the sub
EntityCrypto would fetch a key from it's parent delegator. The parent
delegator would be using the master KEK to encode it's keys. The
sub-delegator would be using a unique KEK stored in the base delegator.
The base delegator has it's own EntityCrypto.
So, the master KEK could be stored in entityengine.xml(base64 encoded, I
can provide a cmdline tool to generate it), or some other file.
-----
--
Coherent Software Australia Pty Ltd
http://www.cohsoft.com.au/
Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/
--
View this message in context:
http://ofbiz.135035.n4.nabble.com/recent-HashCrypt-changes-and-using-salt-based-password-hashing-tp4571241p4583331.html
Sent from the OFBiz - Dev mailing list archive at Nabble.com.