Re: recent HashCrypt changes, and using salt-based password hashing

Tue, 24 Apr 2012 06:41:37 -0700 

This makes sense indeed, thanks Paul

I'd suggest 5 rather than 0? (still random length)

Jacques

From: "Paul Foxworthy" <p...@cohsoft.com.au>

Hi Adam,

Maybe I'm missing something, but if the salt is a random length and might be
0 characters, doesn't that mean that some passwords, randomly, won't get the
benefit of a salt? Why not make the salt a fixed length, or a random length
with a reasonable minimum?

Cheers

Paul Foxworthy


Adam Heath-2 wrote


On 04/20/2012 12:53 AM, Pierre Smits wrote:

Hi Adam,

How would that be? That would be one per tenant in a multi-tenant setup?
I
can imagine in a multi-tenant setup with the db backend not on derby (as
we
all recommend) the upgrade/migration aspect can be enormous. Even more so
in a HAFO-setup.


Moving EntityKeyStore to a separate database would not be hard, no code
changes at all.  Just a new entitygroup mapping, and updating
entityengine.xml(or TenantDataSource) to point it at a different
database.  This would then mean running pg_dump(or whatever) would not
see the keys.

I currently have the new crypto storage done.  It uses base64 to store
the hashed keyname, the key value, and the encrypted column values
scattered around the database.  A random-length(0-15) random-value salt
is pre-pended to each value during encryption, so if you continually set
the same value, you'll get different encrypted values.

I do not yet have key-encrypting-key(KEK) support working.  I'm
currently thinking there would be one 'master' KEK.  This is what
EntityCrypto would use by default.  In sub-tenant delegators, the sub
EntityCrypto would fetch a key from it's parent delegator.  The parent
delegator would be using the master KEK to encode it's keys.  The
sub-delegator would be using a unique KEK stored in the base delegator.
  The base delegator has it's own EntityCrypto.

So, the master KEK could be stored in entityengine.xml(base64 encoded, I
can provide a cmdline tool to generate it), or some other file.




-----
--
Coherent Software Australia Pty Ltd
http://www.cohsoft.com.au/

Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/

--
View this message in context: http://ofbiz.135035.n4.nabble.com/recent-HashCrypt-changes-and-using-salt-based-password-hashing-tp4571241p4583331.html Sent from the OFBiz - Dev mailing list archive at Nabble.com.

Reply via email to