[ https://issues.apache.org/jira/browse/QPID-6993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keith Wall updated QPID-6993:
-----------------------------
    Fix Version/s: qpid-java-6.0.1

> [Java Broker] Improve security of SCRAM-* authentication managers by not storing the salted passwords
> -----------------------------------------------------------------------------------------------------
>
>                 Key: QPID-6993
>                 URL: https://issues.apache.org/jira/browse/QPID-6993
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Rob Godfrey
>            Assignee: Lorenz Quack
>             Fix For: qpid-java-6.0.1, qpid-java-6.1
>
>         Attachments: 0001-QPID-6993-Java-Broker-Refactoring.patch
>
>
> Currently the SCRAM-* authentication managers store the salted hashed password. If this information is somehow leaked then the possessor of the information could use this value to log in to the broker without knowing the plain text password.
> We can change the storage mechanism to store instead the "storedKey" and "serverKey" which will not allow the possessor of the leaked configuration to authenticate - they will need to know either the plain text password or the hashed salted password - which cannot be recovered from the password file.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
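The key derivation the issue relies on, worked through as an added example in Python. This is not code from the Qpid Java Broker or from the attached patch; it follows the SCRAM definitions in RFC 5802 (SaltedPassword = Hi(password, salt, i), ClientKey = HMAC(SaltedPassword, "Client Key"), StoredKey = H(ClientKey), ServerKey = HMAC(SaltedPassword, "Server Key")) with SHA-256 as the hash. The salt, iteration count, user name, nonces and the resulting AuthMessage are constructed constants chosen so the run is deterministic; the record layout (`salt`, `iterations`, `stored_key`, `server_key`) and the function names are this example's own, not the broker's. It shows the two situations the issue contrasts: a holder of the old-style SaltedPassword can build a valid ClientProof without the password, while a holder of the new-style StoredKey/ServerKey record cannot, because StoredKey is a hash of the ClientKey the proof must reveal.

```python
"""SCRAM-SHA-256 (RFC 5802 / RFC 7677) key derivation and proof check.

Added example, not Qpid Java Broker code.  Demonstrates why storing
StoredKey + ServerKey is safer than storing SaltedPassword.
"""
import hashlib
import hmac

HASH = "sha256"
ITERATIONS = 4096

# Constructed, fixed values so the example is deterministic.  A real server
# draws the salt and its nonce from a CSPRNG on every registration/login.
SALT = bytes.fromhex("4125c247e43ab1e93c6dff76e10a2b3c")
# AuthMessage = client-first-bare "," server-first "," client-final-without-proof
AUTH_MESSAGE = (
    b"n=alice,r=rOprNGfwEbeRWgbNEkqO,"
    b"r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k,"
    b"s=QSXCR+Q6sek8bf92,i=4096,"
    b"c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k"
)


def hi(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC over the SCRAM hash."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def client_key(salted_password: bytes) -> bytes:
    return hmac.new(salted_password, b"Client Key", HASH).digest()


def server_key(salted_password: bytes) -> bytes:
    return hmac.new(salted_password, b"Server Key", HASH).digest()


def stored_key(ck: bytes) -> bytes:
    return hashlib.new(HASH, ck).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_record(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> dict:
    """New-style record: SaltedPassword is derived, used once, and discarded."""
    salted = hi(password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": stored_key(client_key(salted)),
        "server_key": server_key(salted),
    }


def proof_from_salted_password(salted: bytes, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).

    Needs only SaltedPassword, which is why a leaked old-style record
    (SaltedPassword on disk) lets its holder log in without the password.
    """
    ck = client_key(salted)
    signature = hmac.new(stored_key(ck), auth_message, HASH).digest()
    return xor(ck, signature)


def proof_from_password(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """What a legitimate client does: derive SaltedPassword, then the proof."""
    return proof_from_salted_password(hi(password, salt, iterations), auth_message)


def forge_proof_from_record(record: dict, auth_message: bytes) -> bytes:
    """Best effort of someone holding only the new-style record.

    They know StoredKey = H(ClientKey) but not ClientKey, and cannot invert
    the hash.  Substituting StoredKey for ClientKey (the only 32-byte secret
    they have) yields a proof the server rejects.
    """
    signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    return xor(record["stored_key"], signature)


def verify_client_proof(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and hash-compare it."""
    signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    recovered_client_key = xor(proof, signature)
    return hmac.compare_digest(stored_key(recovered_client_key), record["stored_key"])


def server_signature(record: dict, auth_message: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage); sent back to the client."""
    return hmac.new(record["server_key"], auth_message, HASH).digest()


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    good = proof_from_password("correct horse battery staple", SALT, ITERATIONS, AUTH_MESSAGE)
    leaked_salted = hi("correct horse battery staple", SALT, ITERATIONS)
    print("client with password       :", verify_client_proof(rec, AUTH_MESSAGE, good))
    print("holder of SaltedPassword   :", verify_client_proof(
        rec, AUTH_MESSAGE, proof_from_salted_password(leaked_salted, AUTH_MESSAGE)))
    print("holder of StoredKey record :", verify_client_proof(
        rec, AUTH_MESSAGE, forge_proof_from_record(rec, AUTH_MESSAGE)))
```

Two caveats worth keeping in mind when reading the issue's "cannot be recovered" claim. First, the new-style record still contains ServerKey, so whoever holds it can compute a valid ServerSignature and impersonate the broker to clients; the leak stops client impersonation, not server impersonation. Second, StoredKey is a deterministic function of the password, salt and iteration count, so the record remains subject to an offline dictionary attack; the password file still needs the same file-system protection as before.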