[jira] [Updated] (SYNCOPE-513) Make value encryption parametric

Wed, 25 Jun 2014 06:24:56 -0700 

     [ 
https://issues.apache.org/jira/browse/SYNCOPE-513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Francesco Chicchiriccò updated SYNCOPE-513:
-------------------------------------------

      Description: 
In {{PasswordEncoder}} (1.1.X) / {{Encryptor}} (1.2.X) class the salt mechanism 
configuration is hardcoded
If the LDAP server doesn't use the same salt mechanism configuration, the 
password can't be matched during authentication.

For example SSHA digest from OpenDJ uses a suffixed 8 bytes salt (in hash and 
plan)

Original:
            digester.setIterations(100000);
            digester.setSaltSizeBytes(16);

Modified for OpenDJ
            digester.setIterations(1);
            digester.setSaltSizeBytes(8);
            digester.setInvertPositionOfPlainSaltInEncryptionResults(true);
            digester.setInvertPositionOfSaltInMessageBeforeDigesting(true);

{{Encryptor}} can read from global configuration parameters so that you can 
configure some aspect of the way how ciphered values (not only password values 
in 1.2.X).

  was:
In PasswordEncoder class the salt mechanism configuration is hardcoded
If the LDAP doesn't use the same salt mechanism configuration, the password 
can't be matched during authentication.

For example SSHA digest from OpenDJ uses a suffixed 8 bytes salt (in hash and 
plan)

Original:
            digester.setIterations(100000);
            digester.setSaltSizeBytes(16);

Modified for OpenDJ
            digester.setIterations(1);
            digester.setSaltSizeBytes(8);
            digester.setInvertPositionOfPlainSaltInEncryptionResults(true);
            digester.setInvertPositionOfSaltInMessageBeforeDigesting(true);

Maybe adding a way to configure custom cipher algorithms will allow more 
widespread interoperability with existing LDAPv3 implementations in the market



      Environment:     (was: OpenDJ as LDAP)
    Fix Version/s: 1.2.0
       Issue Type: Improvement  (was: Bug)
          Summary: Make value encryption parametric  (was: Salted cipher 
algorithms incompatible interoperability with OpenDJ)

> Make value encryption parametric
> --------------------------------
>
>                 Key: SYNCOPE-513
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-513
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.8
>            Reporter: Yann Diorcet
>             Fix For: 1.2.0
>
>
> In {{PasswordEncoder}} (1.1.X) / {{Encryptor}} (1.2.X) class the salt 
> mechanism configuration is hardcoded
> If the LDAP server doesn't use the same salt mechanism configuration, the 
> password can't be matched during authentication.
> For example SSHA digest from OpenDJ uses a suffixed 8 bytes salt (in hash and 
> plan)
> Original:
>             digester.setIterations(100000);
>             digester.setSaltSizeBytes(16);
> Modified for OpenDJ
>             digester.setIterations(1);
>             digester.setSaltSizeBytes(8);
>             digester.setInvertPositionOfPlainSaltInEncryptionResults(true);
>             digester.setInvertPositionOfSaltInMessageBeforeDigesting(true);
> {{Encryptor}} can read from global configuration parameters so that you can 
> configure some aspect of the way how ciphered values (not only password 
> values in 1.2.X).



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to