DO NOT REPLY [Bug 45871] New: Support for salted and digested patches in DataSourceRealm

Tue, 23 Sep 2008 21:47:27 -0700 

https://issues.apache.org/bugzilla/show_bug.cgi?id=45871

           Summary: Support for salted and digested patches in
                    DataSourceRealm
           Product: Tomcat 6
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


Created an attachment (id=22627)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22627)
Patch for DataSourceRealm (trunk)

Simple hashing of passwords stored in databases is no longer sufficient
security for passwords. The root of the issue is that users are bad at
remembering strong passwords, so they choose weak ones. Weak passwords when
hashed can be reversed using available rainbow tables and cracking software. To
combat this, passwords should be uniquely "salted" before being hashed and
stored in the database. 

The attached patch enhances DataSourceRealm to allow it to authenticate against
a salted digested password. If configured to use salt, the user's salt is
queried from the database and then combined with the user's provided
credentials using a configurable MessageFormat before digesting. Authentication
proceeds otherwise unchanged.

A similar patch could, and arguably should, be applied to JDBCRealm, but based
on some discussion on the list about deprecating JDBCRealm (and because I don't
use JDBCRealm personally), I did not work on JDBCRealm. I would be happy to
port this patch to JDBCRealm if that's desired.

Limitation(s):

This patch does not impact the behavior of the RFC 2069 authentication method
in RealmBase.

If/when this patch is accepted, the documentation for DataSourceRealm will need
to be updated. I'll gladly volunteer to do those updates as well.

http://en.wikipedia.org/wiki/Salt_(cryptography)
http://en.wikipedia.org/wiki/Rainbow_table


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to