Hi to all,

If I understand correctly, it's enough to use the encrypt attribute on the
password fields.

For example, in PaymentGatewayPayflowPro it could be:

<field name="pwd" type="short-varchar" encrypt="true"/>

Have I understood correctly?

Thanks
Marco


>
> On Apr 14, 2009, at 1:57 PM, Jacques Le Roux wrote:
>
> > From: "David E Jones" <david.jo...@hotwaxmedia.com>
> >> On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
> >>
> >>> From: "Ashish Vijaywargiya" <ashish.vijaywarg...@hotwaxmedia.com>
> >>> Hello Marco,
> >>>
> >>> Thanks for your wonderful work in this area.
> >>> I truly appreciate your efforts.
> >>>
> >>> Here are a few thoughts / comments:
> >>>
> >>> 1) We are saving the password as it is.
> >>> https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
> >>> I think we should encrypt the password before saving it to the
> >>> database and not show the password as it is when fetching it from the database.
> >>> Thoughts ?
> >>>
> >>> +1, using what we already use (also SHA that should be salted at
> >>> some point in the future)
> >>
> >> These are all good changes, so thanks to Jacques and especially
> >> Ashish for the comments.
> >>
> >> For the gateway password encryption we'll want to use the Entity
> >> Engine's built-in two-way encryption. We can't use SHA/hash
> >> encryption because we have to be able to decrypt these passwords
> >> to send them to the payment gateway (i.e. they would never accept a
> >> hashed form of the password, that is a big security hole and
> >> basically nullifies most of the benefit of the hash, which is why
> >> by default we don't allow that in OFBiz either).
> >>
> >> -David
> >
> > Hi David,
> >
> > I understand that we need 2-way encryption for a payment gateway.
> > But about SHA I'm not quite sure I understand. SHA means Secure
> > Hash Algorithm, so why do you add /hash after SHA?
> > I know we use SHA for the login password, so I'm not sure what you
> > mean. Do you mean that we should not use salted SHA in OFBiz at all?
>
> SHA is a hash algorithm, but there are other hash algorithms and that
> is why I wrote "SHA/hash".
>
> My main point is that a normal password hash algorithm is not relevant
> here as it can't be used when 2-way encryption is needed, that's all.
>
> -David
>
>
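Below is an added example of the change Marco describes, written for this thread and not taken from the OFBiz source tree: the entity definition with the gateway password field marked encrypt="true", with the previous plain-text field shown in a comment for comparison. The package name, the field list and the fk-name are assumptions modelled on the OFBiz accounting entity model, so check them against the real entitymodel.xml before committing.

```xml
<!-- Added example, not from the thread or the OFBiz source tree.
     Entity, field and fk names are assumptions modelled on the
     OFBiz accounting entitymodel.xml; verify against the real file. -->
<entity entity-name="PaymentGatewayPayflowPro"
        package-name="org.ofbiz.accounting.payment"
        title="Payment Gateway PayflowPro Entity">
    <field name="paymentGatewayConfigId" type="id-ne"/>
    <field name="vendor" type="short-varchar"/>
    <field name="userId" type="short-varchar"/>
    <field name="partner" type="short-varchar"/>

    <!-- BEFORE (what Ashish reported): the gateway password was stored
         in clear and therefore also displayed in clear on
         ViewGatewayConfiguration:
         <field name="pwd" type="short-varchar"/> -->

    <!-- AFTER: encrypt="true" makes the Entity Engine apply its built-in
         two-way encryption when the value is written and decrypt it
         again when the record is read, so the service that talks to the
         gateway still receives the clear password. This is why a one-way
         SHA/hash, as used for login passwords, is not an option here:
         the gateway would never accept a hashed form. -->
    <field name="pwd" type="short-varchar" encrypt="true"/>

    <prim-key field="paymentGatewayConfigId"/>
    <relation type="one" fk-name="PAY_GTWY_PFP_CFG"
              rel-entity-name="PaymentGatewayConfig">
        <key-map field-name="paymentGatewayConfigId"/>
    </relation>
</entity>
```

Because the Entity Engine decrypts transparently on every read, encrypt="true" alone changes only what is stored in the table: the ViewGatewayConfiguration screen still has to mask the field itself, which is the second half of Ashish's point. The key used for this encryption is itself kept in the database (the EntityKeyStore entity), so this protects against casual reading of the table and of database dumps handled separately from the key, not against someone who can read the whole database.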
