[CDO] server-side password hashing [message #1833208] Tue, 06 October 2020 10:36
Eclipse UserFriend
We would like to improve our security and store all user passwords hashed on the server.
I could not find any FAQ or tutorial on how to setup the server accordingly.

There seems to exist some "encrypt" methods associated with the passwords, but I do not see a way how to use this.

Can anyone help on this?
Re: [CDO] server-side password hashing [message #1833229 is a reply to message #1833208] Wed, 07 October 2020 07:22
Eclipse UserFriend
Please submit an enhancement request and I'll see what I can do ;-)
Re: [CDO] server-side password hashing [message #1833267 is a reply to message #1833229] Thu, 08 October 2020 03:59
Eclipse UserFriend
I've submitted and resolved Bug 567696 - [DB] Make it easier to customize ITypeMappings, https://bugs.eclipse.org/bugs/show_bug.cgi?id=567696

To be picky, I think "hashing" is not a good term because the encoding function for user passwords must be bijective (invertible), and hash functions are not necessarily injective, typically they are not. The code example that I pushed to Git uses a symmetric PBEWithMD5AndDES cipher. The example is described in the bugzilla.

Note that the entire approach to encrypting the stored passwords is implemented on the DBStore level. In memory the UserPassword objects contain the plain text passwords.
Re: [CDO] server-side password hashing [message #1833301 is a reply to message #1833267] Thu, 08 October 2020 10:51
Eclipse UserFriend
Wow, thanks for the fast implementation!

On the topic of hashing vs encoding. Why do you see it necessary to be able to decode the passwords?
Usually if a user forgets their password, a new one needs to be created anyways?
Re: [CDO] server-side password hashing [message #1833319 is a reply to message #1833301] Fri, 09 October 2020 02:13
Eclipse UserFriend
In general it's possible, and probably good, to store the result of a one-way function (hash, digest). And in theory the authenticator (org.eclipse.emf.cdo.server.internal.security.SecurityManager.Authenticator) would be able to apply the same one-way function to the clear-text password that is received from the client (the wire protocol uses Diffie-Hellman key exchange, i.e., no clear-text password over the wire), and then compare the result to the stored hash. But the SecurityManager is built on top of the Security model, and the Security model, which keeps the user credentials in memory, does not know about the SecurityManager. If you open the Call Hierarchy on the following two methods you'll see that there are a few paths that don't necessarily go through the higher SecurityManager:

org.eclipse.emf.cdo.security.UserPassword.getEncrypted()
org.eclipse.emf.cdo.security.UserPassword.setEncrypted(String)
I see no easy way to inject a one-way function into the Security model itself. Note that there may be many copies of this model, each managed by its own CDOView/CDOTransaction. If you find a way I'll be happy to review a respective patch.

The storage layer-only approach that I proposed is fully symmetric and requires an attacker to gain control over the running VM. In that case, in theory, she could decrypt the user passwords. But then that's probably not the only problem. If your users' passwords must be safe even in this case, I'd need funding to implement and test a more complex solution.
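The two posts above contrast a reversible, storage-layer PBEWithMD5AndDES encoding (the Bug 567696 example) with a one-way function that an authenticator would apply to the received clear-text password and compare against a stored digest. The following is an added example, not CDO's code and not the patch attached to the bug: it uses only the JCE and no CDO classes, and the class name, iteration counts, record format and sample values are assumptions made for the demonstration. It shows both variants side by side so the difference the thread is about is visible: the encrypted record can be turned back into the password by anyone who holds the server passphrase, while the hashed record can only be verified.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** Hypothetical demo class (assumed name); not part of CDO. */
public class PasswordStorageDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64E = Base64.getEncoder();
    private static final Base64.Decoder B64D = Base64.getDecoder();

    // ---- Variant A: reversible, the property of the DBStore-level approach.
    // PBEWithMD5AndDES is the algorithm named in the thread. It is a legacy JCE
    // cipher (56-bit DES, MD5-based key derivation) and is used here only to show
    // that whoever holds the server passphrase gets every password back in clear.
    private static final String PBE_ALGO = "PBEWithMD5AndDES";
    private static final int PBE_ITERATIONS = 1000; // assumed value
    private static final int PBE_SALT_LEN = 8;      // PKCS#5 v1.5 PBE requires an 8-byte salt

    static String pbeEncrypt(char[] serverPassphrase, String clearText) throws Exception {
        byte[] salt = new byte[PBE_SALT_LEN];
        RNG.nextBytes(salt);
        Cipher c = pbeCipher(serverPassphrase, salt, Cipher.ENCRYPT_MODE);
        byte[] ct = c.doFinal(clearText.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[salt.length + ct.length];  // stored form: salt || ciphertext
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(ct, 0, out, salt.length, ct.length);
        return B64E.encodeToString(out);
    }

    static String pbeDecrypt(char[] serverPassphrase, String stored) throws Exception {
        byte[] in = B64D.decode(stored);
        byte[] salt = Arrays.copyOfRange(in, 0, PBE_SALT_LEN);
        byte[] ct = Arrays.copyOfRange(in, PBE_SALT_LEN, in.length);
        Cipher c = pbeCipher(serverPassphrase, salt, Cipher.DECRYPT_MODE);
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    private static Cipher pbeCipher(char[] passphrase, byte[] salt, int mode) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(PBE_ALGO).generateSecret(new PBEKeySpec(passphrase));
        Cipher c = Cipher.getInstance(PBE_ALGO);
        c.init(mode, key, new PBEParameterSpec(salt, PBE_ITERATIONS));
        return c;
    }

    // ---- Variant B: one-way. Only a salted digest is stored; an authenticator
    // re-derives it from the clear-text password it receives and compares.
    // Nothing held on the server turns the stored value back into the password.
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final int KDF_ITERATIONS = 210_000; // assumed value
    private static final int KDF_KEY_BITS = 256;

    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, KDF_ITERATIONS);
        // self-describing record, so the iteration count can be raised later per user
        return "pbkdf2-sha256$" + KDF_ITERATIONS + "$" + B64E.encodeToString(salt) + "$" + B64E.encodeToString(dk);
    }

    static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] p = stored.split("\\$");
        if (p.length != 4 || !"pbkdf2-sha256".equals(p[0])) return false;
        byte[] expected = B64D.decode(p[3]);
        byte[] actual = pbkdf2(password, B64D.decode(p[2]), Integer.parseInt(p[1]));
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KDF_KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the clear-text password in the spec
        }
    }

    public static void main(String[] args) throws Exception {
        char[] serverSecret = "server-side-passphrase".toCharArray(); // constructed demo value
        String userPassword = "correct horse battery staple";        // constructed demo value

        String enc = pbeEncrypt(serverSecret, userPassword);
        System.out.println("reversible record : " + enc);
        System.out.println("decrypts to       : " + pbeDecrypt(serverSecret, enc));

        String rec = hashPassword(userPassword.toCharArray());
        System.out.println("one-way record    : " + rec);
        System.out.println("verify (correct)  : " + verifyPassword(userPassword.toCharArray(), rec));
        System.out.println("verify (wrong)    : " + verifyPassword("wrong".toCharArray(), rec));
    }
}
```

Compile and run with `javac PasswordStorageDemo.java && java PasswordStorageDemo`. The design point that matters for the thread: variant A needs the server passphrase at runtime, so an attacker who controls the VM (the case the post above describes) can call the equivalent of `pbeDecrypt` on every stored record; variant B gives such an attacker only `verifyPassword`, i.e. one guess per PBKDF2 evaluation, which is why the one-way design has to live where the clear-text password is compared, not in the storage mapping.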
Re: [CDO] server-side password hashing [message #1833340 is a reply to message #1833319] Fri, 09 October 2020 08:50
Eclipse UserFriend
Ok! We will investigate on this a little.
If we find a good solution, I will post it here.