Eclipse Community Forums: EMF » [CDO] server-side password hashing

Home » Modeling » EMF » [CDO] server-side password hashing

[CDO] server-side password hashing [message #1833208]

Tue, 06 October 2020 10:36

Eclipse User

We would like to improve our security and store all user passwords hashed on the server.
I could not find any FAQ or tutorial on how to setup the server accordingly.

There seems to exist some "encrypt" methods associated with the passwords, but I do not see a way how to use this.

Can anyone help on this?

Re: [CDO] server-side password hashing [message #1833229 is a reply to message #1833208]

Wed, 07 October 2020 07:22

Eclipse User

Please submit an enhancement request and I'll see what I can do ;-)

Re: [CDO] server-side password hashing [message #1833267 is a reply to message #1833229]

Thu, 08 October 2020 03:59

Eclipse User

I've submitted and resolved Bug 567696 - [DB] Make it easier to customize ITypeMappings, https://bugs.eclipse.org/bugs/show_bug.cgi?id=567696

To be picky, I think "hashing" is not a good term because the encoding function for user passwords must be bijective (invertible), and hash functions are not necessarily injective, typically they are not. The code example that I pushed to Git uses a symmetric PBEWithMD5AndDES cypher. The example is described in the bugzilla.

Note that the entire approach to encrypting the stored passwords is implemented on the DBStore level. In memory the UserPassword objects contain the plain text passwords.

Re: [CDO] server-side password hashing [message #1833301 is a reply to message #1833267]

Thu, 08 October 2020 10:51

Eclipse User

Wow, thanks for the fast implementation!

On the topic of hashing vs encoding. Why do you see it necessary to be able to decode the passwords?
Usually if a user forgets their password, a new one needs to be created anyways?

Re: [CDO] server-side password hashing [message #1833319 is a reply to message #1833301]

Fri, 09 October 2020 02:13

Eclipse User

In general it's possible, and probably good, to store the result of a one-way function (hash, digest). And in theory the authenticator (org.eclipse.emf.cdo.server.internal.security.SecurityManager.Authenticator) would be able to apply the same one-way function to the clear-text password that is received from the client (the wire protocol uses Diffie-Hellman key exchange, i.e., no clear-text password over the wire), and then compare the result to the stored hash. But the SecurityManager is built on top of the Security model, and the Security model, which keeps the user credentials in memory, does not know about the SecurityManager. If you open the Call Hierarchy on the following two methods you'll see that there are a few paths that don't necessarily go through the higher SecurityManager:

org.eclipse.emf.cdo.security.UserPassword.getEncrypted()
org.eclipse.emf.cdo.security.UserPassword.setEncrypted(String)

I see no easy way to inject a one-way function into the Security model itself. Note that there may be many copies of this model, each managed by its own CDOView/CDOTransaction. If you find a way I'll be happy to review a respective patch.

The storage layer-only approach that I proposed is fully symmetric and requires an attacker to gain control over the running VM. In that case, in theory, she could decrypt the user passwords. But then that's probably not the only problem. If your users' passwords must be safe even in this case, I'd need funding to implement and test a more complex solution.

Re: [CDO] server-side password hashing [message #1833340 is a reply to message #1833319]

Fri, 09 October 2020 08:50

Eclipse User

Ok! We will investigate on this a little.
If we find a good solution, I will post it here.

Previous Topic:	Handling references to XML datatypes uniformly
Next Topic:	[CDO] Guidelines for upgrading from CDO 4.1 to 4.11

Goto Forum:

-=] Back to Top [=-

Current Time: Sun Jul 13 11:27:26 EDT 2025

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter