Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Modeling » EMF » [CDO] server-side password hashing
[CDO] server-side password hashing [message #1833208] Tue, 06 October 2020 14:36 Go to next message
Robert Schulk is currently offline Robert SchulkFriend
Messages: 109
Registered: July 2015
Senior Member
We would like to improve our security and store all user passwords hashed on the server.
I could not find any FAQ or tutorial on how to setup the server accordingly.

There seems to exist some "encrypt" methods associated with the passwords, but I do not see a way how to use this.

Can anyone help on this?
Re: [CDO] server-side password hashing [message #1833229 is a reply to message #1833208] Wed, 07 October 2020 11:22 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6556
Registered: July 2009
Senior Member
Please submit an enhancement request and I'll see what I can do ;-)

Re: [CDO] server-side password hashing [message #1833267 is a reply to message #1833229] Thu, 08 October 2020 07:59 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6556
Registered: July 2009
Senior Member
I've submitted and resolved Bug 567696 - [DB] Make it easier to customize ITypeMappings, https://bugs.eclipse.org/bugs/show_bug.cgi?id=567696

To be picky, I think "hashing" is not a good term because the encoding function for user passwords must be bijective (invertible), and hash functions are not necessarily injective, typically they are not. The code example that I pushed to Git uses a symmetric PBEWithMD5AndDES cypher. The example is described in the bugzilla.

Note that the entire approach to encrypting the stored passwords is implemented on the DBStore level. In memory the UserPassword objects contain the plain text passwords.


Re: [CDO] server-side password hashing [message #1833301 is a reply to message #1833267] Thu, 08 October 2020 14:51 Go to previous messageGo to next message
Robert Schulk is currently offline Robert SchulkFriend
Messages: 109
Registered: July 2015
Senior Member
Wow, thanks for the fast implementation!

On the topic of hashing vs encoding. Why do you see it necessary to be able to decode the passwords?
Usually if a user forgets their password, a new one needs to be created anyways?
Re: [CDO] server-side password hashing [message #1833319 is a reply to message #1833301] Fri, 09 October 2020 06:13 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6556
Registered: July 2009
Senior Member
In general it's possible, and probably good, to store the result of a one-way function (hash, digest). And in theory the authenticator (org.eclipse.emf.cdo.server.internal.security.SecurityManager.Authenticator) would be able to apply the same one-way function to the clear-text password that is received from the client (the wire protocol uses Diffie-Hellman key exchange, i.e., no clear-text password over the wire), and then compare the result to the stored hash. But the SecurityManager is built on top of the Security model, and the Security model, which keeps the user credentials in memory, does not know about the SecurityManager. If you open the Call Hierarchy on the following two methods you'll see that there are a few paths that don't necessarily go through the higher SecurityManager:

org.eclipse.emf.cdo.security.UserPassword.getEncrypted()
org.eclipse.emf.cdo.security.UserPassword.setEncrypted(String)


I see no easy way to inject a one-way function into the Security model itself. Note that there may be many copies of this model, each managed by its own CDOView/CDOTransaction. If you find a way I'll be happy to review a respective patch.

The storage layer-only approach that I proposed is fully symmetric and requires an attacker to gain control over the running VM. In that case, in theory, she could decrypt the user passwords. But then that's probably not the only problem. If your users' passwords must be safe even in this case, I'd need funding to implement and test a more complex solution.


Re: [CDO] server-side password hashing [message #1833340 is a reply to message #1833319] Fri, 09 October 2020 12:50 Go to previous message
Robert Schulk is currently offline Robert SchulkFriend
Messages: 109
Registered: July 2015
Senior Member
Ok! We will investigate on this a little.
If we find a good solution, I will post it here.
Previous Topic:Handling references to XML datatypes uniformly
Next Topic:[CDO] Guidelines for upgrading from CDO 4.1 to 4.11
Goto Forum:
  


Current Time: Tue Apr 20 08:36:49 GMT 2021

Powered by FUDForum. Page generated in 0.02772 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top