Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2014/06/23 09:12:24 UTC

[jira] [Commented] (SYNCOPE-513) Salted cipher algorithms incompatible interoperability with OpenDJ

    [ https://issues.apache.org/jira/browse/SYNCOPE-513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14040477#comment-14040477 ] 

Francesco Chicchiriccò commented on SYNCOPE-513:
------------------------------------------------

If you are proposing to make {{Encryptor}} (1.2.X) (it is {{PasswordEncoder}} in 1.1.X) parametric, so that you can configure some aspects of the way ciphered values (not only password values, in 1.2.X) are produced, I agree.
Then we can put some information on the wiki about how to set such parameters to generate salted passwords in a fashion that is compatible with some popular LDAP server implementations.

In this case, however, I would change the model (from Bug to Improvement) and the title of this issue to something like "Make value encryption parametric". I would then say that such a feature will be provided with 1.2.0.

Finally, given the discussion we had in SYNCOPE-313 about HEX and BASE64 encoding, you will anyway not be able to simply copy password values over from LDAP to Syncope's internal storage - {{LDAPPasswordSyncActions}} will be taking care of this.

> Salted cipher algorithms incompatible interoperability with OpenDJ
> ------------------------------------------------------------------
>
>                 Key: SYNCOPE-513
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-513
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.1.8
>         Environment: OpenDJ as LDAP
>            Reporter: Yann Diorcet
>
> In the PasswordEncoder class the salt mechanism configuration is hardcoded.
> If the LDAP server doesn't use the same salt mechanism configuration, the password can't be matched during authentication.
> For example, the SSHA digest from OpenDJ uses a suffixed 8-byte salt (in both hash and plain)
> Original:
>             digester.setIterations(100000);
>             digester.setSaltSizeBytes(16);
> Modified for OpenDJ
>             digester.setIterations(1);
>             digester.setSaltSizeBytes(8);
>             digester.setInvertPositionOfPlainSaltInEncryptionResults(true);
>             digester.setInvertPositionOfSaltInMessageBeforeDigesting(true);
> Maybe adding a way to configure custom cipher algorithms will allow more widespread interoperability with existing LDAPv3 implementations in the market



--
This message was sent by Atlassian JIRA
(v6.2#6252)