Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2014/06/25 15:24:26 UTC

[jira] [Updated] (SYNCOPE-513) Make value encryption parametric

     [ https://issues.apache.org/jira/browse/SYNCOPE-513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò updated SYNCOPE-513:
-------------------------------------------

      Description: 
In the {{PasswordEncoder}} (1.1.X) / {{Encryptor}} (1.2.X) class the salt mechanism configuration is hardcoded.
If the LDAP server doesn't use the same salt mechanism configuration, the password can't be matched during authentication.

For example, the SSHA digest from OpenDJ uses a suffixed 8-byte salt (in hash and plain).

Original:
            digester.setIterations(100000);
            digester.setSaltSizeBytes(16);

Modified for OpenDJ:
            digester.setIterations(1);
            digester.setSaltSizeBytes(8);
            digester.setInvertPositionOfPlainSaltInEncryptionResults(true);
            digester.setInvertPositionOfSaltInMessageBeforeDigesting(true);

{{Encryptor}} can read from global configuration parameters, so that you can configure some aspects of the way ciphered values (not only password values in 1.2.X) are produced.

  was:
In the PasswordEncoder class the salt mechanism configuration is hardcoded.
If the LDAP doesn't use the same salt mechanism configuration, the password can't be matched during authentication.

For example, the SSHA digest from OpenDJ uses a suffixed 8-byte salt (in hash and plain).

Original:
            digester.setIterations(100000);
            digester.setSaltSizeBytes(16);

Modified for OpenDJ:
            digester.setIterations(1);
            digester.setSaltSizeBytes(8);
            digester.setInvertPositionOfPlainSaltInEncryptionResults(true);
            digester.setInvertPositionOfSaltInMessageBeforeDigesting(true);

Maybe adding a way to configure custom cipher algorithms will allow more widespread interoperability with existing LDAPv3 implementations in the market.



      Environment:     (was: OpenDJ as LDAP)
    Fix Version/s: 1.2.0
       Issue Type: Improvement  (was: Bug)
          Summary: Make value encryption parametric  (was: Salted cipher algorithms incompatible interoperability with OpenDJ)

> Make value encryption parametric
> --------------------------------
>
>                 Key: SYNCOPE-513
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-513
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.8
>            Reporter: Yann Diorcet
>             Fix For: 1.2.0
>
>
> In the {{PasswordEncoder}} (1.1.X) / {{Encryptor}} (1.2.X) class the salt mechanism configuration is hardcoded.
> If the LDAP server doesn't use the same salt mechanism configuration, the password can't be matched during authentication.
> For example, the SSHA digest from OpenDJ uses a suffixed 8-byte salt (in hash and plain).
> Original:
>             digester.setIterations(100000);
>             digester.setSaltSizeBytes(16);
> Modified for OpenDJ:
>             digester.setIterations(1);
>             digester.setSaltSizeBytes(8);
>             digester.setInvertPositionOfPlainSaltInEncryptionResults(true);
>             digester.setInvertPositionOfSaltInMessageBeforeDigesting(true);
> {{Encryptor}} can read from global configuration parameters, so that you can configure some aspects of the way ciphered values (not only password values in 1.2.X) are produced.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
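The following Python is an added example, not Syncope or jasypt code, that reimplements the four digester knobs named in the issue (iterations, salt size, salt position in the message before digesting, salt position in the stored result) as a configurable profile, so the interoperability problem can be reproduced offline: an OpenDJ-style {SSHA} value (SHA-1 over password||salt, salt appended to the digest, 8-byte salt, one iteration) only verifies under a profile that knows that layout, while the hardcoded profile silently fails. Assumptions: SHA-1 is the digest behind SSHA in both profiles, the hardcoded profile prepends the salt (jasypt's non-inverted default), and the sample userPassword value is constructed here rather than captured from a directory.

```python
"""Parametric salted-digest matching, mirroring the digester setters quoted in
SYNCOPE-513.  Added example; not Syncope or jasypt code."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DigestProfile:
    """One configurable profile; each field corresponds to a digester setter."""
    algorithm: str = "sha1"            # assumption: SSHA = salted SHA-1 in both profiles
    iterations: int = 1                # digester.setIterations(n)
    salt_size_bytes: int = 8           # digester.setSaltSizeBytes(n)
    salt_after_message: bool = False   # setInvertPositionOfSaltInMessageBeforeDigesting
    salt_after_digest: bool = False    # setInvertPositionOfPlainSaltInEncryptionResults


# The values the description calls "Original" (hardcoded, salt prepended by assumption).
HARDCODED_SSHA = DigestProfile(iterations=100000, salt_size_bytes=16)
# The values the description calls "Modified for OpenDJ".
OPENDJ_SSHA = DigestProfile(iterations=1, salt_size_bytes=8,
                            salt_after_message=True, salt_after_digest=True)


def _raw_digest(profile: DigestProfile, password: bytes, salt: bytes) -> bytes:
    """Hash salt||password (or password||salt), then re-hash iterations-1 times."""
    message = password + salt if profile.salt_after_message else salt + password
    out = hashlib.new(profile.algorithm, message).digest()
    for _ in range(profile.iterations - 1):
        out = hashlib.new(profile.algorithm, out).digest()
    return out


def encode(profile: DigestProfile, password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Produce base64(salt||digest) or base64(digest||salt) according to the profile."""
    if salt is None:
        salt = os.urandom(profile.salt_size_bytes)
    if len(salt) != profile.salt_size_bytes:
        raise ValueError("salt length does not match profile")
    digest = _raw_digest(profile, password, salt)
    raw = digest + salt if profile.salt_after_digest else salt + digest
    return base64.b64encode(raw)


def matches(profile: DigestProfile, password: bytes, encoded: bytes) -> bool:
    """Split the stored value according to the profile and recompute the digest."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False
    n = profile.salt_size_bytes
    if len(raw) <= n:                       # no room for both a salt and a digest
        return False
    if profile.salt_after_digest:
        digest, salt = raw[:-n], raw[-n:]
    else:
        salt, digest = raw[:n], raw[n:]
    # Constant-time comparison; a wrong salt layout shows up as a length mismatch here.
    return hmac.compare_digest(digest, _raw_digest(profile, password, salt))


def ldap_userpassword_matches(profile: DigestProfile, password: bytes,
                              user_password: bytes) -> bool:
    """Check an RFC 2307-style userPassword value such as b'{SSHA}...' against a profile."""
    if not user_password.startswith(b"{SSHA}"):
        return False
    return matches(profile, password, user_password[len(b"{SSHA}"):])


def reference_opendj_ssha(password: bytes, salt: bytes) -> bytes:
    """Constructed sample built independently of the parametric code above:
    {SSHA} + base64(SHA-1(password || salt) || salt), salt suffixed in both places."""
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)


if __name__ == "__main__":
    sample = reference_opendj_ssha(b"secret", bytes(range(1, 9)))
    print("OpenDJ profile matches:   ", ldap_userpassword_matches(OPENDJ_SSHA, b"secret", sample))
    print("hardcoded profile matches:", ldap_userpassword_matches(HARDCODED_SSHA, b"secret", sample))
```

Reading the two profiles side by side makes the failure mode concrete: the hardcoded profile slices 16 bytes of salt off the front of a value that actually carries 8 bytes of salt at the end, so the recomputed digest can never equal the stored one, even with the correct password. Making the profile a configuration parameter, as the issue proposes, is what lets the same code match values produced by a directory with different conventions.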