[ovirt-devel] Feature AAA JDBC password hashing

Alon Bar-Lev alonbl at redhat.com
Thu Apr 24 13:14:06 UTC 2014



----- Original Message -----
> From: "Sven Kieske" <S.Kieske at mittwald.de>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: devel at ovirt.org
> Sent: Thursday, April 24, 2014 4:01:52 PM
> Subject: Re: [ovirt-devel] Feature AAA JDBC password hashing
> 
> scrypt is no cipher, it's a key derivation function
> based on a hash.
> see [1] or [2] for details.
> 
> I know that http://www.ovirt.org/Features/AAA_JDBC
> states there will be additional anti brute force
> mechanics, but those don't apply e.g. if a database
> gets stolen.

We rely on what Java JCE can provide natively to avoid US export regulation issues.

I believe that the basic implementation of random + hash(random, password) should be sufficient for 99% of cases.

If someone needs additional security he can always fork this extension and enhance it or just use LDAP which complies with the requirements he may have.

> 
> HTH
> 
> Am 24.04.2014 14:39, schrieb Alon Bar-Lev:
> > Why do you need cipher when you can use hash?
> 
> PS:
> This is just a general remark regarding security.
> 
> I don't know about the scope of this feature
> as it is neither stated in the BZ nor on the
> wiki, so I might be wrong.
> 
> [1] https://en.wikipedia.org/wiki/Scrypt
> [2] http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01
> 
> --
> Mit freundlichen Grüßen / Regards
> 
> Sven Kieske
> 
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Geschäftsführer: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
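
Added example, not part of this thread or of the oVirt code base: the `random + hash(random, password)` scheme discussed above next to an iterated derivation, both using only stock JCE classes, to show the per-guess cost that matters when a stolen database is attacked offline. The class name, salt length, iteration count and sample passwords are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class PasswordHashDemo {
    static final int ITERATIONS = 100_000; // assumed work factor, tune per deployment

    static byte[] newSalt() {
        byte[] salt = new byte[16]; // assumed salt length
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // random + hash(random, password): a single SHA-256 pass over salt || password
    static byte[] saltedHash(byte[] salt, char[] password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
    }

    // Iterated derivation with the JCE's built-in PBKDF2 (this algorithm name needs Java 8+)
    static byte[] pbkdf2(byte[] salt, char[] password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] good = "constructed-sample-password".toCharArray(); // constructed input
        char[] bad = "wrong-guess".toCharArray();                  // constructed input
        byte[] salt = newSalt();
        long t0 = System.nanoTime();
        byte[] storedHash = saltedHash(salt, good);
        long t1 = System.nanoTime();
        byte[] storedKdf = pbkdf2(salt, good);
        long t2 = System.nanoTime();
        // MessageDigest.isEqual compares in constant time
        System.out.println("hash ok=" + MessageDigest.isEqual(storedHash, saltedHash(salt, good))
                + " wrong=" + MessageDigest.isEqual(storedHash, saltedHash(salt, bad)));
        System.out.println("kdf  ok=" + MessageDigest.isEqual(storedKdf, pbkdf2(salt, good))
                + " wrong=" + MessageDigest.isEqual(storedKdf, pbkdf2(salt, bad)));
        System.out.printf("per guess: hash %d us, pbkdf2 %d us%n", (t1 - t0) / 1000, (t2 - t1) / 1000);
    }
}
```

The timings are single-shot and include JIT and provider warm-up, so read them as an order-of-magnitude comparison only.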


