Feature AAA JDBC password hashing

Hi,

I got a question/remark regarding this page:
http://www.ovirt.org/Features/AAA_JDBC

It states: Account Password Hash function, default sha256

Well, this is not a secure default. I don't know if anything better can be used, but here are some viable alternatives, in decreasing order (when we talk about security): scrypt, bcrypt, PBKDF2

Would it be possible to use one of these as a default?

--
Kind regards / Regards

Sven Kieske
System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
General Partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de>
To: devel@ovirt.org
Sent: Thursday, April 24, 2014 3:36:40 PM
Subject: [ovirt-devel] Feature AAA JDBC password hashing
Hi,
I got a question/remark regarding this page:
http://www.ovirt.org/Features/AAA_JDBC
It states: Account Password Hash function, default sha256
Well, this is not a secure default.
I don't know if anything better can be used, but here are some viable alternatives, in decreasing order (when we talk about security): scrypt, bcrypt, PBKDF2
Would it be possible to use one of these as a default?
Why do you need cipher when you can use hash?
_______________________________________________
Devel mailing list
Devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel

scrypt is no cipher, it's a key derivation function based on a hash. See [1] or [2] for details.

I know that http://www.ovirt.org/Features/AAA_JDBC states there will be additional anti-brute-force mechanics, but those don't apply, e.g. if a database gets stolen.

HTH

On 24.04.2014 14:39, Alon Bar-Lev wrote:
Why do you need cipher when you can use hash?
PS: This is just a general remark regarding security. I don't know about the scope of this feature as it is neither stated in the BZ nor on the wiki, so I might be wrong.

[1] https://en.wikipedia.org/wiki/Scrypt
[2] http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: devel@ovirt.org
Sent: Thursday, April 24, 2014 4:01:52 PM
Subject: Re: [ovirt-devel] Feature AAA JDBC password hashing
scrypt is no cipher, it's a key derivation function based on a hash. See [1] or [2] for details.
I know that http://www.ovirt.org/Features/AAA_JDBC states there will be additional anti-brute-force mechanics, but those don't apply, e.g. if a database gets stolen.

We rely on what Java JCE can provide natively, to avoid US export regulation issues.

I believe that the basic implementation of random + hash(random, password) should be sufficient for 99% of cases.

If someone needs additional security, he can always fork this extension and enhance it, or just use LDAP, which complies with whatever requirements he may have.
HTH
On 24.04.2014 14:39, Alon Bar-Lev wrote:
Why do you need cipher when you can use hash?
PS: This is just a general remark regarding security.
I don't know about the scope of this feature as it is neither stated in the BZ nor on the wiki, so I might be wrong.
[1] https://en.wikipedia.org/wiki/Scrypt
[2] http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01

Well, I honestly don't know about export regulations regarding scrypt, and I'm no lawyer and can't advise on it, but it seems there is a Java implementation of scrypt (same license as oVirt :) ): https://github.com/wg/scrypt

Maybe you can give it a try.

As I already said, I don't know if the SHA-256 value is enough or not. This depends on a lot of factors, which will differ for various users.

I just thought I'd bring it up here on the list. In the end, you must decide what is best to do :)

On 24.04.2014 15:14, Alon Bar-Lev wrote:
We rely on what Java JCE can provide natively, to avoid US export regulation issues.

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: devel@ovirt.org
Sent: Thursday, April 24, 2014 4:31:45 PM
Subject: Re: [ovirt-devel] Feature AAA JDBC password hashing
Well, I honestly don't know about export regulations regarding scrypt, and I'm no lawyer and can't advise on it, but it seems there is a Java implementation of scrypt (same license as oVirt :) ): https://github.com/wg/scrypt
Maybe you can give it a try.
License and cryptographic regulations are two separate things.
As I already said, I don't know if the SHA-256 value is enough or not.
This depends on a lot of factors, which will differ for various users.
I just thought I'd bring it up here on the list. In the end, you must decide what is best to do :)
Thanks!
On 24.04.2014 15:14, Alon Bar-Lev wrote:
We rely on what Java JCE can provide natively, to avoid US export regulation issues.

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Sven Kieske" <S.Kieske@mittwald.de>
Cc: devel@ovirt.org
Sent: Thursday, April 24, 2014 4:46:43 PM
Subject: Re: [ovirt-devel] Feature AAA JDBC password hashing
----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: devel@ovirt.org
Sent: Thursday, April 24, 2014 4:31:45 PM
Subject: Re: [ovirt-devel] Feature AAA JDBC password hashing
Well, I honestly don't know about export regulations regarding scrypt, and I'm no lawyer and can't advise on it, but it seems there is a Java implementation of scrypt (same license as oVirt :) ): https://github.com/wg/scrypt
Maybe you can give it a try.
License and cryptographic regulations are two separate things.
OK, I modified the page with an example of using PBE instead of HMAC. It should be clearer now that it is all about the password.

But only in JDK 8 will there be stronger methods [1]. scrypt is not among these, but if you register it as a crypto provider you should be able to use it.

[1] http://openjdk.java.net/jeps/121
As I already said, I don't know if the SHA-256 value is enough or not.
This depends on a lot of factors, which will differ for various users.
I just thought I'd bring it up here on the list. In the end, you must decide what is best to do :)
Thanks!
On 24.04.2014 15:14, Alon Bar-Lev wrote:
We rely on what Java JCE can provide natively, to avoid US export regulation issues.
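The two schemes this thread compares, as an added example that is not code from the thread or from the oVirt AAA JDBC extension: the salted single-pass SHA-256 that Alon describes as random + hash(random, password), beside PBKDF2 obtained through the same JCE PBE interface (the JDK 8 PBKDF2WithHmacSHA256 algorithm added by JEP 121). The class name, the 16-byte salt, the iteration count, the storage format and the sample password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHashDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // The "random + hash(random, password)" scheme from the thread: one SHA-256 over salt || password.
    // The salt defeats precomputed tables, but a single fast hash still lets whoever steals the
    // table test each guess at raw SHA-256 speed; there is no tunable work factor.
    static String saltedSha256(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));
        return "sha256$" + Base64.getEncoder().encodeToString(salt) + "$" + Base64.getEncoder().encodeToString(md.digest());
    }

    // PBKDF2 through the JCE PBE provider: "PBKDF2WithHmacSHA256" is one of the JDK 8 additions
    // from JEP 121. The iteration count is the work factor (100000 below is an assumed value,
    // not a project setting) and is stored with the salt so verification can repeat it.
    static String pbkdf2(char[] password, int iterations) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return "pbkdf2-sha256$" + iterations + "$" + Base64.getEncoder().encodeToString(salt) + "$" + Base64.getEncoder().encodeToString(dk);
    }

    // Verification recomputes with the stored parameters and compares in constant time,
    // so a mismatch does not leak how many leading bytes of the derived key matched.
    static boolean verifyPbkdf2(char[] password, String stored) throws Exception {
        String[] p = stored.split("\\$");
        byte[] salt = Base64.getDecoder().decode(p[2]);
        byte[] expected = Base64.getDecoder().decode(p[3]);
        PBEKeySpec spec = new PBEKeySpec(password, salt, Integer.parseInt(p[1]), expected.length * 8);
        byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return MessageDigest.isEqual(expected, dk);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample password
        String stored = pbkdf2(pw, 100000);
        System.out.println(saltedSha256(pw) + "\n" + stored + "\nverifies=" + verifyPbkdf2(pw, stored));
    }
}
```

Both methods stay inside what the standard JCE ships, which is the constraint Alon states; only the PBKDF2 variant gives the operator an iteration count to raise as hardware gets faster.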