[jira] [Commented] (OFBIZ-3006) entity encrypt columns not using encryption salt value?

[jira] [Commented] (OFBIZ-3006) entity encrypt columns not using encryption salt value?

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14037612#comment-14037612 ]

Adam Heath commented on OFBIZ-3006:
-----------------------------------

This issue is about using salt for one-way hashes.  That particular feature has been implemented for 2 years.  I'll be verifying the demo data, to see how much of the hashed passwords are the same, and changing them if that is the case.

As for using salt for bi-directional encryption, that's more problematic.  If you want to be able to do exact-match lookups on encrypted values, then you can't use salt, as the stored value and the encrypted value in the database WHERE clause would end up being different (due to random salt bytes being prepended).  See OFBIZ-5659 for a more detailed discussion.

> entity encrypt columns not using encryption salt value?
> -------------------------------------------------------
>
>                 Key: OFBIZ-3006
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3006
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: chris snow
>            Assignee: Adam Heath
>
> It looks as though no salt data is used when saving encrypted entity data, making the stored data susceptible to dictionary attacks.
> If you look through the stored demo data, you can see all the demo accounts' passwords are the same:
> {code}
> UserLogin:
> admin     {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> ...
> {code}
> As a comparison, if you create two unix accounts, "ofbiz1" and "ofbiz2", and set both passwords to "ofbiz":
> {code}
> ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
> ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
> {code}
> You can see that on unix, even though the passwords are the same, the encrypted values are completely different.
> For more information see:
> [http://en.wikipedia.org/wiki/Salt_(cryptography)]

--
This message was sent by Atlassian JIRA
(v6.2#6252)
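The trade-off the comment describes, and the salted-hash point the quoted issue makes, as an added example in Go (not OFBiz code, which is Java): a random per-account salt makes equal passwords store different digests, and a random per-row nonce does the same to an encrypted column, which is exactly what defeats an exact-match WHERE clause. It uses HMAC-SHA256 and AES-GCM rather than OFBiz's {SHA} scheme; the keys and salts are constructed, and the fixed-key "blind index" use of keyedDigest is a common mitigation that the issue itself does not propose.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// keyedDigest is HMAC-SHA256(key, data). Keyed with a random per-account salt
// it is a salted password hash (equal passwords, different digests, as in the
// /etc/shadow lines above); keyed with one fixed secret it is a deterministic
// blind index kept beside a ciphertext for exact-match lookups (a common workaround).
func keyedDigest(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// aead builds AES-GCM for a 16-, 24- or 32-byte key.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// encrypt prepends a random nonce to the AES-GCM output, so the same key and
// plaintext give different bytes on every call: "WHERE col = ?" cannot match.
func encrypt(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// decrypt splits off the prepended nonce and opens the ciphertext.
func decrypt(key, data []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	return gcm.Open(nil, data[:n], data[n:], nil)
}
```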