[jira] Created: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux


[jira] Created: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux
--------------------------------------------------------------------------------------

                 Key: OFBIZ-1406
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1406
             Project: OFBiz
          Issue Type: New Feature
          Components: party
    Affects Versions: SVN trunk
            Reporter: Hans Bakker
            Priority: Minor
             Fix For: SVN trunk
         Attachments: password.diff

If a company replaces their OSCommerce systems with ofbiz, they would like to have the customer records imported including the OSCommerce generated encrypted passwords.

This patch will make ofbiz recognize these passwords and let OSCommerce users log in to ofbiz successfully. This patch is however Linux based because it is making use of the Linux operating system command 'md5sum' which operates exactly the same as the php md5 'C' program.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hans Bakker updated OFBIZ-1406:
-------------------------------

    Attachment: password.diff


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542963 ]

Scott Gray commented on OFBIZ-1406:
-----------------------------------

java.security.MessageDigest also produces the same md5 hash (in a byte array that you have to convert to hex) and is platform independent.


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542974 ]

Hans Bakker commented on OFBIZ-1406:
------------------------------------

Scott, I tried that, but could not make the Java MD5 give the same result as the PHP or md5sum Linux command. (The last 2 were the same.)

The code I used:
    HashCrypt.getDigestHash(" salted entered password", "MD5")




[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542976 ]

Scott Gray commented on OFBIZ-1406:
-----------------------------------

Here's a snippet:
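    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    MessageDigest md;
    try {
        md = MessageDigest.getInstance("MD5");
    } catch (NoSuchAlgorithmException e) {
        // Fail here instead of continuing with md == null and hitting a NullPointerException below
        throw new IllegalStateException("MD5 not available", e);
    }
    // Explicit charset, so the digest does not depend on the platform default encoding
    md.update(password.getBytes(StandardCharsets.UTF_8));
    byte[] hashedPasswordBytes = md.digest();

You then need to convert hashedPasswordBytes[] into a hex string. I just pulled a random example off Google to try it out.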


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542978 ]

Jonathon Wong commented on OFBIZ-1406:
--------------------------------------

Hans Bakker said:
> i tried that, but could not make the java MD5 give the same result as the php
> or md5sum linux command

Strange. If that's the case, this is a serious bug in the Java MD5 implementation. The Java folks should be notified of this bug. But it's strange, because MD5 implementations are so straightforward, it's hard to believe they would get it wrong.

Try not to use shell commands (like `md5sum') in OFBiz. Might cause the whole container to abort. I experienced that with ImageMagick.


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542980 ]

Scott Gray commented on OFBIZ-1406:
-----------------------------------

It looks like something to do with the way the byte array is converted into a hex string in OFBiz's HashCrypt class, I'm guessing the result of that conversion is non-standard.


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542981 ]

Jonathon Wong commented on OFBIZ-1406:
--------------------------------------

Scott Gray said:
> It looks like something to do with the way the byte array is converted into a
> hex string in OFBiz's HashCrypt class, I'm guessing the result of that
> conversion is non-standard.

Well, at least the MD5 output (in byte array form) is correct. It has to be, or I'd apply for a job at Sun right away claiming I'm one of the few maths experts who can code MD5 correctly!

Converting a byte array into hex string is trivial. Check HashCrypt to see if it's correct. If not, correct it or use a BetterHashCrypt. No big deal.


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542982 ]

Scott Gray commented on OFBIZ-1406:
-----------------------------------

Yeah not so trivial for an amateur like me, if only we had an expert reverse-engineer to help us!


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543021 ]

Jonathon Wong commented on OFBIZ-1406:
--------------------------------------

Scott Gray said:
> Yeah not so trivial for an amateur like me, if only we had an expert
> reverse-engineer to help us!

Oh, come on! You must be an expert manipulator! Very subtle "encouragement". :P

Fine, I'll take a quick look at HashCrypt to see if it's got a hairball we need to pull out.

So, before I plunge in, confirm that we want to fix HashCrypt (if necessary) and use it?



[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543026 ]

Scott Gray commented on OFBIZ-1406:
-----------------------------------

Who said I was talking about you? :-P

Anyway, I really am no expert here so I'm not sure about a couple of things:
1.  OSCommerce is but one system people might migrate from, do we want code for each of them applied in this manner?
2.  If we change the current byte array to hex method, won't that break existing passwords?  Can we make it backwards compatible somehow?  Since the byte to hex conversion is reversible perhaps we could provide a service to correct the stored password hashes?

Perhaps we should leave things as is and code like Hans' could do a conversion on the hex itself?  Perhaps an incorrect hex value is a security feature in itself?


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543028 ]

Jonathon Wong commented on OFBIZ-1406:
--------------------------------------

Scott Gray said:
> Who said I was talking about you? :-P

Oops. Too late, I volunteered my time, you manipulator!

Anyway, it's confirmed. The Java MD5 implementation is correct. There is some deliberate translation when converting the byte array to hex string. Something like a "mangling algo" that mangles the original MD5 (SHA, in OFBiz's case?) when converting from byte array to hex string.

Scott Gray said:
> 1. OSCommerce is but one system people might migrate from, do we want code
> for each of them applied in this manner?

I think it was Hans who advised someone on ML to use a plug-in architecture approach to replace the existing "password generating and handling" algo in OFBiz?

That's the best way.

The original plug-in will use HashCrypt. The osCommerce plug-in will not.

Scott Gray said:
> 2. If we change the current byte array to hex method, won't that break
> existing passwords?

Definitely. Have 2 plug-ins (or algos), 1 for OFBiz passwords and the other for osCommerce passwords.

Scott Gray said:
> Can we make it backwards compatible somehow?

No need to. Just don't remove the original OFBiz "password generating and handling" algo.

Scott Gray said:
> Since the byte to hex conversion is reversible perhaps we could provide a
> service to correct the stored password hashes?

I think the original purpose was to convert all osCommerce password hashes into OFBiz password hashes. That's simple enough, if OFBiz receives the plain password. It does.

Once OFBiz receives the plain password, it'll:

1. Look at the stored password hash

2. Check the password (use the correct algo, depending on whether hash is
   osCommerce-format or not).

3. Convert password hash into OFBiz format if it isn't in that format already.

How to convert password into OFBiz format? Just use HashCrypt!

Scott Gray said:
> Perhaps an incorrect hex value is a security feature in itself?

It's not an effective security. It's what we usually call "security by obscurity", because we will be hoping no one gets the "mangling algo" that mangles the original MD5 (SHA, actually) digest when converting from byte array to hex string.

Note that a dictionary attack is still perfectly feasible. All the attacker has to do is to get a computer to generate the dictionary using the *exact* mangling algo. A random salt for every single password hash is an effective way to defeat dictionary attacks, this "security by obscurity" approach is not.
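
The three login steps above (inspect the stored hash, verify with the matching algorithm, convert to the native format), together with the standard byte-to-hex conversion discussed earlier in the thread, as an added example that is not part of the thread or of OFBiz. The legacy layout `md5(salt + password):salt` is assumed from the thread's description of a ':' separator and a salt placed in front of the password; the class and method names, the `pbkdf2$...` stored format and the PBKDF2 stand-in for the native hasher are hypothetical, since HashCrypt's actual output is not shown on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not OFBiz code): verify legacy hashes in pure Java, re-hash at first login.
public class LegacyPasswordMigration {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int ITERATIONS = 600_000; // assumption: tune for your hardware

    // Standard lowercase hex, two digits per byte, as md5sum and PHP md5() print it.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            int v = b & 0xff; // Java bytes are signed: mask before shifting
            sb.append(Character.forDigit(v >>> 4, 16)).append(Character.forDigit(v & 0x0f, 16));
        }
        return sb.toString();
    }

    static String md5Hex(String input) {
        try {
            return toHex(MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // Legacy layout assumed here: 32 hex digits, ':', then a non-empty salt.
    static boolean isLegacy(String stored) {
        return stored.matches("[0-9a-f]{32}:.+");
    }

    static boolean verifyLegacy(String stored, String plain) {
        String expected = stored.substring(0, 32);
        String salt = stored.substring(33);
        return constantTimeEquals(md5Hex(salt + plain), expected); // salt goes in front of the password
    }

    // Stand-in for the native hasher (hypothetical format "pbkdf2$<salt>$<hex>", NOT HashCrypt).
    static String hashNative(String plain) {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt); // a fresh random salt for every password
        String saltHex = toHex(salt);
        return "pbkdf2$" + saltHex + "$" + pbkdf2Hex(plain, saltHex);
    }

    static boolean verifyNative(String stored, String plain) {
        String[] parts = stored.split("\\$");
        return parts.length == 3 && parts[0].equals("pbkdf2")
                && constantTimeEquals(pbkdf2Hex(plain, parts[1]), parts[2]);
    }

    static String pbkdf2Hex(String plain, String saltHex) {
        try {
            PBEKeySpec spec = new PBEKeySpec(plain.toCharArray(),
                    saltHex.getBytes(StandardCharsets.US_ASCII), ITERATIONS, 256);
            return toHex(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 not available", e);
        }
    }

    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII), b.getBytes(StandardCharsets.US_ASCII));
    }

    // The three steps from the thread: inspect the stored hash, verify with the
    // matching algorithm, and convert a legacy hash once the password is proven.
    static boolean login(Map<String, String> store, String user, String plain) {
        String stored = store.get(user);
        if (stored == null) return false;
        if (!isLegacy(stored)) return verifyNative(stored, plain);
        if (!verifyLegacy(stored, plain)) return false;
        store.put(user, hashNative(plain)); // legacy MD5 hash is overwritten, not kept
        return true;
    }

    public static void main(String[] args) {
        // RFC 1321 test vector: proves digest + hex conversion match md5sum / PHP md5().
        if (!md5Hex("abc").equals("900150983cd24fb0d6963f7d28e17f72")) {
            throw new AssertionError("non-standard hex conversion");
        }
        // Constructed sample record: user "alice", password "s3cret", salt "ab".
        Map<String, String> store = new HashMap<>();
        store.put("alice", md5Hex("ab" + "s3cret") + ":ab");
        System.out.println("wrong password accepted: " + login(store, "alice", "guess"));
        System.out.println("still legacy afterwards: " + isLegacy(store.get("alice")));
        System.out.println("correct password accepted: " + login(store, "alice", "s3cret"));
        System.out.println("stored value now: " + store.get("alice"));
        System.out.println("second login (native path): " + login(store, "alice", "s3cret"));
    }
}
```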


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543037 ]

Jonathon Wong commented on OFBIZ-1406:
--------------------------------------

Commenting on Hans' patch.

The osCommerce salting algo seems correct. I believe testing will show that Hans' patch does let OFBiz recognize osCommerce password hashes, and verify plain passwords against them correctly. Anybody tested yet?

The only thing left to do is to replace the platform-specific `md5sum' part with Java's MessageDigest toolkit.


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543042 ]

Hans Bakker commented on OFBIZ-1406:
------------------------------------

Thank you gentlemen for all your help. I have tested this patch and it is working fine to recognize oscommerce passwords and correctly validate them when existing OSCommerce users log on. New passwords however are generated/validated the 'ofbiz' style.....
I think we only need plugins for existing converted passwords to validate against.



[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543045 ]

Scott Gray commented on OFBIZ-1406:
-----------------------------------

I'm still not sure of this, it seems too implementation specific.  What if another system comes along that has a ":" in the same position but adds the salt to the end of the password instead of the start?  Also a standard system is having to check for an OSCommerce password on every login even though none may exist.

I think this could be a perfect opportunity for a plug-in, we could keep a library of password migration classes.  When a customer needs to migrate from another system you just configure OFBiz to use the plugin for that system and as each user logs in it validates the existing password then updates it to the OFBiz version.


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12545046 ]

Jonathon Wong commented on OFBIZ-1406:
--------------------------------------

So, are we moving ahead with this? It's confirmed that the Java library for MD5 works as expected, and we don't need the "C program" for `md5', right?

Yeah, this seems the right time for a plug-in architecture. I'm getting many clients asking the same old question: "is OFBiz secure?". It helps if I can tell them that the password hashes are salted.


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12545107 ]

David E. Jones commented on OFBIZ-1406:
---------------------------------------

Where would a plugin fit into this, or how would a plugin help this? Also, what kind of plugin do you mean... like make this a service and use an ECA rule to extend it?

Really it seems like what is needed here is a few code changes that go right into the project.


[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12545152 ]

Jonathon Wong commented on OFBIZ-1406:
--------------------------------------

Some OFBiz users may not want the same salting algo. Some users may not have time or may not want to migrate to the new password hashes. Others may want some fanciful way to further obfuscate the password (much like how OFBiz also has its own mangling of password hashes).

There might be many opinions on how password hashes should be generated. Making the "password handling and hash generating" section of OFBiz changeable via plug-ins would serve many.

The "few code changes" also applies to making OFBiz receptive to plug-ins. It's not a huge refactor, since it all seems channeled through HashCrypt now.

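The two points raised in Jonathon Wong's comments above (computing MD5 with the Java library instead of an external `md5sum`, and putting password handling behind a plug-in), shown as an added example that is not code from this thread, the attached patch, or OFBiz. The `PasswordVerifier` interface and the class names are hypothetical, and the osCommerce stored format `md5(salt + password):salt` with a two-character salt is an assumption not stated on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.List;

public class LegacyPasswordDemo {
    /** Hypothetical plug-in contract: one implementation per stored-hash format. */
    interface PasswordVerifier {
        boolean supports(String stored);
        boolean verify(String plain, String stored) throws NoSuchAlgorithmException;
    }

    /** Assumed osCommerce layout: hex(md5(salt + plain)) + ":" + two-character salt. */
    static class OsCommerceVerifier implements PasswordVerifier {
        public boolean supports(String stored) {
            return stored.matches("[0-9a-f]{32}:.{2}");
        }
        public boolean verify(String plain, String stored) throws NoSuchAlgorithmException {
            String[] parts = stored.split(":", 2); // parts[0] = hex digest, parts[1] = salt
            byte[] expected = parts[0].getBytes(StandardCharsets.US_ASCII);
            byte[] actual = md5Hex(parts[1] + plain).getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(expected, actual); // avoids early-exit comparison
        }
    }

    /** MD5 through java.security, so no operating system command is involved. */
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Dispatches to the first verifier that recognises the stored format. */
    static boolean check(List<PasswordVerifier> plugins, String plain, String stored)
            throws NoSuchAlgorithmException {
        for (PasswordVerifier v : plugins) {
            if (v.supports(stored)) return v.verify(plain, stored);
        }
        return false; // unknown format: fail closed
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample record: salt "a1", password "secret".
        String stored = md5Hex("a1" + "secret") + ":a1";
        List<PasswordVerifier> plugins = List.of(new OsCommerceVerifier());
        System.out.println("correct password: " + check(plugins, "secret", stored));
        System.out.println("wrong password:   " + check(plugins, "wrong", stored));
        System.out.println("unknown format:   " + check(plugins, "secret", "not-a-known-format"));
    }
}
```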

[jira] Commented: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12545175 ]

Jacques Le Roux commented on OFBIZ-1406:
----------------------------------------

Plugins sound like a good idea to me for this issue. Jonathon or Hans, have you a precise view of how to do it?


[jira] Closed: (OFBIZ-1406) make ofbiz recognize OSCommerce generated and imported encrypted passwords under Linux

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hans Bakker closed OFBIZ-1406.
------------------------------

    Resolution: Won't Fix

Although the attached patch makes it possible, it will not be included in the general ofbiz distribution.
