3 Replies Latest reply on Oct 4, 2004 12:58 PM by starksm64

    salted password hashing

    danorris
    danorris Oct 2, 2004 11:19 PM

      All,

      I was delighted to discover that JBoss' built-in login modules now support password hashing. Is there a way to support *salted* hashes out of the box?

      On another note, I couldn't get the forum search tool to do "search for all terms" properly. For "passwordHash salt," it gave me the same results whether I searched for all terms or any. And none of the pages I could find contained the word "salt." It used to work... okay, no big deal, just thought I'd mention it.

      Many thanks, and to the development team, *great job* on 4.0!

      • 5224 Views
      • Tags:
        • 1. Re: salted password hashing
          starksm64
          starksm64 Oct 4, 2004 2:30 AM (in response to danorris)

          No, the password hash just uses the java.security.MessageDigest for the indicated algorithm and there is no salt added. Is there a specific mechanism for adding a salt your looking for?

            • Actions
          • 2. Re: salted password hashing
            danorris
            danorris Oct 4, 2004 3:50 AM (in response to danorris)

            We use the user ID (a UUID) as a salt by prepending it to the password before hashing. I know it's easy to subclass the stock module and control the way it tests passwords; I just wondered if it'd do it for me.

            I guess one problem with supporting this in the built-in modules is that there are so many ways of doing it. Use some random characters as a salt? Something else? Where does the salt get stored -- in its own database column or prepended / appended to the hash output a-la-crypt()?

            It might be worth implementing at least minimal support for it though, since in my opinion hashed passwords are completely useless without salts (too easy to precompute cracking tables and run them against a compromised database).

            Does JBoss accept code contributions from the community? I wouldn't mind adding basic crypt()-style salt support to the stock module for a future version...

              • Actions
            • 3. Re: salted password hashing
              starksm64
              starksm64 Oct 4, 2004 12:58 PM (in response to danorris)

              Right, there is any number of ways the salt could be incorporated. The most general approach would be to add an interface that allowed for arbitrary updating of the MessageDigest. The interface could be something like:

              public interface DigestCallback
{
 /** Pass through access to the login module options */
 public void init(Map options);
 /** Pre-hash callout to allow for content before the password */
 public void preDigest(MessageDigest digest);
 /** Post-hash callout afer the password has been added to allow for content after the password */
 public void postDigest(MessageDigest digest);
}


              and the implementation class would be specified as an option to the login module.

              Patches for suggested mods can be sumitted to sourceforge:
              http://sourceforge.net/tracker/?group_id=22866&atid=376687


                • Actions