OFBIZ-3006: entity encrypt columns not using encryption salt value?

Project: OFBiz
Parent: OFBIZ-1525 Issue to group security concerns


Details

• Type: Sub-task
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: Trunk
• Fix Version/s: Trunk
• Component/s: framework
• Labels: None
• Sprint: Bug Crush Event - 21/2/2015

Description

It looks as though no salt data is used when saving encrypted entity data, making the stored data susceptible to dictionary attacks.

If you look through the stored demo data, you can see all the demo accounts' passwords are the same:

UserLogin:
admin     {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
...

As a comparison, if you create two unix accounts, "ofbiz1" and "ofbiz2", and set both passwords to "ofbiz":

ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::

You can see that on unix, even though the passwords are the same, the encrypted values are completely different.

For more information see:

http://en.wikipedia.org/wiki/Salt_(cryptography)
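As an added illustration (not code from the OFBiz project or from this report), the Python below contrasts the unsalted {SHA}<hex> shape seen in the demo data with a salted, iterated scheme in which the salt is stored beside the digest, as the unix crypt lines above do. The $pbkdf2-sha256$ storage format, its parser and the sample account names are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

def unsalted_sha1(password: str) -> str:
    """Legacy shape mimicking the demo data: a bare SHA-1 hex digest after
    a {SHA} prefix. With no salt, equal passwords always yield equal values,
    so one dictionary lookup breaks every account sharing that password."""
    return "{SHA}" + hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh 16-byte random salt is
    drawn per record unless one is supplied (constructed storage format:
    $pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Re-derive the digest using the salt and iteration count carried in the
    stored value, then compare in constant time. Malformed records never
    raise; they simply fail verification."""
    try:
        _, scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), digest_hex)

def demo_table(password: str = "ofbiz"):
    """Two constructed accounts with the same password: the unsalted column
    is identical for both, the salted column differs per account."""
    users = ("admin", "flexadmin")
    unsalted = {u: unsalted_sha1(password) for u in users}
    salted = {u: salted_hash(password) for u in users}
    return unsalted, salted

if __name__ == "__main__":
    for table in demo_table():
        for user, value in table.items():
            print(f"{user:<10}{value}")
```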

People

• Assignee: doogie Adam Heath
• Reporter: snowch chris snow