Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-3006

entity encrypt columns not using encryption salt value?

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Trunk
    • Trunk
    • framework
    • None
    • Bug Crush Event - 21/2/2015

    Description

      It looks as though no salt data is used when saving encrypted entity data making the stored data susceptible to dictionary attacks.

      If you look through the stored demo data, you can see all the demo accounts passwords are the same:

      UserLogin:
admin     {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
...

      As a comparison, if you create a two unix accounts, "ofbiz1" and "ofbiz2" and set both passwords to "ofbiz"

      ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::

      You can see that on unix, even though the passwords are the same, the encrypted values are completely different.

      For more information see:

      http://en.wikipedia.org/wiki/Salt_(cryptography)

      Attachments

        Issue Links

          blocks

          Sub-task - The sub-task of the issue OFBIZ-1151 Passwords are not salted

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              doogie Adam Heath
              snowch chris snow
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: