[QPID-6993] [Java Broker] Improve security of SCRAM-* authentication managers by not storing the salted passwords - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: qpid-java-6.0.1, qpid-java-6.1
Component/s: Broker-J
Labels:
None

Description

Currently the SCRAM-* authentication managers store the salted hashed password. If this information is somehow leaked then the possesor of the information could use this value to log in to the broker without knowing the plain test password.

We can change the storage mechanism to store instead the "storedKey" and "serverKey" which will not allow the possesor of the leaked configuration to authenticate - they will need to know either the plain text password or the hashed slated password - which cannot be recovered from the password file.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

0001-QPID-6993-Java-Broker-Refactoring.patch
18/Jan/16 15:19
12 kB
Lorenz Quack

Issue Links

is related to

QPID-7067 Scram SHA upgrader loses the original password

Closed

Activity

People

Assignee:: Lorenz Quack

Reporter:: Robert Godfrey

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 12/Jan/16 14:45

Updated:: 15/Feb/16 14:30

Resolved:: 12/Jan/16 15:51