The password and salt are indeed stored in the same database in different columns. The only encoding I ever seem to see is base64, so the hex actually surprised me! (I've next to no experience with hashing passwords, but my googling has tended to yield results that base64-encode hashes and salts.)
As far as ordering of digest inputs goes, that I couldn't say, since it's all done by an Apache Shiro object:

    Sha512Hash shaHasher = new Sha512Hash(password, salt, iterations);

(And the next time shaHasher is mentioned, it's to get the bytes to pass to String.format.)

Regards,
Richard

-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: 14 July 2014 15:54
To: [email protected]
Subject: Re: [cas-user] Using SHA512

> An example hash is:
> 4d8d39a8283a53aeb51061457edc32c6a8e5404864b7571bf7b33d2c3bd5c580869ac1635be0d8ee57581f28b8aa9799729244852eb7aa010e7ac7b1cd69638f
>
> And an example salt is:
> 91f3c641110b2ded640c418046b3cb5af257da06ca98f192085cb10c7443e5e9

I think hex encoding is common and safe to assume generally.

Just to clarify, these values are stored in separate columns in the same table? I would hope that's common and a safe assumption. Supporting values across separate tables is possible, but it's hopefully an edge case we could ignore.

> I also have to be able to specify the number of iterations, of course, which
> is another issue!

That's a common input for salted hashing, so that would be an anticipated configuration point.

The only concern you didn't address is whether the salt is the first input to the digest or the last; I have seen both approaches used in practice. I find it strange that there is no standard or guidance on the matter despite having researched it fairly extensively. It looks like it's simply an arbitrary choice and the CAS component would have to support both approaches.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
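The two open questions in this exchange are the encoding of the stored values (hex vs. base64) and whether the salt goes into the digest before or after the password. The following is an added example written for this page, not code from the thread, from CAS or from Apache Shiro, and in Python rather than Java so it runs stand-alone: it implements salted, iterated SHA-512 in both orderings, accepts hex or base64 stored values, verifies a password against a stored record with a constant-time compare, and shows how to work out which ordering a legacy store used when you have one known-good credential. Assumptions, flagged again in the code: to my understanding Shiro's SimpleHash (the parent of Sha512Hash) digests salt || password in the first round and re-digests the raw output on later rounds, so `salt_first=True` is the Shiro-like path; the left-padding of short hex values guards against Java code that formats the digest with `String.format` on a `BigInteger` without a zero-padded width, which drops leading zero bytes, and is a precaution rather than something the thread confirms; the password and iteration count in the sample record are made up, so the computed hash is not the example hash quoted above (its password is unknown). Iterated plain SHA-512 is a legacy scheme to interoperate with, not one to choose for new stores.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes -> 128 hex chars, as in the thread's example hash
HEX_CHARS = set("0123456789abcdefABCDEF")


def iterated_sha512(password: str, salt: bytes, iterations: int, salt_first: bool = True) -> bytes:
    """Salted, iterated SHA-512 over the UTF-8 bytes of the password.

    salt_first=True: round 1 digests salt || password. To my understanding this is
    what Apache Shiro's SimpleHash does (assumption, not confirmed by the thread).
    salt_first=False: round 1 digests password || salt, the other ordering seen in
    practice. Every later round re-digests the raw 64-byte output of the previous
    round; some implementations re-digest the hex string instead, which would be
    yet another silent variant to check against a legacy store.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    pw = password.encode("utf-8")
    out = hashlib.sha512(salt + pw if salt_first else pw + salt).digest()
    for _ in range(iterations - 1):
        out = hashlib.sha512(out).digest()
    return out


def decode_stored(value: str, expected_len: Optional[int] = None) -> bytes:
    """Decode a stored hash or salt given as hex (as in the thread) or base64.

    Hex is tried first. When expected_len is known, a short hex value is
    left-padded with zeros: Java code that does String.format("%x", new
    BigInteger(1, bytes)) drops leading 0x00 bytes (assumed failure mode).
    base64 of 32- or 64-byte values always ends in '=', so it never looks like hex.
    """
    v = value.strip()
    if set(v) <= HEX_CHARS and (expected_len is None or len(v) <= 2 * expected_len):
        if expected_len is not None:
            v = v.rjust(2 * expected_len, "0")  # restore dropped leading zero bytes
        if len(v) % 2 == 0:
            return bytes.fromhex(v)
    try:
        raw = base64.b64decode(v, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("stored value is neither hex nor base64")
    if expected_len is not None and len(raw) != expected_len:
        raise ValueError("decoded %d bytes, expected %d" % (len(raw), expected_len))
    return raw


def verify(password: str, stored_hash: str, stored_salt: str, iterations: int,
           salt_first: bool = True) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    salt = decode_stored(stored_salt)
    expected = decode_stored(stored_hash, DIGEST_LEN)
    computed = iterated_sha512(password, salt, iterations, salt_first)
    return hmac.compare_digest(computed, expected)


def detect_ordering(password: str, stored_hash: str, stored_salt: str, iterations: int) -> Optional[str]:
    """Given one known-good credential, report which ordering the store used.

    Returns "salt_first", "salt_last", or None if neither matches (wrong
    iteration count, different encoding, or a variant this code does not model).
    """
    for name, salt_first in (("salt_first", True), ("salt_last", False)):
        if verify(password, stored_hash, stored_salt, iterations, salt_first):
            return name
    return None


# Constructed sample record. The salt is the one quoted in the thread; the
# password and iteration count are made up, so the hash is NOT the thread's example.
SAMPLE_SALT_HEX = "91f3c641110b2ded640c418046b3cb5af257da06ca98f192085cb10c7443e5e9"
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_ITERATIONS = 1024


def make_sample_record(salt_first: bool = True) -> dict:
    """Build a row shaped like the separate-columns table described in the thread."""
    digest = iterated_sha512(SAMPLE_PASSWORD, bytes.fromhex(SAMPLE_SALT_HEX), SAMPLE_ITERATIONS, salt_first)
    return {"password_hash": digest.hex(), "salt": SAMPLE_SALT_HEX, "iterations": SAMPLE_ITERATIONS}


if __name__ == "__main__":
    rec = make_sample_record()
    print("hash:", rec["password_hash"])
    print("verify:", verify(SAMPLE_PASSWORD, rec["password_hash"], rec["salt"], rec["iterations"]))
    print("ordering:", detect_ordering(SAMPLE_PASSWORD, rec["password_hash"], rec["salt"], rec["iterations"]))
```

Against a real store, run `detect_ordering` once with a test account whose password you know; if it returns None, vary the iteration count and check whether the writer re-hashed hex strings rather than raw bytes before concluding the encoding is wrong.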
