[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-07 Thread Shi Jinghai (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15728688#comment-15728688
 ] 

Shi Jinghai commented on OFBIZ-8537:


Thank you Junyuan!

Your patch is in rev.1773066. Please check if it's right. If yes, please close 
this issue for now.

You can open a new issue if there's any further improvement such as auto 
upgrading password from SHA/MD5 to PBKDF2 after user logged in successfully.

Kind Regards,

> LoginWorker HashCrypt the type of hash for one-way encryption
> -------------------------------------------------------------
>
> Key: OFBIZ-8537
> URL: https://issues.apache.org/jira/browse/OFBIZ-8537
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
> Affects Versions: Trunk
> Reporter: wangjunyuan
> Assignee: Shi Jinghai
> Priority: Minor
> Labels: HashCrypt, PBKDF2, security.properties
> Attachments: HashCrypt.patch, HashCrypt_new.patch
>
>
> PBKDF2 (Password-Based Key Derivation Function 2) is part of RSA
> Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically
> PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898.
> It replaces an earlier key derivation function, PBKDF1, which could only
> produce derived keys up to 160 bits long. Add this function to OFBiz. This
> PBKDF2 has four types in Java: 'PBKDF2WithHmacSHA1', 'PBKDF2WithHmacSHA256',
> 'PBKDF2WithHmacSHA384', 'PBKDF2WithHmacSHA512'



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-06 Thread Michael Brohl (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15725729#comment-15725729
 ] 

Michael Brohl commented on OFBIZ-8537:
--

Thanks, [~shi.jinghai]!



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-06 Thread Shi Jinghai (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15725615#comment-15725615
 ] 

Shi Jinghai commented on OFBIZ-8537:


Hi Michael,

I have reverted the framework/security/data/PasswordSecurityDemoData.xml.

Kind Regards,



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-06 Thread Michael Brohl (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15724795#comment-15724795
 ] 

Michael Brohl commented on OFBIZ-8537:
--

Hi [~shi.jinghai],

can you please correct this as we currently have an inconsistency between 
configuration and data.

Thanks and best regards,
Michael



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15722402#comment-15722402
 ] 

Jacques Le Roux commented on OFBIZ-8537:


Done at http://markmail.org/message/vtwktynlecx7lczl



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15722234#comment-15722234
 ] 

Jacques Le Roux commented on OFBIZ-8537:


I concur, thanks Junyuan, this is much appreciated :)



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Michael Brohl (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15722019#comment-15722019
 ] 

Michael Brohl commented on OFBIZ-8537:
--

Agree, thanks Jacques.



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15722017#comment-15722017
 ] 

Jacques Le Roux commented on OFBIZ-8537:


I concur, thanks Junyuan, this is much appreciated :)



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15722016#comment-15722016
 ] 

Jacques Le Roux commented on OFBIZ-8537:


When it comes to security it's better to rely on last improvements than an old 
RFC from year 2000. There is also an improvement on PBKDF2, but at least PBKDF2 
is better than SHA-1. I also agree with Pierre that we should better discuss 
this on the dev ML, notably by asking Grégory (our security expert) about what 
he thinks about that. I'll do...



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Pierre Smits (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721938#comment-15721938
 ] 

Pierre Smits commented on OFBIZ-8537:
-

That discussion is much broader than this issue tries to solve. It is also more 
fitting to be discussed in the dev ML as it should probably be part of 
http://ofbiz.markmail.org/message/bjcwhitfd3elutgi ,



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Michael Brohl (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721925#comment-15721925
 ] 

Michael Brohl commented on OFBIZ-8537:
--

I ask myself if we should introduce PBKDF2 if it is not RFC compliant and has 
known weaknesses and/or better solutions are available?



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721921#comment-15721921
 ] 

Jacques Le Roux commented on OFBIZ-8537:


Also this is interesting https://cryptosense.com/parameter-choice-for-pbkdf2/ 
That's why I suggest we use PBKDF2 rather than the old SHA-1



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721910#comment-15721910
 ] 

Jacques Le Roux commented on OFBIZ-8537:


Hi Guys we crossed on wire, see my comments at 
http://markmail.org/message/n6mpoklnecsmmuwi

I was not aware that "PBKDF2 is not compliant with RFC standard" as you said 
Jinghai. Where can I find this information?

BTW note that it has already been superseded 
https://en.wikipedia.org/wiki/PBKDF2#Alternatives_to_PBKDF2



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Michael Brohl (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721836#comment-15721836
 ] 

Michael Brohl commented on OFBIZ-8537:
--

Thank you, [~shi.jinghai]!



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Michael Brohl (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721834#comment-15721834
 ] 

Michael Brohl commented on OFBIZ-8537:
--

No one said that, I guess.

For this issue, the entry should be changed back because it introduces an 
inconsistency in the commit.

If you want to remove the flexadmin entries, this is another case and should be 
filed in another JIRA. It has nothing to do with this issue.



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Shi Jinghai (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721830#comment-15721830
 ] 

Shi Jinghai commented on OFBIZ-8537:


Thanks Michael for reviewing and Pierre for the suggestion on password format 
(see https://github.com/hamano/openldap-pbkdf2)!

I'll change flexadmin's password back to SHA as currently the password format 
of PBKDF2 is not compliant with the RFC standard.



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Pierre Smits (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721812#comment-15721812
 ] 

Pierre Smits commented on OFBIZ-8537:
-

Hi [~wangjunyuan], [~shi.jinghai],

I wonder who said that OFBiz could *not* be volatile, and *not* be breaking 
with the past...

I suggest not to change back, but rather remove the flexadmin references 
everywhere. Preferably in a new JIRA issue. We're talking about demo data



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-05 Thread Michael Brohl (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15721786#comment-15721786
 ] 

Michael Brohl commented on OFBIZ-8537:
--

Hi [~wangjunyuan], [~shi.jinghai],

thanks for your contributions!

I briefly reviewed the patch and think that we should change back the change of 
the demo data flexadmin password. The encryption configuration is still SHA (as 
it should be for backwards compatibility) and the demo data should be 
consistent with the configuration.

If you want to provide an example for PBKDF2 I'd suggest to put it in the 
documentation or as a comment in the demo data.

Thanks,
Michael



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-04 Thread Shi Jinghai (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15720956#comment-15720956
 ] 

Shi Jinghai commented on OFBIZ-8537:


Thank you Junyuan!

Your patch is in rev.1772589. I changed currentPassword from short-varchar to 
long-varchar as a PBKDF2 hashed password is longer than 60 characters.



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-01 Thread wangjunyuan (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15713799#comment-15713799
 ] 

wangjunyuan commented on OFBIZ-8537:


Thanks for Mr Jinghai's guidance with patience!
I have solved the above problem and submitted a new patch. 



[jira] [Commented] (OFBIZ-8537) LoginWorker HashCrypt the type of hash for one-way encryption

2016-12-01 Thread Shi Jinghai (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-8537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15712382#comment-15712382
 ] 

Shi Jinghai commented on OFBIZ-8537:


Thank you Junyuan for this function! (Thank you, Wang Junyuan!)

Well done!

It would be better if the following errors be corrected:
1. I have to remove the first 2 lines of the patch to apply it in my local 
environment as my project is not named as "trunk"

2. the getIterations() should be removed, simply using this line would be ok:

    private static final int PBKDF2_Iterations =
            UtilProperties.getPropertyAsInteger("security.properties",
                    "password.encrypt.pbkdf2.iterations", 1000);

3. change PBKDF2_SHA1 and other variables from public to private.

4. remove TODOs.

5. change flexadmin's password from 'admin' to our brand 'ofbiz' :)

Please DO submit a new patch tomorrow. Thanks again!

