http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26978

Add support for 'salt' to all Realms

           Summary: Add support for 'salt' to all Realms
           Product: Tomcat 5
           Version: Unknown
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Generating a password digest is an enhancement compared to storing plaintext
passwords, but digests are still very vulnerable to security attacks that
compare the password digest list with a 'hacker' list of digests of 'commonly
used passwords'. This comparison can be done by a simple SELECT statement in
case of a relational database:

    SELECT User.name, CommonPasswords.passwordPlain
    FROM User, CommonPasswords
    WHERE User.passwordDigest = CommonPasswords.passwordDigest

A common technique to avoid such attacks is to use "salt", so that two
identical passwords do not have the same digest. This technique should be
supported by Tomcat's standard realms.

(A) To generate a 'salted' password digest:
1) Generate digest A from the plain password
2) Generate a salt (random number sequence)
3) Generate digest B from digest A and the salt
4) Store digest B and the salt

(B) To check whether a given password matches the stored password:
1) Load the digest and the salt
2) Generate digest A from the given password
3) Generate digest B from digest A and the salt
4) Compare the loaded digest with digest B

To avoid having to store and load two values (digest and salt), both values
could be concatenated and encoded using base 64.
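The scheme described in the report, procedures (A) and (B) plus the base64-encoded concatenation, as an added Java example; this is not Tomcat's own Realm code, and it assumes SHA-256 as the digest and a 16-byte salt, neither of which the report specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** Salted digest as described in the report: B = H(H(password) || salt), stored as base64(B || salt). */
public final class SaltedDigest {
    private static final String ALGORITHM = "SHA-256"; // assumed; the report does not name a hash
    private static final int SALT_LENGTH = 16;         // assumed salt size in bytes
    private static final SecureRandom RANDOM = new SecureRandom();
    private static byte[] digest(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            for (byte[] p : parts) md.update(p);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    /** (A) digest A from the password, a random salt, digest B from A and salt; store base64(B || salt). */
    public static String generate(String password) {
        byte[] salt = new byte[SALT_LENGTH];
        RANDOM.nextBytes(salt);                                       // step 2: random salt
        byte[] a = digest(password.getBytes(StandardCharsets.UTF_8)); // step 1: digest A
        byte[] b = digest(a, salt);                                   // step 3: digest B
        byte[] stored = Arrays.copyOf(b, b.length + salt.length);     // step 4: B || salt
        System.arraycopy(salt, 0, stored, b.length, salt.length);
        return Base64.getEncoder().encodeToString(stored);
    }
    /** (B) split the stored value into digest and salt, recompute B for the candidate, compare. */
    public static boolean verify(String password, String stored) {
        byte[] decoded = Base64.getDecoder().decode(stored);
        int digestLength = digest(new byte[0]).length;                // output size of ALGORITHM
        if (decoded.length <= digestLength) return false;             // no salt present: reject
        byte[] storedB = Arrays.copyOfRange(decoded, 0, digestLength);
        byte[] salt = Arrays.copyOfRange(decoded, digestLength, decoded.length);
        byte[] b = digest(digest(password.getBytes(StandardCharsets.UTF_8)), salt);
        return MessageDigest.isEqual(storedB, b);                     // constant-time comparison
    }

    public static void main(String[] args) {
        String s1 = generate("correct horse"), s2 = generate("correct horse");
        System.out.println("distinct stored values for one password: " + !s1.equals(s2));
        System.out.println("correct password accepted: " + verify("correct horse", s1));
        System.out.println("wrong password rejected: " + !verify("wrong", s1));
    }
}
```

The constant-time comparison via MessageDigest.isEqual is an addition beyond the report's step (B)4, so that verification time does not depend on how many leading bytes of the digest match.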
