Password Encryption

Last modified by RaffaelloPelagalli on 2006/12/28 02:02

Principle

jGuard can use a cryptographic hash function so that passwords are not stored in clear text on the server.

Such a function produces a unique digest of any string. So a password 'secret1' will produce, with one of these functions, a digest like '1gE1r'. A password 'secret2' will produce a digest like 'sF42'.

For each password, a different digest is produced. So each original password has its own unique digest.

Another characteristic is that it is very difficult to find out which password a given digest came from.

So if we store the digest of each password and not the original, anyone who reads the stored values will not have the original password. When we receive the password from the end user, we calculate its digest and compare it with the one stored on the webapp using jGuard.

Supported algorithms

Cryptographic hash functions, also called MessageDigest algorithms, are available in Java. Different algorithms are supported; refer to the documentation of your JVM vendor, especially the Java Cryptography Architecture. For example, many JVM vendors provide these algorithms: MD2, MD5, SHA-1, SHA-256, SHA-384 and SHA-512. Other ones are also available. To use an algorithm in jGuard, you have to use the code for the chosen algorithm, like the ones listed above.

To configure the chosen algorithm in jGuard, uncomment the digestAlgorithm markup in the jGuardAuthentication.xml file and put your MessageDigest algorithm code into it.

<digestAlgorithm>MD5</digestAlgorithm>

Salted passwords

Password salting is described on Wikipedia. Passwords are impossible to know if you have only their digests.

But if you store the digests of some popular passwords together with their origins in big tables, you can easily look up the origin from the digest. These tables are called rainbow tables. Password salting is used to prevent attackers from using rainbow tables, because these tables are based on a known password origin.

If you modify the origin with a 'salt' specific to your application, it will be impossible to create rainbow tables covering all the possibilities of salt. For example, if you concatenate 'password1' with the salt 'salt1' before calculating the digest, the result will be different and very difficult to know.

To use a salt in conjunction with a digest algorithm (you cannot use a salt without a digest algorithm), uncomment the salt markup in the jGuardAuthentication.xml file and put the chosen salt into it.

<salt>qsd846ss2q6ds4</salt>
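
The digest-then-compare check and the effect of the salt described on this page, as an added example that is not jGuard's own code. The class and method names are hypothetical, and the concatenation order (password followed by salt), UTF-8 encoding and hex output are assumptions of the example, not jGuard's documented storage format.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class SaltedDigestDemo {

    // Hex digest of password + salt. Concatenation order, UTF-8 encoding and
    // hex output are assumptions of this example, not jGuard's stored format.
    static String digest(String algorithm, String password, String salt)
            throws NoSuchAlgorithmException {
        // getInstance throws if the JVM has no provider for this algorithm code.
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hash = md.digest((password + salt).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Recompute the digest of the submitted password and compare it with the
    // stored one. MessageDigest.isEqual is used instead of String.equals so the
    // comparison time does not depend on where the first mismatch occurs.
    static boolean matches(String algorithm, String submitted, String salt, String storedHex)
            throws NoSuchAlgorithmException {
        byte[] candidate = digest(algorithm, submitted, salt).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(candidate, storedHex.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String algorithm = "SHA-256";    // a code that would go in <digestAlgorithm>
        String salt = "qsd846ss2q6ds4";  // value from the <salt> example on this page

        String stored = digest(algorithm, "secret1", salt);  // what the server keeps
        System.out.println("stored (salted) digest : " + stored);
        System.out.println("unsalted digest        : " + digest(algorithm, "secret1", ""));
        System.out.println("secret1 accepted?      : " + matches(algorithm, "secret1", salt, stored));
        System.out.println("secret2 accepted?      : " + matches(algorithm, "secret2", salt, stored));

        try {
            digest("NOT-A-DIGEST", "secret1", salt);  // constructed invalid code
        } catch (NoSuchAlgorithmException e) {
            System.out.println("unsupported algorithm code: " + e.getMessage());
        }
    }
}
```

The salted and unsalted digests of 'secret1' differ, which is why a lookup table built from unsalted digests does not match the stored value.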

Created by diabolo512 on 2006/12/28 01:23

jGuard team copyright 2004-2009
3.1.1