qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-6993) [Java Broker] Improve security of SCRAM-* authentication managers by not storing the salted passwords
Date Mon, 18 Jan 2016 15:51:39 GMT

    [ https://issues.apache.org/jira/browse/QPID-6993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15105452#comment-15105452 ]

ASF subversion and git services commented on QPID-6993:
-------------------------------------------------------

Commit 1725295 from [~lorenz.quack] in branch 'java/trunk'
[ https://svn.apache.org/r1725295 ]

QPID-6993: [Java Broker] Refactoring of SCRAM authentication manager

> [Java Broker] Improve security of SCRAM-* authentication managers by not storing the salted passwords
> -----------------------------------------------------------------------------------------------------
>
>                 Key: QPID-6993
>                 URL: https://issues.apache.org/jira/browse/QPID-6993
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Rob Godfrey
>            Assignee: Lorenz Quack
>             Fix For: qpid-java-6.1
>
>         Attachments: 0001-QPID-6993-Java-Broker-Refactoring.patch
>
>
> Currently the SCRAM-* authentication managers store the salted hashed password.  If this information is somehow leaked then the possessor of the information could use this value to log in to the broker without knowing the plain text password.
> We can change the storage mechanism to store instead the "storedKey" and "serverKey" which will not allow the possessor of the leaked configuration to authenticate - they will need to know either the plain text password or the hashed salted password - which cannot be recovered from the password file.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
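To make the difference between the two storage layouts discussed in the issue concrete, the following is an added example (not Qpid Java Broker code) that implements the SCRAM-SHA-256 key derivation and proof check from RFC 5802 / RFC 7677 in Python and plays three clients against one server record: the legitimate user, a thief holding a leaked SaltedPassword (the old storage), and a thief holding only StoredKey and ServerKey (the new storage). The user name, password, salt, nonces and iteration count are constructed values, and SASLprep normalisation of the password is omitted.

```python
import base64
import hashlib
import hmac

HASH = "sha256"


def h(data: bytes) -> bytes:
    """H() from RFC 5802: the mechanism's hash function."""
    return hashlib.new(HASH, data).digest()


def hmac_(key: bytes, msg: bytes) -> bytes:
    """HMAC() from RFC 5802, keyed with the same hash."""
    return hmac.new(key, msg, HASH).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC as the PRF.
    SASLprep normalisation of the password is omitted in this example."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def derive_keys(sp: bytes):
    """Everything the protocol needs is derived from SaltedPassword."""
    client_key = hmac_(sp, b"Client Key")
    stored_key = h(client_key)          # one-way: cannot be inverted to ClientKey
    server_key = hmac_(sp, b"Server Key")
    return client_key, stored_key, server_key


def auth_message(user: str, cnonce: str, snonce: str, salt: bytes, iterations: int) -> bytes:
    """AuthMessage = client-first-bare , server-first , client-final-without-proof."""
    client_first_bare = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_without_proof = f"c=biws,r={cnonce}{snonce}"
    return ",".join([client_first_bare, server_first, client_final_without_proof]).encode()


def client_proof(client_key: bytes, stored_key: bytes, msg: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage). Needs ClientKey."""
    return xor(client_key, hmac_(stored_key, msg))


def server_verify(stored_key: bytes, msg: bytes, proof: bytes) -> bool:
    """The server needs only StoredKey: unmask ClientKey from the proof and
    check that it hashes to StoredKey."""
    recovered_client_key = xor(proof, hmac_(stored_key, msg))
    return hmac.compare_digest(h(recovered_client_key), stored_key)


def server_signature(server_key: bytes, msg: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage), checked by the client."""
    return hmac_(server_key, msg)


# Constructed, fixed inputs so the run is deterministic.
USER, PASSWORD = "alice", "correct horse battery staple"
SALT, ITERATIONS = b"constructed-salt-0001", 4096
CNONCE, SNONCE = "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j"


def scenario() -> dict:
    sp = salted_password(PASSWORD, SALT, ITERATIONS)
    client_key, stored_key, server_key = derive_keys(sp)
    msg = auth_message(USER, CNONCE, SNONCE, SALT, ITERATIONS)

    # 1. Legitimate client: knows the password, so it can derive ClientKey.
    legit_ok = server_verify(stored_key, msg, client_proof(client_key, stored_key, msg))

    # 2. Old storage leaked: SaltedPassword alone re-derives ClientKey, so the
    #    thief authenticates without ever learning the plaintext password.
    leaked_ck, leaked_sk, _ = derive_keys(sp)
    thief_sp_ok = server_verify(stored_key, msg, client_proof(leaked_ck, leaked_sk, msg))

    # 3. New storage leaked: StoredKey and ServerKey only. ClientKey is a
    #    preimage of StoredKey, so the thief can only guess; substituting
    #    StoredKey itself for ClientKey is rejected.
    forged = client_proof(stored_key, stored_key, msg)
    thief_keys_ok = server_verify(stored_key, msg, forged)

    # 4. Caveat: ServerKey is enough to produce the ServerSignature that the
    #    client checks, so the same leak still allows impersonating the broker.
    expected_by_client = server_signature(derive_keys(sp)[2], msg)
    thief_can_pose_as_server = hmac.compare_digest(server_signature(server_key, msg), expected_by_client)

    return {
        "legitimate_client": legit_ok,
        "thief_with_salted_password": thief_sp_ok,
        "thief_with_stored_and_server_key": thief_keys_ok,
        "thief_can_impersonate_server": thief_can_pose_as_server,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

Step 4 is the caveat RFC 5802 section 9 spells out: StoredKey/ServerKey storage stops a thief from logging in as the user, but a leaked ServerKey still lets them pose as the broker, and a leaked StoredKey (like a leaked SaltedPassword) still permits an offline dictionary attack on the password, so the file's confidentiality and the iteration count still matter.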


