5:55 a.m.
I am currently looking into using the IDM API as I am authenticating
some HTTP requests and I am running into a couple of questions, the
aspect of the API I am currently looking at is: -
// Credential management
boolean validateCredential(User user, Credential credential);
void updateCredential(User user, Credential credential);
Correct me if I am wrong as it is the foundation of what I am thinking
about but I am seeing the 'validateCredential' as the method to call to
validate that the Credential supplied by the user is valid so that we
can verify the user is who they claim to be.
There is quite a lot below so it may make sense to subsequently break
these out into their own discussions.
* Userless Validation *
As mentioned on the other thread something I would find really useful is
something along the lines of: -
User validateCredential(Credential credential);
This would be for situations where there is a direct mapping from the
Credential to the user it relates to, my main example being a
X509Certificate.
I am looking at this from the perspective of - The IDM is already
managing the association of User to Certificate so to call
validateCredential I would see it as better that the calling code is not
forced to map it to the user first.
* Multiple Credentials *
The validateCredential method potentially allows many different types of
Credential to be used - however the updateCredential method seems to
apply a 1:1 mapping of User and Credential.
I can see situations where a user would have multiple Credentials, an
immediate example being both a Password and a X509Certificate.
* Ambiguous Meaning to Credentials *
This is just something I am not as clear on how the two relate and think
it has the potential to be confusing using the same Credential interface
for validation and for association with the user.
For Credentials such as the PasswordCredential and
X509CertificateCredential these do make sense to both be validated and
associated.
But then there are Credentials like the DigestCredential which only make
sense to be validated but not associated.
* Multiple Representations of Same Credential *
Another requirement I may have is storing multiple representations of
the same Credential against the same user - this is just thinking out
loud at the moment so not sure if this would be a responsibility of the
IdentityStore.
The situation here is that the user has one password but we want to
support two different hashes with Digest authentication - if we want to
choose to pre-hash the password with the username and realm we would
need to do that once per type of hash supported.
The benefit of pre-hashing in this way is that if the user has used the
same password but for a different realm someone gaining access to the
hashed form does not necessarily get access to all of that users accounts.
* Access To The Credential *
The next issue is where access to the credential is required or at the
very least something is needed to be generated from the credential -
this is used in client/server scenarios where the server also proves to
the client that it knows the users password.
Keeping the Credential so that it can not be retrieved from the IDM is
good but it does open up the need to be able to generate some response
values within the IDM based on additional information supplied.
The example I currently have is regarding Digest authentication, I have
a need for the following two hashes to be generated: -
"username : realm : password"
"username : realm : password : nonce : cnonce"
The first could be the pre-hashed password I mention above but the
second definitely needs generating on demand as we have both the nonce
that was generated from the server and the nonce the client has sent to
challenge the server.
Regards,
Darran Lofthouse.
5:09 p.m.
On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
I am currently looking into using the IDM API as I am authenticating
some HTTP requests and I am running into a couple of questions, the
aspect of the API I am currently looking at is: -
// Credential management
boolean validateCredential(User user, Credential credential);
void updateCredential(User user, Credential credential);
Correct me if I am wrong as it is the foundation of what I am thinking
about but I am seeing the 'validateCredential' as the method to call to
validate that the Credential supplied by the user is valid so that we
can verify the user is who they claim to be.
There is quite a lot below so it may make sense to subsequently break
these out into their own discussions.
* Userless Validation *
As mentioned on the other thread something I would find really useful is
something along the lines of: -
User validateCredential(Credential credential);
This would be for situations where there is a direct mapping from the
Credential to the user it relates to, my main example being a
X509Certificate.
I am looking at this from the perspective of - The IDM is already
managing the association of User to Certificate so to call
validateCredential I would see it as better that the calling code is not
forced to map it to the user first.
Keep in mind that the credential validation and management features
provided by the IDM API are totally optional. There's nothing
preventing anyone from writing their own custom authentication logic
which is capable of interacting with the IDM identity model but doesn't
necessarily depend on its credential validation. In fact, the
authentication API in PicketLink Core is designed this way from the
ground up - IDM credential validation will only be used if a) IDM has
been configured in the application, and b) a custom validator hasn't
already been provided - so IDM password-based authentication is only
ever used as a last resort. With this in mind, and considering the
bazillion different possibilities when it comes to authentication I'd
like to suggest that we perhaps restrict IDM-based authentication to the
simplest possible use case, i.e. username/email and password.
Having said all that though, we probably need to review the credential
management methods that we currently provide. I'm guessing that for
certificate-based authentication (I'm a little rusty on this) we would
have to store some kind of custom credentials against the User, in which
case the current API for credential management doesn't actually support
reading any of the credential values that might be required by a custom
authenticator.
* Multiple Credentials *
The validateCredential method potentially allows many different types of
Credential to be used - however the updateCredential method seems to
apply a 1:1 mapping of User and Credential.
I can see situations where a user would have multiple Credentials, an
immediate example being both a Password and a X509Certificate.
This is an implementation detail - all IdentityStore implementations
should support the storing of multiple credential types. Out of the box
we support PasswordCredential, DigestCredential and
X509CertificateCredential and two separate calls to updateCredential()
with different credential types should persist both credentials.
* Ambiguous Meaning to Credentials *
This is just something I am not as clear on how the two relate and think
it has the potential to be confusing using the same Credential interface
for validation and for association with the user.
For Credentials such as the PasswordCredential and
X509CertificateCredential these do make sense to both be validated and
associated.
But then there are Credentials like the DigestCredential which only make
sense to be validated but not associated.
Agreed, we need to fix this.
* Multiple Representations of Same Credential *
Another requirement I may have is storing multiple representations of
the same Credential against the same user - this is just thinking out
loud at the moment so not sure if this would be a responsibility of the
IdentityStore.
The situation here is that the user has one password but we want to
support two different hashes with Digest authentication - if we want to
choose to pre-hash the password with the username and realm we would
need to do that once per type of hash supported.
The benefit of pre-hashing in this way is that if the user has used the
same password but for a different realm someone gaining access to the
hashed form does not necessarily get access to all of that users accounts.
I'm not quite sure I understand this one. In the latest design of the
identity model, a User belongs to a single Realm. What's the definition
of a realm in the context of your use case?
* Access To The Credential *
The next issue is where access to the credential is required or at the
very least something is needed to be generated from the credential -
this is used in client/server scenarios where the server also proves to
the client that it knows the users password.
Keeping the Credential so that it can not be retrieved from the IDM is
good but it does open up the need to be able to generate some response
values within the IDM based on additional information supplied.
The example I currently have is regarding Digest authentication, I have
a need for the following two hashes to be generated: -
"username : realm : password"
"username : realm : password : nonce : cnonce"
The first could be the pre-hashed password I mention above but the
second definitely needs generating on demand as we have both the nonce
that was generated from the server and the nonce the client has sent to
challenge the server.
+1, as I stated above we need to review the credential management API,
which since the start of this project has remained relatively
untouched. I'll spend some time working on this over the next couple of
days to come up with a better design.
Regards,
Darran Lofthouse.
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
3:21 a.m.
On 12/02/2012 11:09 PM, Shane Bryzak wrote:
On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
> * Userless Validation *
>
> As mentioned on the other thread something I would find really useful is
> something along the lines of: -
>
> User validateCredential(Credential credential);
>
> This would be for situations where there is a direct mapping from the
> Credential to the user it relates to, my main example being a
> X509Certificate.
>
> I am looking at this from the perspective of - The IDM is already
> managing the association of User to Certificate so to call
> validateCredential I would see it as better that the calling code is not
> forced to map it to the user first.
Keep in mind that the credential validation and management features
provided by the IDM API are totally optional. There's nothing
preventing anyone from writing their own custom authentication logic
which is capable of interacting with the IDM identity model but doesn't
necessarily depend on its credential validation. In fact, the
authentication API in PicketLink Core is designed this way from the
ground up - IDM credential validation will only be used if a) IDM has
been configured in the application, and b) a custom validator hasn't
already been provided - so IDM password-based authentication is only
ever used as a last resort. With this in mind, and considering the
bazillion different possibilities when it comes to authentication I'd
like to suggest that we perhaps restrict IDM-based authentication to the
simplest possible use case, i.e. username/email and password.
That could be useful, from an AS7 perspective and a HTTP authentication
perspective we have a lot of complex scenarios - however this would mean
that we would need to be able to access the underlying Credential(s)
associated with a user - would that be possible?
Having said all that though, we probably need to review the
credential
management methods that we currently provide. I'm guessing that for
certificate-based authentication (I'm a little rusty on this) we would
have to store some kind of custom credentials against the User, in which
case the current API for credential management doesn't actually support
reading any of the credential values that might be required by a custom
authenticator.
3:23 a.m.
On 12/02/2012 11:09 PM, Shane Bryzak wrote:
On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
> * Multiple Credentials *
>
> The validateCredential method potentially allows many different types of
> Credential to be used - however the updateCredential method seems to
> apply a 1:1 mapping of User and Credential.
>
> I can see situations where a user would have multiple Credentials, an
> immediate example being both a Password and a X509Certificate.
This is an implementation detail - all IdentityStore implementations
should support the storing of multiple credential types. Out of the box
we support PasswordCredential, DigestCredential and
X509CertificateCredential and two separate calls to updateCredential()
with different credential types should persist both credentials.
I would suggest if reviewing the Credential APIs one thing that we would
need to be sure of it that we can operate on the individual Credentials
- we may need to be choosing which one to update or remove.
Also for Certificates we may want the ability to have a new Certificate
set before an old one expires possibly with or without an overlap.
3:37 a.m.
On 12/03/2012 09:23 AM, Darran Lofthouse wrote:
On 12/02/2012 11:09 PM, Shane Bryzak wrote:
> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>> * Multiple Credentials *
>>
>> The validateCredential method potentially allows many different types of
>> Credential to be used - however the updateCredential method seems to
>> apply a 1:1 mapping of User and Credential.
>>
>> I can see situations where a user would have multiple Credentials, an
>> immediate example being both a Password and a X509Certificate.
>
> This is an implementation detail - all IdentityStore implementations
> should support the storing of multiple credential types. Out of the box
> we support PasswordCredential, DigestCredential and
> X509CertificateCredential and two separate calls to updateCredential()
> with different credential types should persist both credentials.
I would suggest if reviewing the Credential APIs one thing that we would
need to be sure of it that we can operate on the individual Credentials
- we may need to be choosing which one to update or remove.
Also for Certificates we may want the ability to have a new Certificate
set before an old one expires possibly with or without an overlap.
Also if looking at Certificates as I mentioned on another thread if the
APIs from the IDM allow us to wrap it with an X509TrustManager
implementation that would potentially provide us with the capability to
tie in the SSL negotiation as connections are established with the
identity store.
In current AS releases this can be a bit disjointed getting the two tied
together.
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
12:07 p.m.
Here's a PDF [1] of a session I attended at RWX this past week. Start
looking at page 25 onward for some ideas on how we can better store
passwords with something other than just a salted hash, it may also give us
a good advantage with other competitors. If you can't get to the PDF, let
me know and I'll attach it.
[1]
http://therichwebexperience.com/s/slides/current/speaker/Les_Hazlewood/in...
On Mon, Dec 3, 2012 at 2:37 AM, Darran Lofthouse <darran.lofthouse(a)jboss.com
wrote:
On 12/03/2012 09:23 AM, Darran Lofthouse wrote:
> On 12/02/2012 11:09 PM, Shane Bryzak wrote:
>> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>>> * Multiple Credentials *
>>>
>>> The validateCredential method potentially allows many different types
of
>>> Credential to be used - however the updateCredential method seems to
>>> apply a 1:1 mapping of User and Credential.
>>>
>>> I can see situations where a user would have multiple Credentials, an
>>> immediate example being both a Password and a X509Certificate.
>>
>> This is an implementation detail - all IdentityStore implementations
>> should support the storing of multiple credential types. Out of the box
>> we support PasswordCredential, DigestCredential and
>> X509CertificateCredential and two separate calls to updateCredential()
>> with different credential types should persist both credentials.
>
> I would suggest if reviewing the Credential APIs one thing that we would
> need to be sure of it that we can operate on the individual Credentials
> - we may need to be choosing which one to update or remove.
>
> Also for Certificates we may want the ability to have a new Certificate
> set before an old one expires possibly with or without an overlap.
Also if looking at Certificates as I mentioned on another thread if the
APIs from the IDM allow us to wrap it with an X509TrustManager
implementation that would potentially provide us with the capability to
tie in the SSL negotiation as connections are established with the
identity store.
In current AS releases this can be a bit disjointed getting the two tied
together.
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
--
Jason Porter
http://lightguard-jp.blogspot.com
http://twitter.com/lightguardjp
Software Engineer
Open Source Advocate
PGP key id: 926CCFF5
PGP key available at: keyserver.net, pgp.mit.edu
4:45 a.m.
Actually this is generally an excellent presentation, and we should make sure that
PicketLink addresses all these points.
We should also build a similar deck for PL.
On 3 Dec 2012, at 19:07, Jason Porter wrote:
Here's a PDF [1] of a session I attended at RWX this past week.
Start looking at page 25 onward for some ideas on how we can better store passwords with
something other than just a salted hash, it may also give us a good advantage with other
competitors. If you can't get to the PDF, let me know and I'll attach it.
[1]
http://therichwebexperience.com/s/slides/current/speaker/Les_Hazlewood/in...
On Mon, Dec 3, 2012 at 2:37 AM, Darran Lofthouse <darran.lofthouse(a)jboss.com>
wrote:
On 12/03/2012 09:23 AM, Darran Lofthouse wrote:
> On 12/02/2012 11:09 PM, Shane Bryzak wrote:
>> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>>> * Multiple Credentials *
>>>
>>> The validateCredential method potentially allows many different types of
>>> Credential to be used - however the updateCredential method seems to
>>> apply a 1:1 mapping of User and Credential.
>>>
>>> I can see situations where a user would have multiple Credentials, an
>>> immediate example being both a Password and a X509Certificate.
>>
>> This is an implementation detail - all IdentityStore implementations
>> should support the storing of multiple credential types. Out of the box
>> we support PasswordCredential, DigestCredential and
>> X509CertificateCredential and two separate calls to updateCredential()
>> with different credential types should persist both credentials.
>
> I would suggest if reviewing the Credential APIs one thing that we would
> need to be sure of it that we can operate on the individual Credentials
> - we may need to be choosing which one to update or remove.
>
> Also for Certificates we may want the ability to have a new Certificate
> set before an old one expires possibly with or without an overlap.
Also if looking at Certificates as I mentioned on another thread if the
APIs from the IDM allow us to wrap it with an X509TrustManager
implementation that would potentially provide us with the capability to
tie in the SSL negotiation as connections are established with the
identity store.
In current AS releases this can be a bit disjointed getting the two tied
together.
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
--
Jason Porter
http://lightguard-jp.blogspot.com
http://twitter.com/lightguardjp
Software Engineer
Open Source Advocate
PGP key id: 926CCFF5
PGP key available at: keyserver.net, pgp.mit.edu
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
6:44 a.m.
RWX have removed access to this presentation. Does anyone have it cached?
On 3 Dec 2012, at 13:07, Jason Porter wrote:
Here's a PDF [1] of a session I attended at RWX this past week.
Start looking at page 25 onward for some ideas on how we can better store passwords with
something other than just a salted hash, it may also give us a good advantage with other
competitors. If you can't get to the PDF, let me know and I'll attach it.
[1]
http://therichwebexperience.com/s/slides/current/speaker/Les_Hazlewood/in...
On Mon, Dec 3, 2012 at 2:37 AM, Darran Lofthouse <darran.lofthouse(a)jboss.com>
wrote:
On 12/03/2012 09:23 AM, Darran Lofthouse wrote:
> On 12/02/2012 11:09 PM, Shane Bryzak wrote:
>> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>>> * Multiple Credentials *
>>>
>>> The validateCredential method potentially allows many different types of
>>> Credential to be used - however the updateCredential method seems to
>>> apply a 1:1 mapping of User and Credential.
>>>
>>> I can see situations where a user would have multiple Credentials, an
>>> immediate example being both a Password and a X509Certificate.
>>
>> This is an implementation detail - all IdentityStore implementations
>> should support the storing of multiple credential types. Out of the box
>> we support PasswordCredential, DigestCredential and
>> X509CertificateCredential and two separate calls to updateCredential()
>> with different credential types should persist both credentials.
>
> I would suggest if reviewing the Credential APIs one thing that we would
> need to be sure of it that we can operate on the individual Credentials
> - we may need to be choosing which one to update or remove.
>
> Also for Certificates we may want the ability to have a new Certificate
> set before an old one expires possibly with or without an overlap.
Also if looking at Certificates as I mentioned on another thread if the
APIs from the IDM allow us to wrap it with an X509TrustManager
implementation that would potentially provide us with the capability to
tie in the SSL negotiation as connections are established with the
identity store.
In current AS releases this can be a bit disjointed getting the two tied
together.
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
--
Jason Porter
http://lightguard-jp.blogspot.com
http://twitter.com/lightguardjp
Software Engineer
Open Source Advocate
PGP key id: 926CCFF5
PGP key available at: keyserver.net, pgp.mit.edu
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
8:54 a.m.
I'll send it over when I get home
Sent from my iPhone
On Feb 9, 2013, at 7:44, Pete Muir <pmuir(a)redhat.com> wrote:
RWX have removed access to this presentation. Does anyone have it
cached?
On 3 Dec 2012, at 13:07, Jason Porter wrote:
> Here's a PDF [1] of a session I attended at RWX this past week. Start looking at
page 25 onward for some ideas on how we can better store passwords with something other
than just a salted hash, it may also give us a good advantage with other competitors. If
you can't get to the PDF, let me know and I'll attach it.
>
> [1]
http://therichwebexperience.com/s/slides/current/speaker/Les_Hazlewood/in...
>
>
> On Mon, Dec 3, 2012 at 2:37 AM, Darran Lofthouse <darran.lofthouse(a)jboss.com>
wrote:
> On 12/03/2012 09:23 AM, Darran Lofthouse wrote:
>> On 12/02/2012 11:09 PM, Shane Bryzak wrote:
>>> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>>>> * Multiple Credentials *
>>>>
>>>> The validateCredential method potentially allows many different types of
>>>> Credential to be used - however the updateCredential method seems to
>>>> apply a 1:1 mapping of User and Credential.
>>>>
>>>> I can see situations where a user would have multiple Credentials, an
>>>> immediate example being both a Password and a X509Certificate.
>>>
>>> This is an implementation detail - all IdentityStore implementations
>>> should support the storing of multiple credential types. Out of the box
>>> we support PasswordCredential, DigestCredential and
>>> X509CertificateCredential and two separate calls to updateCredential()
>>> with different credential types should persist both credentials.
>>
>> I would suggest if reviewing the Credential APIs one thing that we would
>> need to be sure of it that we can operate on the individual Credentials
>> - we may need to be choosing which one to update or remove.
>>
>> Also for Certificates we may want the ability to have a new Certificate
>> set before an old one expires possibly with or without an overlap.
>
> Also if looking at Certificates as I mentioned on another thread if the
> APIs from the IDM allow us to wrap it with an X509TrustManager
> implementation that would potentially provide us with the capability to
> tie in the SSL negotiation as connections are established with the
> identity store.
>
> In current AS releases this can be a bit disjointed getting the two tied
> together.
>
>> _______________________________________________
>> security-dev mailing list
>> security-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
>
>
> --
> Jason Porter
> http://lightguard-jp.blogspot.com
> http://twitter.com/lightguardjp
>
> Software Engineer
> Open Source Advocate
>
> PGP key id: 926CCFF5
> PGP key available at: keyserver.net, pgp.mit.edu
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
12:22 p.m.
Looks like they weren't on the USB drive either :( I emailed Les to see if
I could get a copy from him to review. I also noticed Stormpath (his
security consulting company) has a ruby interface:
https://github.com/stormpath I think this is something we should closely
look into for Torquebox, Immutant and Escalante.
On Sat, Feb 9, 2013 at 7:54 AM, Jason Porter <lightguard.jp(a)gmail.com>wrote:
I'll send it over when I get home
Sent from my iPhone
On Feb 9, 2013, at 7:44, Pete Muir <pmuir(a)redhat.com> wrote:
> RWX have removed access to this presentation. Does anyone have it cached?
>
> On 3 Dec 2012, at 13:07, Jason Porter wrote:
>
>> Here's a PDF [1] of a session I attended at RWX this past week. Start
looking at page 25 onward for some ideas on how we can better store
passwords with something other than just a salted hash, it may also give us
a good advantage with other competitors. If you can't get to the PDF, let
me know and I'll attach it.
>>
>> [1]
http://therichwebexperience.com/s/slides/current/speaker/Les_Hazlewood/in...
>>
>>
>> On Mon, Dec 3, 2012 at 2:37 AM, Darran Lofthouse <
darran.lofthouse(a)jboss.com> wrote:
>> On 12/03/2012 09:23 AM, Darran Lofthouse wrote:
>>> On 12/02/2012 11:09 PM, Shane Bryzak wrote:
>>>> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>>>>> * Multiple Credentials *
>>>>>
>>>>> The validateCredential method potentially allows many different
types of
>>>>> Credential to be used - however the updateCredential method seems
to
>>>>> apply a 1:1 mapping of User and Credential.
>>>>>
>>>>> I can see situations where a user would have multiple Credentials,
an
>>>>> immediate example being both a Password and a X509Certificate.
>>>>
>>>> This is an implementation detail - all IdentityStore implementations
>>>> should support the storing of multiple credential types. Out of the
box
>>>> we support PasswordCredential, DigestCredential and
>>>> X509CertificateCredential and two separate calls to updateCredential()
>>>> with different credential types should persist both credentials.
>>>
>>> I would suggest if reviewing the Credential APIs one thing that we
would
>>> need to be sure of it that we can operate on the individual Credentials
>>> - we may need to be choosing which one to update or remove.
>>>
>>> Also for Certificates we may want the ability to have a new Certificate
>>> set before an old one expires possibly with or without an overlap.
>>
>> Also if looking at Certificates as I mentioned on another thread if the
>> APIs from the IDM allow us to wrap it with an X509TrustManager
>> implementation that would potentially provide us with the capability to
>> tie in the SSL negotiation as connections are established with the
>> identity store.
>>
>> In current AS releases this can be a bit disjointed getting the two tied
>> together.
>>
>>> _______________________________________________
>>> security-dev mailing list
>>> security-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/security-dev
>> _______________________________________________
>> security-dev mailing list
>> security-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>>
>> --
>> Jason Porter
>> http://lightguard-jp.blogspot.com
>> http://twitter.com/lightguardjp
>>
>> Software Engineer
>> Open Source Advocate
>>
>> PGP key id: 926CCFF5
>> PGP key available at: keyserver.net, pgp.mit.edu
>> _______________________________________________
>> security-dev mailing list
>> security-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>
--
Jason Porter
http://en.gravatar.com/lightguardjp
3:27 a.m.
On 12/02/2012 11:09 PM, Shane Bryzak wrote:
On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
> * Multiple Representations of Same Credential *
>
> Another requirement I may have is storing multiple representations of
> the same Credential against the same user - this is just thinking out
> loud at the moment so not sure if this would be a responsibility of the
> IdentityStore.
>
> The situation here is that the user has one password but we want to
> support two different hashes with Digest authentication - if we want to
> choose to pre-hash the password with the username and realm we would
> need to do that once per type of hash supported.
>
> The benefit of pre-hashing in this way is that if the user has used the
> same password but for a different realm someone gaining access to the
> hashed form does not necessarily get access to all of that users accounts.
I'm not quite sure I understand this one. In the latest design of the
identity model, a User belongs to a single Realm. What's the definition
of a realm in the context of your use case?
In this case the user is still a single user in a single realm but we
may support two hash mechanisms for Digest authentication e.g. MD5 and
SHA-256 - if we are choosing to not store the password in a recoverable
format we may instead store a MD5 hash of "username : realm : password"
AND a SHA-256 hash of "username : realm : password".
Both hashes are based on the exact same data so it is only the hash
algorithm that differs.
3:32 a.m.
On 12/02/2012 11:09 PM, Shane Bryzak wrote:
On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
> * Access To The Credential *
>
> The next issue is where access to the credential is required or at the
> very least something is needed to be generated from the credential -
> this is used in client/server scenarios where the server also proves to
> the client that it knows the users password.
>
> Keeping the Credential so that it can not be retrieved from the IDM is
> good but it does open up the need to be able to generate some response
> values within the IDM based on additional information supplied.
>
> The example I currently have is regarding Digest authentication, I have
> a need for the following two hashes to be generated: -
>
> "username : realm : password"
> "username : realm : password : nonce : cnonce"
>
> The first could be the pre-hashed password I mention above but the
> second definitely needs generating on demand as we have both the nonce
> that was generated from the server and the nonce the client has sent to
> challenge the server.
+1, as I stated above we need to review the credential management API,
which since the start of this project has remained relatively
untouched. I'll spend some time working on this over the next couple of
days to come up with a better design.
Feel free to set something up if you want to talk to me further about
where I am coming from with some of these requirements.
If we can find a way to access some of this sensitive data then for the
more complex server authentication scenarios these requirements aren't
going to leak into the IDM - of course then we introduce the problem of
ensuring access to the sensitive values can be restricted ;-)
4303
days inactive
4373
days old
11 comments
4 participants
participants (4)
-
Darran Lofthouse -
Jason Porter -
Pete Muir -
Shane Bryzak