On 06/12/2014 10:55 AM, Anil Saldhana wrote:
I also want to highlight the difference between PBE and PBKDF2
(http://en.wikipedia.org/wiki/PBKDF2).
Developers keep pushing for PBKDF2 which is essentially a one way
process. You cannot get the password back.
In the case of an application server, there is a need to get access to
the configured database password to talk to
a database or another EIS system. So it is a two way process. Not all
databases can do a hashed/digest mechanism.
I hope we can document this in Elytron documentation somewhere.
The Password SPI in fact has OneWayPassword and TwoWayPassword
sub-interfaces.
At present, the only TwoWayPassword implementation we have is "clear",
which, as the name says, is a clear password (and thus is trivially
"reversible"). We recently were discussing that there seem to be very
few (if any) good, reliable two-way password strategies (which do not
involve a keystore, which is *not* the same thing).
I've deliberately been referring to non-clear TwoWayPassword schemes as
"obfuscation" rather than "encryption" since few (if any) two-way
algorithms will actually make the password "secure" in the event of
theft. More likely this is for the "accidental printout" kind of case.
That said, if anyone knows of any good two-way password obfuscation
algorithms they think should be supported, please comment here and/or
open an issue at
https://issues.jboss.org/browse/ELY describing the
algorithm (preferably with a link to a specification if possible).
--
- DML