[security-dev] PicketLink 3 - IDM API - Credential Management

[Darran Lofthouse]

On 12/02/2012 11:09 PM, Shane Bryzak wrote:
> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>> * Multiple Representations of Same Credential *
>>
>> Another requirement I may have is storing multiple representations of
>> the same Credential against the same user - this is just thinking out
>> loud at the moment so not sure if this would be a responsibility of the
>> IdentityStore.
>>
>> The situation here is that the user has one password but we want to
>> support two different hashes with Digest authentication - if we want to
>> choose to pre-hash the password with the username and realm we would
>> need to do that once per type of hash supported.
>>
>> The benefit of pre-hashing in this way is that if the user has used the
>> same password but for a different realm someone gaining access to the
>> hashed form does not necessarily get access to all of that users accounts.
>
> I'm not quite sure I understand this one.  In the latest design of the
> identity model, a User belongs to a single Realm.  What's the definition
> of a realm in the context of your use case?

In this case the user is still a single user in a single realm but we 
may support two hash mechanisms for Digest authentication e.g. MD5 and 
SHA-256 - if we are choosing to not store the password in a recoverable 
format we may instead store a MD5 hash of "username : realm : password" 
AND a SHA-256 hash of "username : realm : password".

Both hashes are based on the exact same data so it is only the hash 
algorithm that differs.