[security-dev] PicketLink 3 - IDM API - Credential Management
Darran Lofthouse
darran.lofthouse at jboss.com
Mon Dec 3 04:27:41 EST 2012
On 12/02/2012 11:09 PM, Shane Bryzak wrote:
> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>> * Multiple Representations of Same Credential *
>>
>> Another requirement I may have is storing multiple representations of
>> the same Credential against the same user - this is just thinking out
>> loud at the moment so not sure if this would be a responsibility of the
>> IdentityStore.
>>
>> The situation here is that the user has one password but we want to
>> support two different hashes with Digest authentication - if we want to
>> choose to pre-hash the password with the username and realm we would
>> need to do that once per type of hash supported.
>>
>> The benefit of pre-hashing in this way is that if the user has used the
>> same password but for a different realm someone gaining access to the
>> hashed form does not necessarily get access to all of that user's accounts.
>
> I'm not quite sure I understand this one. In the latest design of the
> identity model, a User belongs to a single Realm. What's the definition
> of a realm in the context of your use case?
In this case the user is still a single user in a single realm but we
may support two hash mechanisms for Digest authentication e.g. MD5 and
SHA-256 - if we are choosing to not store the password in a recoverable
format we may instead store an MD5 hash of "username : realm : password"
AND a SHA-256 hash of "username : realm : password".
Both hashes are based on the exact same data so it is only the hash
algorithm that differs.
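The storage scheme Darran describes, as an added illustration that is not code from the thread or from PicketLink: one user, one realm, one password, but two pre-hashed HA1 values (MD5 and SHA-256) kept in place of the password, each derived from the same "username:realm:password" string (written without the spaces used in the mail, which is how Digest's A1 is actually formed). The server verifies a Digest response from the stored HA1 for whichever algorithm the client negotiated and never needs the password itself; the qop-less RFC 2617 response formula, the sample user, realm and nonce are all assumptions made for this example.

```python
import hashlib
import hmac

# Algorithms the identity store keeps an HA1 for. The MD5/SHA-256 pairing is
# the one discussed in the thread; both names are valid hashlib.new() inputs.
SUPPORTED_ALGORITHMS = ("md5", "sha256")


def digest_hash(algorithm: str, data: str) -> str:
    """Hex digest of a string under the named algorithm."""
    return hashlib.new(algorithm, data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str, algorithm: str) -> str:
    """Digest HA1 = H(username:realm:password); the realm is part of the input,
    so the same password in another realm yields an unrelated hash."""
    return digest_hash(algorithm, f"{username}:{realm}:{password}")


def store_credential(username: str, realm: str, password: str) -> dict:
    """Build the record an identity store would persist instead of the password:
    one HA1 per supported algorithm, all computed from the exact same data."""
    return {alg: ha1(username, realm, password, alg) for alg in SUPPORTED_ALGORITHMS}


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str, algorithm: str) -> str:
    """Response = H(HA1:nonce:HA2) with HA2 = H(method:uri).
    This is the qop-less RFC 2617 form, chosen here for brevity (assumption)."""
    ha2 = digest_hash(algorithm, f"{method}:{uri}")
    return digest_hash(algorithm, f"{ha1_hex}:{nonce}:{ha2}")


def verify_digest(stored: dict, algorithm: str, method: str, uri: str,
                  nonce: str, client_response: str) -> bool:
    """Server-side check using only the stored HA1 for the negotiated algorithm.
    Returns False if that algorithm was never provisioned for the user."""
    stored_ha1 = stored.get(algorithm)
    if stored_ha1 is None:
        return False
    expected = digest_response(stored_ha1, method, uri, nonce, algorithm)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    record = store_credential("alice", "example.org", "correct horse battery")
    nonce = "constructed-nonce-0001"
    for alg in SUPPORTED_ALGORITHMS:
        # A client that knows the password computes the same HA1 on its side.
        client_ha1 = ha1("alice", "example.org", "correct horse battery", alg)
        response = digest_response(client_ha1, "GET", "/dir/index.html", nonce, alg)
        ok = verify_digest(record, alg, "GET", "/dir/index.html", nonce, response)
        print(f"{alg}: stored HA1 {record[alg]} verified={ok}")
    # Same user and password, different realm: the stored hash does not carry over.
    print("realm-bound:", ha1("alice", "example.org", "pw", "md5")
          != ha1("alice", "other.example", "pw", "md5"))
```

Each entry in the record is a separate representation of one credential, so a store that only keeps a single hash per user would need either a composite value or one row per algorithm, which is the design question the mail raises.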