From: Xianhua Liu <xl24@duke.edu>
To: "Rutger A. Vos"
Cc: Hilmar Lapp, Mark Dominus
Subject: Re: encrypting user passwords
Date: Wed, 28 Jan 2009 16:37:53 -0500
Message-Id: <8840BD00-AFE1-4FCB-91F9-4D53034C6EA6@duke.edu>
References: <4605999D-8863-4D90-8D66-372EB4F041C8@nescent.org> <2bb9b24a0901210029l37888159wa1346f763f9f67c3@mail.gmail.com> <49932D07-101A-4D8B-A6BA-07AE0E509718@nescent.org> <2bb9b24a0901280352r60e8c988j45d2f8f5c706243e@mail.gmail.com>
X-Mailer: Apple Mail (2.929.2)

Rutger:

We are using the MessageDigest class in the java.security package to encrypt the password. The attached java source file is a java class we developed to encrypt the password with the public function 'encrypt'. First, we use this function to encrypt the password before saving it into the database, e.g., during new user registration. Secondly, during the login process, we use this function to encrypt the user's input password and compare it with the one stored in the database to authenticate the user.

To reset a password, we generate a random password to replace the old one and send an email to the user to notify them of the change. The random password of course should be encrypted too.

Please let me know if I can help more.

Xianhua

Attachment: PasswordService.java

package org.nescent.nead.util;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
// java.util.Base64 (Java 8+) replaces the original import of sun.misc.BASE64Encoder,
// an internal class that is not part of the public API and was removed in Java 9.
import java.util.Base64;

public final class PasswordService {
  private static PasswordService instance;

  private PasswordService() {
  }

  // Hashes (rather than encrypts) the password. The JCA name "SHA" resolves to
  // SHA-1; the digest is one-way, so the original password cannot be recovered
  // from the stored value. There is no salt, so the same password always yields
  // the same stored string, for every user who chooses it.
  public synchronized String encrypt(String plaintext)
      throws NoSuchAlgorithmException, UnsupportedEncodingException {
    MessageDigest md = MessageDigest.getInstance("SHA");
    md.update(plaintext.getBytes("UTF-8"));
    byte[] raw = md.digest();
    return Base64.getEncoder().encodeToString(raw);
  }

  // Lazily creates the singleton. The attached version returned a new object
  // without storing it, so 'instance' stayed null and every call built a fresh
  // PasswordService; the instance is now kept after first use.
  public static synchronized PasswordService getInstance() {
    if (instance == null) {
      instance = new PasswordService();
    }
    return instance;
  }
}
On Jan 28, 2009, at 3:15 PM, Hilmar Lapp wrote:

> Xianhua:
>
> The TreeBASE2 web application features user accounts and hence needs to handle, store, and verify user passwords.
>
> Could you send Rutger (cc'ed) the source code for those classes (and, as applicable, JSPs) that implement this in our web-applications in a secure, encrypted fashion? For example, PLHDB should have that, or choose NEAD. Could you also please describe to Rutger how to implement this in general terms, and what the possible pitfalls to avoid are.
>
> Rutger - if you need to let people reset their password and have the system email them a new one (the system being able to recover a user's current password is a security hole - it means a hacker can do it too), we have example code for that too. Just let Xianhua know.
>
> -hilmar
>
> On Jan 28, 2009, at 6:52 AM, Rutger Vos wrote:
>
>>> 3) The database dumps that are in the repository contain the TreeBASE2 user accounts and passwords in clear text. [...] I would use something like MD5 encryption when storing passwords. [...] We can help with fixing this too (we're storing usernames/passwords too for our own applications), just let me know if you want us to do that.
>>
>> You're very right. How do you recommend we address this (i.e. how do you do it in your apps)? Thanks, that would be very helpful.
>
> --
> ===========================================================
> : Hilmar Lapp  -:- Durham, NC -:- informatics.nescent.org :
> ===========================================================



