password encryption

Posted by a.noteboom on 24-Jun-2014 14:51

Our method of encrypting user passwords needs some (major) improvement. Using the PBKDF2 algorithm seems to be the industry standard on the internet nowadays, but OpenEdge 11.3 doesn't support that if I understand the knowledgebase correctly. What type of algorithms are you using to meet the ever increasing compliance rules?

All Replies

Posted by Michael Jacobs on 25-Jun-2014 04:29

OpenEdge does not encrypt passwords except in its _user table test accounts and the Domain access code used for Client-Principal token generation, neither of which meets any industry standard. The language does support, for general use, some algorithms for message digest, symmetric encryption, and simple key generation. The language does not support any of the asymmetric algorithms, including the one you mention.

You will need to query OpenEdge product management for information relating to future plans in this space.

Posted by Mike Fechner on 25-Jun-2014 04:39

I'm not a crypto expert at all. But on Windows (GUI, TTY, AppServer) you could use .NET Libraries:

stackoverflow.com/.../hash-password-in-c-bcrypt-pbkdf2 or www.shawnmclean.com/.../simplecrypto-net-a-pbkdf2-hashing-wrapper-for-net-framework

It should be fairly simple to either build a custom .NET library to do so or translate the code into ABL.

Posted by Michael Jacobs on 25-Jun-2014 05:09

As Mike says, if you have a Windows system available to you it can function as an AppServer whose only task is to use .NET to manage the authentication process and its storage/handling of account passwords. All of your ABL application modules would call in to that Windows AppServer for login and logout operations. It may be more complex than what you currently do, but it is a recognized model for distributed applications.

Mike - I am sure this would work, but have you worked with .NET security libraries in an OE AppServer running on Windows? Curious if there are any examples out there.

Mike J.


Posted by Mike Fechner on 25-Jun-2014 05:13

No, Mike, not a sample at hand. But never have been negatively surprised. The cryptography side of things is not mine :-)

I used .NET code for Active Directory access on Windows. Related,

Posted by agent_008_nl on 25-Jun-2014 06:31

A couple of years ago I got some recommendations from Julio Vassallo on the peg. Alas, I never worked it out because the need for it expired.

Julio Vassallo

2/14/13

to peg

Do not hash passwords with SHA. It wasn't meant for that. It's not a *cryptographic* hashing algorithm. If you care about your users' security you should use bcrypt: http://bcrypt.codeplex.com/

A salt is just something that gets added to the plaintext before you call the hash function. E.g. instead of hash(password), you can salt with the username by doing hash(username + password). In practice, salts are usually some secret token that only you know about, generated per-user (e.g. a UUID that gets stored as a column in the User table). The main point of them is to break rainbow tables so pretty much anything works for a salt.

to Julio, peg

Thanks Julio. Still thinking about this.

FYI: www.unlimitednovelty.com/.../dont-use-bcrypt.html

Julio Vassallo

2/20/13

to me, peg

Yeah, I saw that on HN when it was posted: news.ycombinator.com/item (some great comments there, including from Moxie Marlinspike and Thomas Ptacek)

You can use scrypt if you want, and it's theoretically stronger, but it hasn't been out for as long as bcrypt and implementations are not as widely available. PBKDF2 is worse than bcrypt.
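To make concrete what Mike Fechner's PBKDF2 suggestion and the quoted note on salts amount to in practice, here is an added example (not from the thread, nor an OpenEdge or .NET API): a Python 3 standard-library implementation of salted PBKDF2-HMAC-SHA256 storage with verification and a work-factor upgrade check. The record format, the 600,000-iteration default and all function names are my own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor (my default); raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, generated fresh per stored password


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    Storing salt and iteration count beside the digest is what lets
    verify_password() recompute the hash later and needs_rehash() raise
    the work factor without forcing a password reset.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # per-user random salt defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    algo, iter_s, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format")
    return int(iter_s), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except (ValueError, TypeError):
        return False   # a malformed record is a failed login, not a crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, policy_iterations: int = ITERATIONS) -> bool:
    """True if the stored record is below the current work-factor policy."""
    iterations, _, _ = _parse(record)
    return iterations < policy_iterations


def unsalted_sha256(password: str) -> str:
    """The scheme the quoted note warns against: equal passwords give equal
    digests, so one precomputed table covers every user sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

On a successful login, check `needs_rehash()` and store a fresh `hash_password()` record so old accounts migrate to the current work factor transparently.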

This thread is closed