OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [wss-comment] Password Digest

I'd have to agree. A reversible hash really doesn't provide additional
security in terms of physical access or unprotected over the wire
security gaps compared to clear text. At best it simply slows down the
discovery by a negligible amount for any electronic attack. Granted a
human viewing the info can't decode SHA-1 in their head (at least not
most humans <g>).


>>> Ronald van Kuijk <rvkuijk@abz.nl> 10/6/2003 7:20:01 PM >>>
I'm no real security expert but as you describe it, aren't the
risks the same with both?
1.  Base64(SHA-1(nonce + created + password))
2.  Base64(SHA-1(nonce + created + SHA-1(password)))  
In case 1 you store it cleartext on the server and and use it
on the client side
In case 2 you store it sha-1 on the server and use it sha-1 on the
client side

In both cases you could steal the content of e.g. the ldap server and
get into the system. The issue, imho, IS what is send over the network
and not (mainly) what is stored. You own the machine it is stored on
most cases) you do not however own the network.


> -----Oorspronkelijk bericht-----
> Van: eclogue chang [mailto:e1bridge@yahoo.com] 
> Verzonden: dinsdag 7 oktober 2003 0:24
> Aan: wss-comment@lists.oasis-open.org 
> Onderwerp: [wss-comment] Password Digest 
> UsernameToken Profile, working draft 4, 11/08/2003,  
> Line 106-108 talks about digested password offers no
> additional security. Did I miss something here? The
> issue is not what is sent over the network; instead it
> is how the services side compares the password. If the
> clear text password is used, then the Services
> Provider has to store the clear text password for
> password validation. This is a security issue. 
> Also, Line 119 Password_Digest = Base64(SHA-1(nonce +
> created + password))  has the same problem. In this
> case, the Service Provider unable to store hashed
> password, instead it has to store the clear text
> password in its database. This will create a big
> security issue. 
> If the password digest change to the follow, then this
> issue goes away.  
> Password_Digest = Base64(SHA-1(nonce + created +
> SHA-1(password)))  
> Can this suggestion be considered? 
> Eclouge  Chang 
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com 
> To unsubscribe from this list, send a post to 
> wss-comment-unsubscribe@lists.oasis-open.org, or visit 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]