Bug 990263 - Insufficient Cryptography Of Hashed User Passwords
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Assigned To: Darran Lofthouse
Josef Cacek
Russell Dickenson
Reported: 2013-07-30 14:00 EDT by Kevin franklin
Modified: 2014-07-08 09:50 EDT (History)

Doc Type: Bug Fix
Last Closed: 2014-07-08 09:50:35 EDT
Type: Bug

Description Kevin franklin 2013-07-30 14:00:40 EDT
Description of problem:
Currently the included hashing for the user passwords in the user properties files is via MD5. This is an insufficient crypto algorithm and it would be desirable to have a FIPS-140 compliant algorithm in its place.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. N/A
Comment 1 Darran Lofthouse 2013-07-31 06:29:10 EDT
There is a lot more to this than just changing the contents of the properties file.

Upstream within WildFly work is underway to enable stronger hashes for Digest authentication - this will allow us to use stronger hashes in these properties files.
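Why this is "a lot more than changing the contents of the properties file", as an added example that is not part of the bug report and not code from EAP or WildFly: the value in the users properties file is not a password hash in the bcrypt sense but the HTTP Digest HA1 value, HEX(MD5(username:realm:password)), as written by EAP 6's add-user script (that layout, the realm name, the user, the password and the nonce below are assumptions and constructed sample data). The server verifies a Digest response from the stored HA1 without ever seeing the password, so the hash function is fixed by the algorithm the client and server negotiate (MD5 in RFC 2617, with SHA-256 added by RFC 7616), and the file can only move to a stronger hash once the authentication mechanism does.

```python
"""Added example: the users.properties value is a Digest HA1, so its hash
algorithm is tied to the Digest exchange, not to the file format.
Not code from the bug, EAP or WildFly; all sample data is constructed."""
import hashlib
import hmac
import secrets

REALM = "ApplicationRealm"  # assumed realm name, as used by EAP 6's add-user script


def ha1(username, realm, password, algorithm="md5"):
    """Value stored in the properties file: HEX(H(username:realm:password))."""
    return hashlib.new(algorithm, f"{username}:{realm}:{password}".encode()).hexdigest()


def parse_users_properties(text):
    """Parse 'user=hash' lines; '#' comments and blank lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        users[name.strip()] = value.strip()
    return users


def digest_response(h_a1, method, uri, nonce, algorithm="md5"):
    """Digest response without qop (RFC 2617 3.2.2.1): H(HA1:nonce:HA2)."""
    h_a2 = hashlib.new(algorithm, f"{method}:{uri}".encode()).hexdigest()
    return hashlib.new(algorithm, f"{h_a1}:{nonce}:{h_a2}".encode()).hexdigest()


def client_authenticate(username, password, realm, method, uri, nonce, algorithm="md5"):
    """Client side: derives HA1 from the password it knows, then answers the challenge."""
    return digest_response(ha1(username, realm, password, algorithm), method, uri, nonce, algorithm)


def server_verify(users, username, method, uri, nonce, response, algorithm="md5"):
    """Server side: recomputes the response from the *stored* HA1; the password is never needed."""
    stored = users.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, algorithm)
    return hmac.compare_digest(expected, response)


def sample_properties(algorithm):
    """Constructed users.properties content for one user, as add-user would write it."""
    return f"# constructed sample file\nalice={ha1('alice', REALM, 'correct horse', algorithm)}\n"


def demo():
    """Map (hash used in the file, hash negotiated on the wire) -> does login verify?"""
    nonce = secrets.token_hex(16)
    method, uri = "GET", "/app/secure"
    results = {}
    for file_alg in ("md5", "sha256"):
        users = parse_users_properties(sample_properties(file_alg))
        for wire_alg in ("md5", "sha256"):
            resp = client_authenticate("alice", "correct horse", REALM, method, uri, nonce, wire_alg)
            results[(file_alg, wire_alg)] = server_verify(users, "alice", method, uri, nonce, resp, wire_alg)
    return results


def stolen_file_authenticates():
    """Caveat: HA1 is password-equivalent. Whoever reads the file can answer
    the challenge directly, without knowing or cracking the password."""
    users = parse_users_properties(sample_properties("md5"))
    nonce = secrets.token_hex(16)
    forged = digest_response(users["alice"], "GET", "/app/secure", nonce)  # no password used
    return server_verify(users, "alice", "GET", "/app/secure", nonce, forged)


if __name__ == "__main__":
    for combo, ok in demo().items():
        print(f"file={combo[0]:7} wire={combo[1]:7} verifies={ok}")
    print("stolen HA1 logs in:", stolen_file_authenticates())
```

Only the two diagonal cases verify: a file "upgraded" to SHA-256 HA1 values stops MD5 Digest clients from logging in, and an MD5 file cannot serve SHA-256 clients, which is why the hash change has to land in the Digest implementation first. The second function is the caveat to keep in mind when treating these files as merely "hashed": the stored value is a reusable credential for Digest, so file permissions matter as much as the hash algorithm.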
Comment 2 Toufic Arabi 2013-07-31 09:23:06 EDT

In the push to get the U.S. government to embrace open source technologies more, we have to abide by STIG (define STIG here) requirements that mandate that passwords follow FIPS 140-2 algorithms.

We know that the Vault is getting a FIPS 140-2 compliant algorithm in 6.1.1. We wanted to raise an issue about the hashed passwords in the properties files as well.

While our clients might get by with getting waivers for a short period of time, this would put EAP at a risk of staying in production mode once the waivers expire.

Of course there are technical challenges to accomplish this, however the solution implemented would allow to ensure EAP's presence in the DoD space.

Comment 3 Darran Lofthouse 2013-07-31 09:41:51 EDT
The other options are that those users can either provide their own plug-in for the realm that meets their needs, or delegate to JAAS and a login module that meets their needs.

The current properties files should not be seen as a barrier, they are just a default initial configuration.
Comment 4 Toufic Arabi 2013-07-31 09:49:18 EDT
Your comment is correct.

However the clients that we have will either use the properties files or move to LDAP. No databases are used to host passwords and usernames.

Their end clients are military sites with different budgets/restrictions... Therefore not all of them are able to use LDAP.

I understand your frustration, but this is a complaint that we have received from DoD clients for a while. (EAP 5 included)
