Use of TA_WS_SOAP_HEADER in SALT

Similar Messages

• Validating a SHA hash with a 4byte salt in ldap

  I am using Sun Directory version 5.2 patch 6 on Solaris (5.10 Generic_118833-36)
  Is it possible to store and verify a 4 byte salted SHA in userPassword field in ldap?
  I compute a SHA-1 digest for the password using a 4byte salt. The digest and salt are then Base64 encoded and stored in ldap.
  However, when I try to verify the password, it fails and says invalid credentials.
  Is there any limitation in ldap that it can only use SSHA-1 with salt of 8 bytes?
  Or can we configure the ldap to use salt of 4 bytes
  Thanks

  I have to ask, why are you manually doing the comparison? Why not just bind and let the directory server do the heavy lifting? Anyway, DSEE uses an 8 byte random salt and cannot be configured to use a 4 byte salt. It's not a limitation, rather a security measure to make it harder to use a rainbow table to guess the password.

• MD5 Password and Salt strategy

  Hey all.
  I'm about to implement encyrypting our application passwords into the db using MD5.
  It was brought to my attention that I should use some 'salt' on the password to help avoid a dictionary attack on the encrypted passwords in the db. This is not a big concern, as our db is protected, and if someone is running queries against it, they pretty much have the whole system. I do however want to do a good a job as possible, so if it adds some security to it, then why not.
  So what is a realistic approach for this situation. Would I just encyrpt 'password' + 'username', where 'username' is the salt. I've seen some mention of using something random for salt, but how would I track that when I need to check the password when the user logs in?
  Any advice on the topic would be appreciated.
  Regards,
  Vic

  I recommend reading the PKCS#5 standard which is available at http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html. Chapter PBKDF2 describes just what you are looking for with the addition of an iteration count. If you have just one field to store the hashed (not encrypted) password you can concatenate the salt and the password hash to form one field.
  The salt has to be unique among the users, so using the user name as the salt is quite appropriate.
  Oh, and remember to store the hash as something readable like in Base64 encoding or as a hex string.
  Regards,
  Frank

• Cryptography - salt

  I have a question about what peoples views are on storing salts when using them in combination with a cryptographic hash function (let me say SHA-512 for my example).
  Pseudocode
  final byte[] salt = // get 64 bit salt
  MessageDigest md = MessageDigest.getInstance("SHA-512");
  md.update(salt); // salt
  byte[] bytes = md.digest( // etc ..., including iterating the hash operation
  My question is to the "get salt" part.
  Is it acceptable to store a secret salt in a file, separate from the passwords in the database, and use the same salt for every password? The alternative is to use a different salt each time and store the salt with the password in the database.
  Surely if your database is compromised it is better that the attacker has the hashed passwords without the salt than the hashed passwords with the salt? But I have heard different view when looking on the internet.
  Imagine you are looking for the most secure way.

  jakain2 wrote:
  Is it acceptable to store a secret salt in a file, separate from the passwords in the database, and use the same salt for every password?No, that's not acceptable.
  A salt has two functions:
  First: it avoids simple rainbow-table attacks on your database. This can kind-of be avoided by using a secret salt, but is better done by using a random "public" salt for each password
  Second: it avoids two identical passwords in your system to show up as identical hashes. Using a secret, common salt would defeat that purpose.
  Don't underestimate the second element. Assume that the attacker gets access to the system via an account with a weak password (let's say it's "test"). Now he gets access to the DB via some attack. Suddenly he has the names and data of all other users that use the same weak password. And since people are likely to re-use passwords (even very weak ones), this suddenly means that he can probably compromise a lot more than "just" your system.
  The alternative is to use a different salt each time and store the salt with the password in the database.That's what you should do.
  Surely if your database is compromised it is better that the attacker has the hashed passwords without the salt than the hashed passwords with the salt?What you suggest here is security through obscurity.
  If you assume that your database is compromised, then it's also pretty likely that the attacker has access to the code doing the checks, i.e. he has access to the salt value.
  Then this scheme breaks down again, because you're back to a pretty much salt-less system

• Encrypt / Decrypt password

  Hi
  I'm new in Java and I need to create a function to encrypt / decrypt passwords using the Blowfish algorithm. I know how to create a key, but I don't know how to recover it to decrypt the password.
  Another question, Is it possible to use public/private keys in this case???.
  Can you give some links or examples please???
  Regards
  J.C.

  This is typically done either one of two ways:
  1) PBE based encryption. This uses a password or pass phrase to derive
  a key to use with a symmetric algorithm.
  2) Asymmetric using something like RSA. Typically RSA is used to wrap
  the actual symmetric key used to do the encryption but for very short
  plaintext it can be used directly on the plaintext. Passwords are a
  good example of short plaintext.
  Obviously symmetric encryption is a great deal faster than asymmetric
  encryption. So if your plaintext was large you would want to use
  symmetric. Also Asymmetric encryption is length dependant. AKA if your
  public key's modulus is 1024 bits then you could encrypt any plaintext
  that was 121 bytes or shorter.
  PBE takes a salt (a random byte array) and an iteration count and
  hashes a passphrase with the salt iteration number of times to generate
  a key that can be reproduced over and over again and used with a
  symmetric algorithm. The issue here is that your salt/ic either need
  to be hard coded and reused or the values for any single encryption
  need to be saved along with the ciphertext. Using the same ic/salt for
  a large number of plaintext to ciphertext operations can lead to a
  weakening of the pass phrase (aka the key) and aids a cryptoanalyst in
  breaking the code. Although it is still difficult it becomes easier
  with each successive encryption.
  Its upto you which route you take but you should note that private keys
  used in asymmetric encryption use PBE to keep them private anyway so in
  a sense if you use asymmetric encryption you are really using both
  asymmetric encryption and PBE...

• How to encrypt password with hash function in Java?

  Hello, everybody!
  I will need to store user passwords in a database, but for stronger security I want to store these passwords hashed, so I know I will need a column for the password and for the salt value.
  So, I'd like that you indicate me a very good article or tutorial (preferable from Sun) that shows me how to use Java to encrypt and decrypt passwords with hash. It doesn't necessarily need to deal with database. I can implement this part myself after seeing how Java manage encryption with hash functions.
  Thank you very much.
  Marcos

  I will tell you more precisely what I want to get better for you to help me.
  As I said I implemented in .NET what I need to implement in Java now. In my
  database I have a table with this structure (I omitted that columns that are not
  necessary to our discussion):
  CREATE TABLE EMPLOYEES
  ID NOT NULL PRIMARY KEY,
  PASSWORD VARCHAR(40), -- password encrypted
  HASH_SALT VARCHAR(10) -- salt value used to encrypt password
  So, in the table I have a column to store the password encrypted and a column to
  store the salt value.
  Below is a little utility class (in C#) that I use to generate the salt and
  the hashed password.
  public static class PasswordUtilities
      public static string GenerateSalt()
          RNGCryptoServiceProvider encoder = new RNGCryptoServiceProvider();
          byte[] buffer = new byte[5];
          encoder.GetBytes(buffer);
          return Convert.ToBase64String(buffer);
      public static string EncryptPassword(string password, string salt)
          string encryptedPassword =
              FormsAuthentication.HashPasswordForStoringInConfigFile(
              password + salt, "SHA1");
          return encryptedPassword;
  }As you can see, the class is fairly simple. It only has two methods: one to
  generate the salt value that will be used to encrypt the password and another
  one to encrypt the password. The method HashPasswordForStoringInConfigFile of
  the FormsAuthentication class is what really hash the password with the salt
  value. This class belongs to the .NET library, so we can't see its source code,
  but it doesn't matter for our discussion as I know that we can implement
  something similar in Java.
  Below is a little sample code showing the use of the utility class above to
  encrypt a password.
  public class Encrypt
      public static void Main(string args[])
          string password = "Secret";
          string salt = PasswordUtilities.GenerateSalt();
          string encryptedPassword = PasswordUtilities.EncryptPassword(password, salt);
          // now I store 'encryptedPassword' in the PASSWORD column and 'salt'
          // in the HASH_SALT column in the EMPLOYEES table.
  }To verify if a password is correct I can use the code below:
  public class VerifyPassword
      public static void Main(string args[])
          string password = GetPasswordFromUser();
          // Let's assume that employee is an instance that corresponds to a row
          // in the database and the properties HashSalt and Password correspond
          // to the HASH_SALT and PASSWORD columns respectively.
          Employee employee = GetEmployeeFromDatabase(1);
          string salt = employee.HashSalt;
          string encryptedPassword = PasswordUtilities.EncryptPassword(password, salt);
          bool passwordMatch = employee.Password.Equals(encryptedPassword);
          System.Console.WriteLine(passwordMatch);
  }The only thing that interest me in this discussion is the PasswordUtilities class.
  As you saw its code is in C#, using the .NET framework libraries.
  What I want is to have this same little class coded in Java, to generate the salt
  value and to encrypt the password passed in using salt value generated. If you could
  help me to do that with articles that have what I want or with code that already do
  that I would really appreciate.
  Thank you in advance.
  Marcos

• A Brand New Breed of FREE, Online Events for Oracle Tuxedo Users

  Sorry for the plug, but I'll be giving the keynote at this virtual conference. :-) I would encourage you to register as I believe there will be a lot of new and interesting material covered, as well as some instructional hands on labs. You will be able to download a VirtualBox VM with all the necessary components on it, or run the labs in the Rackspace hosting environment.
  Oracle Tuxedo, a strategic component of Oracle Fusion Middleware, has significantly evolved during last several years to meet requirements of today's enterprise applications. With introduction of features such as, native Web services, an extremely easy-to-use new programming model, metadata driven development, support for Python/Ruby programming languages and much more, Oracle Tuxedo provides a complete platform for enterprise application development. How do you keep up with all the advances in Oracle Tuxedo?
  Join us at this free, online, multi-language event series to learn how you can get the most out of your existing Tuxedo services and quickly develop new Web applications.
  •     Learn new Oracle Tuxedo features from the comfort of your laptop
  •     Learn what Python, Ruby, and PHP have to do with Oracle Tuxedo
  •     Get Hands-on either locally with VirtualBox or hosted via the Cloud
  •     Network Online with Peers, Oracle Tuxedo architects and developers worldwide
  •     Live Chat in virtual chatroom
  •     Sessions, Labs, and Live Help in LOCAL Language!
  •     Post-event access to conference material
  •     Cloud Hands on Labs powered by Rackspace
  Review the agenda details, dates, and language support options.
  Space is limited, so register for this event now!
  For information and to register go to: http://www.oracle.com/goto/otnvdd
  Regards,
  Todd Little
  Oracle Tuxedo Chief Architect

  Hi,
  Tuxedo is unable to make any HTTPS calls other than SOAP/HTTPS. So if you are using web services, then SALT can perform SOAP/HTTPS calls, although I don't believe we support the message signing feature of WS-Security (although you might want to check the SALT 10gR3 or later documentation.)
  We are considering adding support for HTTP/HTTPS directly in Tuxedo, but that feature is not available in any current version of Tuxedo. What exactly are you trying to accomplish?
  Regards,
  Todd Little
  Oracle Tuxedo Chief Architect
  PS It would have been better to start a new thread for this question. :-)

• Calling one WTC service from another WTC service

  Hi,
  We have a service called COLLECT defined in our WTC server.
  Recently we've added a second service called SUM in the same WTC server.
  We were wondering if it's possible to call SUM from COLLECT, and if it is, what configuration changes should be made in order to do it?
  Currently both services are exported by the WTC server (and imported by our Tuxedo).
  Thanks,
  Shy

  Hi Shy,
  Although I haven't tried it, I'm fairly certain you cannot call a Tuxedo EJB using tpcall() within a WTC based application. What I normally advise customers to do when writing a Tuxedo EJB is to implement two separate interfaces. One is obviously the TuxedoService interface that all Tuxedo EJBs must implement. In particular you must implement the service() method that accepts a TPServiceInformation instance that provides access to the typed buffer passed to the EJB. Normally one then extracts the necessary fields or information from the typed buffer, performs whatever necessary business logic needs to be performed, and then constructs a reply typed buffer.
  What I recommend is that you separate out the business logic into a separate interface and have your class implement both interfaces. The service() method would only deal with the marshalling/unmarshalling of the information contained in the typed buffers, and leave all business processing to methods on the second interface. Then if you need to access another "service", you would use the second interface, thus saving you from all the typed buffer manipulation.
  So in your case, the business logic in the second interface of the COLLECT implementation would simply call the SUM implementations second interface (the EJB's business logic) instead of trying to call a Tuxedo service. While this helps in reuse of the business logic, it doesn't address the issue of trying to transparently move a service implementation from say Tuxedo to WLS. If that's what you are trying to do, you might try exporting the SUM service from WTC to the Tuxedo domain gateway, and then importing the SUM service from that gateway. This would likely cause a network round trip if it works, but it's something to consider.
  Another alternative is to use something like the Apache Tuscany/Java project and build your Java applications using SCA. Tuxedo SALT includes a Tuscany/Java binding extension that allows Tuscany/Java applications to transparently call Tuxedo services. The choice of whether to actually call a Tuxedo service or call a Tuscany/Java based SCA service is determine by the binding selection and not changes in your code. Just a thought...
  Regards,
  Todd Little
  Oracle Tuxedo Chief Architect

• From MD5-string to byte array

  Hi fellows, I'm writing a simple cracker for MD5. The hash value has to be passed at command line as argument.
  e.g.
  java Cracker 0cc175b9c0f1b6a831c399e269772661In order to decode the hash value I'm using a brute force approach: therefore I compare a series of strings with the hash value by using the method of the class MessageDigest isEqual(byte[] a, byte[] b). So I encode each string and compare the byte array I get with the byte array of the hash value.
  Here it comes the trouble I'm in:
  when I try to get a bytes array of the MD5 hash value passed as argument of the program , I do get something, but it's not something that the isEqual method of MessageDigest can use to compare. As a result any attempt during the execution of brute force fails, even though the key is one of the string being checked.
  Perhaps am I facing a format problem? Any idea?
  Sorry for my english, it's not my first language
  Thanks to whoever will help

  Almost all questions in these forums about brute force attack on MD5 (or SHA1 or SHA256 etc etc etc) are school, college or university projects and of no practical use. This is almost certainly such a project.
  Unless things have changed in the last year, there is no practical brute force attack on MD5 whereby an input can be generated from an arbitrary output even though two inputs with the same output can be fabricated. A dictionary attack is feasible if no salt is used or a known salt is used since one only has to build the dictionary for one salt value. If a different salt is used for each entry being attacked then a dictionary will be need for each salt being used. Of course if one takes the simple precaution of not using anything that is likely to be in a dictionary then the dictionary attack will likely fail.

• Keyword search with exact phrase

  When I use the filter bar to search for photos I normally don't find myself in this situation. But now when the photos reaches 10 000+ this will be a problem. The searchfunction in LR does not support serching for an exact phrase like the exact phras "Tom". Exactly "Tom" not "Tommy" or "Romtomtom" or anything else containing "Tom".
  The problem appears when I want to search for this exact phrase. I have a real example. I took picture on a golfcompetition called Roland Cup. The founder of the Cup is called Roland. He is not on all pictures of course. The problem occurs when I want to search for the pictures of the founder Roland. If I search with the textfield with is by far the fastest way and type "Roland" I get all the pictures from the competition. That's not how I want it.
  Another example for clearance. Let's say that I take pictures of tomatoes and of course set the keyword "tomato". Later I take pictoures of tomato soup. And keyword it just "tomato soup". Then I want to search for the tomato soup pictures. Of course I now get all the pictures of the soup and the tomatoes.
  Does anyone have any tip how to do without changing the persons keyword to "Roland Andersson" which is the obvious solution?

  Thanks Ian,
  Your answer is part of my answer. Let's say that I took photos in Salt Lake City (classic example huh?). And in Salt Lake City I took pictures of a lake. I keyworded all my photos from Salt Lake City with "Salt Lake City" of course and all my pictures of lakes with lake, of course.
  Now I want to filter all my photos of lakes from all over the world. I then search for - what? If I search for "lake" I get all pictures of lakes and all pictures from Salt Lake City. Not good.
  And if I want to see the lakephotos in Salt Lake City, how do I perform that search in a good way?
  Maybe I'm getting you wrong with the + and !. If I do, can you give me an example how to use them in this Salt Lake City problem.

• Secure XE DB field data

  I have a table in which I need to secure/encrypt the data for one field (salary). The DB is 10G XE, so my options are limited to just what we can create around this free version.
  Ideally, I want to hand off the APEX development and maintenance to someone who should not see this detail, but who will need to access all of the DB using SQL Developer as well as the APEX gui.. in their duties as administrator/developer.
  Right now, the detail is protected within the Apex application by Apex groups and Authorization Scheme's - so only those in the correct group can view the field once logged in. There are currently no DB ID's or Groups created outside of those that come with the DB or that are created during the Apex install.
  Any direction you can provide to protect this field from prying eyes thru Apex or via SQL Developer (like) external DB Mgmt tools?
  Thanks,
  Rich

  Hello,
  About the best you're going to be able to do in that scenario is use the DBMS_CRYPTO package (http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_crypto.htm) to encrypt the field before storing it, using a key (with salt) and decrypt it on the fly when you need to display it etc. Use a packaged routine to perform the encrypt/decrypt process and then make sure you wrap the package so that the source code (i.e. the key/salt you've used) can't be easily determined.
  Of course...if the people you give the DB to have DBA privileges, it then becomes pretty easy to defeat this protection (almost trivial infact), so you can only protect yourself so far.
  Some of the other database editions/features etc make this sort of protection much easier/safer (but that's why you pay for those options..).
  Hope this helps,
  John.
  Blog: http://jes.blogs.shellprompt.net
  Work: http://www.apex-evangelists.com
  Author of Pro Application Express: http://tinyurl.com/3gu7cd
  REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!

• I made this in dreamweaver, can i slap some CSS on it?

  Hi everyone,
  A friend of mine asked me to do a webpage for her, and for
  the most part, I made the page. Its not yet cmpleted, but here's
  the link:
  http://www.helenbwilson.com
  The html pages are already made, but I wanted to format the
  text in the cells in the "About" and "Contact" section, as the
  leading and padding need to be fixed (The text aligns way too close
  to the border of the table/cell). Is it possible to have a CSS
  document where I can put it and all the text in the cells will be
  formatted to my liking?
  And that leads me to my next question of : how difficult is
  it to make this in straight up CSS?
  Any help would be appreciated.
  Thanks, and go easy on me, Im a noob
  -Cesar

  > Is it
  > possible to have a CSS document where I can put it and
  all the text in the
  > cells will be formatted to my liking?
  Certainly.
  > And that leads me to my next question of : how difficult
  is it to make
  > this in
  > straight up CSS?
  Learning how to effectively create pages without using tables
  is an arduous
  process for most people. Although Nick's suggestion is right
  on target,
  it's not very practical for someone asking the questions you
  are asking. I
  suggest you begin to use CSS for content styling and slowly
  migrate into the
  more advanced usages, like floats and other page-placement
  techniques as
  your knowledge increases.
  And learn how to use a grain of salt with the recommendations
  that you do
  this transition instantly, and never use tables for anything
  but tabular
  content. Get pragmatic. If a table works best for a
  praticular purpose,
  there's no shame in using it. Browsers will support tables
  'till the cows
  come home.
  Murray --- ICQ 71997575
  Adobe Community Expert
  (If you *MUST* email me, don't LAUGH when you do so!)
  ==================
  http://www.dreamweavermx-templates.com
  - Template Triage!
  http://www.projectseven.com/go
  - DW FAQs, Tutorials & Resources
  http://www.dwfaq.com - DW FAQs,
  Tutorials & Resources
  http://www.macromedia.com/support/search/
  - Macromedia (MM) Technotes
  ==================
  "psypent81" <[email protected]> wrote in
  message
  news:[email protected]...
  > Hi everyone,
  >
  > A friend of mine asked me to do a webpage for her, and
  for the most part,
  > I
  > made the page. Its not yet cmpleted, but here's the
  link:
  >
  >
  http://www.helenbwilson.com
  >
  > The html pages are already made, but I wanted to format
  the text in the
  > cells
  > in the "About" and "Contact" section, as the leading and
  padding need to
  > be
  > fixed (The text aligns way too close to the border of
  the table/cell). Is
  > it
  > possible to have a CSS document where I can put it and
  all the text in the
  > cells will be formatted to my liking?
  >
  > And that leads me to my next question of : how difficult
  is it to make
  > this in
  > straight up CSS?
  >
  > Any help would be appreciated.
  > Thanks, and go easy on me, Im a noob
  >
  > -Cesar
  >
  >
  >
  >

• A new breed of free email! Worldwide access including WWW, Outlook, mobiles/PDAs etc.!

  Being a gadget freak I own a T68I, T39, 6310I, 7650, 8310, and an IPAQ 3970. I've spent many an hour looking for a unified email solution that would enable me to access my email from not only my favorite email client & web browser but also my mobile devices as well. Eventually I found a solution offered by UPO, here's the link :
  http://www.universalpostoffice.com
  They also offer you a variety of available email addresses including such as mymobile.net, and various other phone/PDA type domains. They're even including 10mb of storage and POP3 access and aren't charging a cent. For how long I don't know. BTW, easy access via GPRS/CSD with any built-in phone email client like the 7650 or T68(I) has!

  Hi,
  Tuxedo is unable to make any HTTPS calls other than SOAP/HTTPS. So if you are using web services, then SALT can perform SOAP/HTTPS calls, although I don't believe we support the message signing feature of WS-Security (although you might want to check the SALT 10gR3 or later documentation.)
  We are considering adding support for HTTP/HTTPS directly in Tuxedo, but that feature is not available in any current version of Tuxedo. What exactly are you trying to accomplish?
  Regards,
  Todd Little
  Oracle Tuxedo Chief Architect
  PS It would have been better to start a new thread for this question. :-)

• MessageDigest.update

  Hello,
  I'm currently writing an iPhone app which connects and authenticates with a server written in Java. Due to security, I want to send the user data encrypted.
  On the server I use:
  byte[] bSalt = base64ToByte(salt);
  MessageDigest digest = MessageDigest.getInstance("SHA-256");
  digest.reset();
  digest.update(bSalt);
  byte[] bToHash = digest.digest(toHash.getBytes("UTF-8"));
  for (int i = 0; i < 3; i++) {
  System.out.println(byteToBase64(bToHash));
  digest.reset();
  digest.update(bSalt); // More secure?
  bToHash = digest.digest(bToHash);
  By now, I managed to hash in Objective C, too, but the salt is the problem. For getting the same hashing results in ObjC, I need to know what MessageDigest.update does. Does it simply compute an OR with the current digest and the salt or what does it do? Thanks for your help.
  Greetings
  Naznaz

  MessageDigest digest = MessageDigest.getInstance("SHA-256");
  digest.reset();The reset() is unnecessary here. You've just created the MessageDigest object. Resetting it won't change anything - there is nothing to change yet.
  digest.update(bSalt);
  byte[] bToHash = digest.digest(toHash.getBytes("UTF-8"));
  for (int i = 0; i < 3; i++) {There is little to gain from repeating the digesting algorithm three times.
  System.out.println(byteToBase64(bToHash));
  digest.reset();Almost certainly wrong. You are throwing away all prior state here, including the salt.
  digest.update(bSalt); // More secure?More secure than what? I suspect you can omit this too.
  bToHash = digest.digest(bToHash);That should almost certainly be update(), not digest(). digest() is the last thing you call, when you get to the last piece of input.
  I need to know what MessageDigest.update does.It's algorithm-dependent, obviously. In this case you are using SHA-256 so you would need to look up that algorithm. It's lengthy!
  Does it simply compute an OR with the current digest and the saltDefinitely not. It applies the specified digest algorithm to its current state and the next piece of input you provide. This code should mirror the code you say you already have working in Objective-C.
  But none of this is encryption. It is message-digesting. The result cannot be decrypted.

• How do I tranform a string that was strored in binary/hex in SQL back to hex/binary to store it in another location

  I have a local database where the password is stored as binary for security.  I do not want the original.  I need to be able to restore a person's password if they don't login for a long time (two onths or more...the system deletes their password). 
  If I store the binary/hex password by name, I should be able restore the hex/binary to the table and they can login.  How do I convert the string back to a hex value to set into the tble again ?

  I have a local database where the password is stored as binary for security. 
  That's not secure, never store passwords, use (store) only hash (+salt) values for compare:
  http://en.wikipedia.org/wiki/Cryptographic_hash_function
  http://en.wikipedia.org/wiki/Salt_(cryptography)
  Olaf Helper
  [ Blog] [ Xing] [ MVP]