Thread: Encrypted Passwords

Encrypted Passwords

From
"Rob Abernethy IV"
Date:
How does postgres calculate the MD5 version of a password to store in the
database during user creation?  I am trying to set up a postgres JDBCRealm to
work with Tomcat.  The problem is that the resulting digest from Java is
different than the digest stored in the database for the same word.

clear-text: tomcat
java: 1b359d8753858b55befa0441067aaed3
postgres: md5efcc1c51a80be13b59cdb96d758a0184

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

Re: Encrypted Passwords

From
"Rob Abernethy IV"
Date:
Perl also came up with the same digest as Java.

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> How does postgres calculate the MD5 version of a password to store
> in the database during user creation?  I am trying to set up a
> postgres JDBCRealm to work with Tomcat.  The problem is that the
> resulting digest from Java is different than the digest stored in
> the database for the same word.
>
> clear-text: tomcat
> java: 1b359d8753858b55befa0441067aaed3
> postgres: md5efcc1c51a80be13b59cdb96d758a0184
>
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460

Re: Encrypted Passwords

From
Bruce Momjian
Date:
Rob Abernethy IV wrote:
> How does postgres calculate the MD5 version of a password to store in the
> database during user creation?  I am trying to set up a postgres JDBCRealm to
> work with Tomcat.  The problem is that the resulting digest from Java is
> different than the digest stored in the database for the same word.
>
> clear-text: tomcat
> java: 1b359d8753858b55befa0441067aaed3
> postgres: md5efcc1c51a80be13b59cdb96d758a0184

What did you use as salt?  PostgreSQL uses the user name as salt.
When I run /contrib/pgcrypto's MD5 I get the same value as PostgreSQL.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
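As an added example (not code from the thread or from either project), the scheme Bruce is pointing at, written out in Python: PostgreSQL stores the literal prefix `md5` followed by the hex MD5 of the password with the role name appended, whereas the realm digest described earlier in the thread hashes the password alone, which is why the two values for `tomcat` never line up. The role name `webuser` and the UTF-8 encoding are constructed assumptions; the thread does not say which role was created.

```python
import hashlib
import hmac

# Constructed sample values: the clear-text password quoted in the thread and a
# hypothetical role name (the thread never names the role that was created).
PASSWORD = "tomcat"
ROLE = "webuser"


def unsalted_digest(password: str) -> str:
    """Plain hex MD5 of the password alone, the value Java and Perl produced."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pg_md5_password(password: str, role: str) -> str:
    """PostgreSQL's stored form: 'md5' + hex(md5(password || role_name)).

    The role name is the salt, appended to the password before hashing, so the
    same password stored for two different roles yields two different strings.
    """
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest


def pg_verify(stored: str, role: str, candidate: str) -> bool:
    """Check a candidate password against a stored PostgreSQL md5 value.

    Recomputes the salted digest for *this* role and compares in constant time,
    so a caller that knows the role name can verify without removing the salt.
    """
    if not stored.startswith("md5") or len(stored) != 35:
        return False
    return hmac.compare_digest(stored, pg_md5_password(candidate, role))


def same_password_differs_per_role(password: str, role_a: str, role_b: str) -> bool:
    """True when the salt makes identical passwords hash differently per role."""
    return pg_md5_password(password, role_a) != pg_md5_password(password, role_b)


if __name__ == "__main__":
    stored = pg_md5_password(PASSWORD, ROLE)
    print("unsalted :", unsalted_digest(PASSWORD))
    print("postgres :", stored)
    print("verify   :", pg_verify(stored, ROLE, PASSWORD))
    print("per-role :", same_password_differs_per_role(PASSWORD, "alice", "bob"))
```

The unsalted value reproduces the `1b359d87...` digest quoted in the thread; the stored PostgreSQL value can only be reproduced (or checked) by a caller that also supplies the role name.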

Re: Encrypted Passwords

From
"Rob Abernethy IV"
Date:
Can you tell postgres *NOT* to use a salt when calculating the MD5 digest?  I
found that it prepends the username to the password before making the calculation.

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Perl also came up with the same digest as Java.
>
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
>
> > How does postgres calculate the MD5 version of a password to store
> > in the database during user creation?  I am trying to set up a
> > postgres JDBCRealm to work with Tomcat.  The problem is that the
> > resulting digest from Java is different than the digest stored in
> > the database for the same word.
> >
> > clear-text: tomcat
> > java: 1b359d8753858b55befa0441067aaed3
> > postgres: md5efcc1c51a80be13b59cdb96d758a0184
> >
> > --
> > Robert Abernethy IV
> > Dynamic Edge, Inc.
> > 734.975.0460

Re: Encrypted Passwords

From
Tom Lane
Date:
"Rob Abernethy IV" <abernethy@dynedge.com> writes:
> Can you tell postgres *NOT* to use a salt when calculating the MD5
> digest?

No, and you wouldn't want to.  The salt is an essential security
feature.

            regards, tom lane

Re: Encrypted Passwords

From
"Rob Abernethy IV"
Date:
Well, actually I *do* want to.  My goal is to be able to use my existing set
of database users to authenticate to web apps running in Tomcat.  Tomcat
allows you to set up a JDBC Realm for authentication, which lets you connect
to a database and use usernames and passwords from that database.  The problem
is that Tomcat computes the digest without a salt and, therefore,
authentication is failing because the two digested versions of the same
password are different.

Has anyone else used postgres to set up a JDBC Realm?  Can anyone suggest any
alternatives?

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460


> "Rob Abernethy IV" <abernethy@dynedge.com> writes:
> > Can you tell postgres *NOT* to use a salt when calculating the MD5
> > digest?
>
> No, and you wouldn't want to.  The salt is an essential security
> feature.
>
>             regards, tom lane

Re: Encrypted Passwords

From
Tim Ellis
Date:
> The problem
> is that Tomcat computes the digest without a salt and, therefore,
> authentication is failing because the two digested versions of the same
> password are different.

If there is not a feature within Tomcat to allow adding the username as
a salt to the MD5 hash, then Tomcat is broken. This is so common, I
cannot imagine any product bothering to implement MD5 hashing without
allowing a fairly generic salting API call.

Thankfully, Tomcat comes with source, so it can be fixed if, indeed, it
is broken.

Do not waste any energy trying to get Postgres to not salt the hash,
you'd be using energy ruining one product instead of fixing another.

--
Tim Ellis
Senior Database Architect