agreement password security

[loberste]

hash algorithm:

• sha 256 + salt

create profie:

• hash password locally, save hash locally
• upload hash

login:

• send hash to server, server checks if hashes are similar

edit profile:

• if password was changed, new password hash will be saved locally and sent to server
• if not, everything but the password will be saved locally and sent to server

[loberste]

@inf2381 do you think this is a good practice? Because we thought about this being higher security by not sending the password plain via web requests

[inf2381]

Common practise is to add a "salt" to the hash. My instructor for IT-Security suggested the following website: https://crackstation.net/hashing-security.htm

[loberste]

Okay cool! Should we take this extension? https://github.com/krzyzanowskim/CryptoSwift Salt function is even implemented :-)

[horsson]

Hi, The CryptoSwift is good to use. As there're huge stars on it. If the server is configured with TLS/SSL, sending password/hash value isn't a problem, as the communication is encrypted.

[horsson]

By the way, if you have TLS setup on the server side, it should be better transport the password directly to the server instead of doing hash on the client side. Just image that, if you have another type of client, you should implement the hash again and again.

[loberste]

Cool! Thank you, @horsson ! That means if the encrypted communication is safe, we could do it like: @BartoszWilkusz is the connection TLS/SSL encrypted?

To Store a Password

• Generate a long random salt using a CSPRNG. (cryptoswift supports AES IV?)
• Prepend the salt to the password and hash it with a standard password hashing function like Argon2, bcrypt, scrypt, or PBKDF2. (CryptoSwift: SHA256
• Save both the salt and the hash in the user's database record.

To Validate a Password

• Retrieve the user's salt and hash from the database.
• Prepend the salt to the given password and hash it using the same hash function.
• Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect.

[horsson]

Hi @loberste , Please have a look at a nice article: https://crackstation.net/hashing-security.htm

[BartoszWilkusz]

Following the documentation https://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/2.0.00/en-US/d33b259c567441aa97e99228dc0f2088.html I don't have the role sap.hana.xs.wdisp.admin::WebDispatcherAdmin to access the configuration.

But we are using https for communication with Hana, so it should have at least SSL, right?

[horsson]

yes. SAP Cloud Platform offers you the security infrastructure

[BartoszWilkusz]

I have a technical question about sha256 hashing in xsjs and SAP Hana. In this exclusive "documentation" about the crypto namespace, we have the choice between MD5, sha1 and sha256. We will use sha256.

When using the API, i get an ArrayBuffer as a result. Does someone has a hint how i can compare hashed password? Because something like this dosn't work (hashBool is still false):

var hashBool = false;
var hashedPassword = $.security.crypto.sha256(user.password);
var secondhashed = $.security.crypto.sha256(user.password);
if (hashedPassword === secondhashed) {
      hashBool = true;
}

Another point is, how i store an ArrayBuffer in the database? What is the right data type? Is it VARBINARY? SHA256 is always 256 bits long, equivalent to 32 bytes, or 64 bytes in an hexadecimal string format. I will try this solution.

Sorry for the lack of skill. I searched about this, but couldn't resolve the problem.

Thanks!

[horsson]

Hi, It seems that hashedPassword and secondhashed are the type of ArrayBuffer. The === comparison will compare the reference of the two objects. Please searching for "ArrayBuffer comparison" on google.