Oc_credentials security? #17439
server/lib/private/Security/CredentialsManager.php Lines 53 to 69 in c54a59d
server/lib/private/Security/Crypto.php Lines 84 to 103 in be5c050
I would say yes.
Sure. Everything is open. Please use https://help.nextcloud.com for questions.
Hi @kesselb, just to let you know, I told him he would be better off asking the developers these questions. We in the forum don't have much insight. Especially when it comes to questions about why certain hash functions have been chosen, the broader community is missing the information, I think.
Seems valid. Do you think the answer is sufficient? We can still ping some of the paid engineers. But the question is not specific.
Thanks :) Well, I'm not sure; @tanguy-opendsi, does this answer your question? And the DB table oc_credentials seems to save a value consisting of where "iv" seems to be a random number based on the length of a string. I don't understand what iv could mean or what ivLength is about. But maybe you understand that.
@Schmuuu Thanks for your reply. Yes, I understand the HMAC but, like you, not the IV.
cc @nextcloud/security 🏓
IV = Initialization Vector, which is required as this is using AES in CBC mode. https://en.wikipedia.org/wiki/Initialization_vector has some more details. |
@LukasReschke Does that mean HMAC uses AES?
The HMAC is there to provide integrity. AES CBC alone doesn’t provide that. The answer at https://security.stackexchange.com/questions/63132/when-to-use-hmac-alongside-aes is describing this quite well. |
I guess it would be good if you could rephrase your original question so that we can give a better answer :-) What are your concerns? What do you want to protect against? |
@LukasReschke Isn't it futile to encrypt the password, considering that if an attacker compromises the system he can easily obtain the secret?
Hi,
Can I get information about the algorithm used to hash passwords inside oc_credentials?
I think this is a synchronous hash because Nextcloud needs it for external storage, but I'm not sure?
Best regards