Administrator

Hashing Customer Credentials

Any customer (consumer, merchant, agent, or system user) credentials are stored, in a hashed format, in MOB_CUSTOMER_CREDENTIALS. SAP Mobile Platform supports different hashing algorithms. The STR_CREDENTIAL is always prefixed with the hashing algorithm in curly brackets, for example, {<HASH-ALGORITH>}<HASHVALUE>.

Configuration of hashing algorithms is controlled through preferences.

  • Preferences node: /businesslayer/com/sybase365/mobiliser/money/businesslogic/umgr/impl/SmartPasswordEncoder
  • ConfigAdmin PID: com.sybase365.mobiliser.money.businesslogic.umgr.impl.SmartPasswordEncoder
You can set these configuration options:
Key Value Description
algorithms SHA,SHA-256,SHA-512,SHA-512:1,SHA- 512:10000,PBKDF2WithHmacSHA1:10000,BCRYPT:10, SSHA-512:10000,SPBKDF2WithHmacSHA1:10000 Indicates a comma-separated list of supported hashing algorithms.
encodeAlgorithm SSHA-512:10000 Defines the algorithm to use for storing and encoding new credentials.
defaultAlgorithm SHA Defines the algorithm to use for credential validation if the algorithm is not specified with the stored credential.

You can change the default configurations within certain boundaries. You can add new hashing algorithms only when they are provided through JCE—that is, the hashing algorithms come with your JDK. However, you can change the number of iterations, which is the numeric value after the colon, to either increase or decrease performance or security if required.

Security Logic

Each time a customer's credential is checked, Mobiliser validates whether the hashing algorithm is configured to be updated with the 'encodeAlgorithm'.

  • Preferences node: /businesslayer/com/sybase365/mobiliser/money/businesslogic/umgr/impl/SecurityLogic
  • ConfigAdmin PID: com.sybase365.mobiliser.money.businesslogic.umgr.impl.SecurityLogic
You can set this configuration option:
Key Description
hashUpdatePattern Identifies the hash upgrade pattern, which is a Java regular expression (regex) pattern class. If set to <null>, no password upgrade is performed; otherwise, any hashed password that matches this pattern is rehashed using the current 'encodeAlgorithm'. By default, this value is not configured. SAP suggestes that if you use this key, write a negated regex. For example, to transition all hashes to BCRYPT:10, use:
^(?:(?!\{BCRYPT:10\})).+$ 

Spring Security

You must reconfigure Spring Security to allow access to the plain text password for rehashing. Update this node: com.sybase365.mobiliser.framework.gateway.security.filters.standard

Set the osgiProviderManager.eraseCredentialsAfterAuthentication key to FALSE, which means credentials are not cleared from the authentication object returned from Spring Security, allowing the plain text password to be rehashed.

The actual value stored in STR_CREDENTIAL depends on the hashing algorithm. All hash values are Base64-encoded. For all algorithms that do not use random salt values, the customer ID is used as the salt value. Random salts are always 16 byte.
SHA: BASE64(HASH(<SALT>|<HASH>))   
SSHA: BASE64(<SALT>HASH(<SALT><HASH>))   
PBKDF2: BASE64(HASH(<SALT>,<HASH>))   
SPBKDF2: BASE64(<SALT>HASH(<SALT>,<HASH>))   
BCrypt: $2a$<ROUNDS#>$BASE64(<SALT><HASH>) 
SAP Mobile Platform comes with a Java executable for computing hash values:
./tools> java-jar com.sybase365.mobiliser.vanilla.cli-tools-5.1.3.RELEASE-CLIPasswordEncoderClient.jar