2

In my database I've a field for the user password (User.UserPassword), I'm using SHA1 algorithm to hash the user input and then I hash it with a salt. Ok, that's fine.

But now I'm authenticating CIFS users too. One protocol of CIFS is NTLMv1, which uses MD4 16 bits (very insecure) for my Samba Java Server.

I can't convert MD4 to SHA1 or compare those hash results. So, I need to save two hashs or compare them. So, I can:

  • Save the MD4 hash into User.UserPasswordMD4.

  • Save the MD4 hash into some other table, like ExternalAuthenticators

  • Save the user full text password and convert it (Blargh)

  • Spring Security (I don't know how to do it, yet)

  • Your option goes here...

Can anyone help me?

Sergio Figueras
  • 297
  • 1
  • 6
  • 18

1 Answers1

1

Looks like you should store somewhere that RC4 hash, because both client and server should do the same actions on challenge bytes and than server should compare results.

  • Saving plain text password - bad idea, forget about it.
  • If you save it as PasswordMD4 in database - it not add security more then PC4 by self.
  • Saving in other table - no different with previous variant.
  • Spring security - don't know how it can be apply here.

You can store important or all DB data on encrypted partition, but it degrade performance a little.

I can suggest store RC4 password into SHA-1 field, but encrypted. 3DES will be enough, maybe with some salt. You already should have salt somewhere for your SHA-1 hash. When you need RC4 hash, simple decrypt value from DB, subtract (or XOR) salt and do usual authentication procedure.

And don't use NTLM v1, it is old and unsecure.

user1516873
  • 5,060
  • 2
  • 37
  • 56