Determine specifics of Crowd's password hashing scheme

Description

According to this post Crowd passwords are stored as text in the DB.

Based on investigation of the values stored in the DB, Crowd uses PKCS5S2 encryption, which is explained here

Upon the switch away from Crowd, all three clients (web, Python, R) should send passwords only after applying the encryption scheme.

Environment

None

Activity

Joseph Wu
October 1, 2013, 12:14 AM
Edited

Password scheme (currently a guess):

  • Stored as a 48-byte, base64 encoded string, with a prefix of '{PKCS5S2}'

  • First 16 bytes are the salt used

  • Latter 32 bytes are the HMAC_SHA1 checksum of the password

  • The checksum is calculated via the standard PBKDF2 algorithm, with 10000 repetitions

Joseph Wu
October 1, 2013, 1:01 AM

The initial guess was not correct (still brute forcing the number of repetitions).

This suggests a different algorithm:
https://docs.atlassian.com/atlassian-user/1.7/xref/com/atlassian/user/impl/osuser/security/password/OSUPasswordEncryptor.html

Joseph Wu
October 1, 2013, 5:56 PM

This post suggests that the algorithm is correct:
https://jira.atlassian.com/browse/CWD-1137?focusedCommentId=485549&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-485549

Still brute-forcing the number of repetitions (almost to 27500 rounds)...

Joseph Wu
October 1, 2013, 8:54 PM

Oops, forgot that my Crowd-Dev password is different from my Crowd-Prod password.
The password scheme in the first scheme is correct.
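
Worked example of the scheme listed in the first comment and confirmed above, added here and not code from the ticket or from Atlassian. It assumes the parameters as stated (16-byte salt, 32-byte PBKDF2-HMAC-SHA1 output, 10000 iterations, base64 of salt followed by key, with the {PKCS5S2} prefix) and that passwords are UTF-8 encoded before hashing; the verifier also rejects malformed stored values instead of raising, which is the behaviour a login path wants.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{PKCS5S2}"
SALT_LEN = 16       # first 16 bytes of the decoded blob
KEY_LEN = 32        # remaining 32 bytes: PBKDF2-HMAC-SHA1 output
ITERATIONS = 10000  # repetitions confirmed in the ticket


def pkcs5s2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a Crowd-style {PKCS5S2} string for `password`.

    A fresh random 16-byte salt is drawn unless one is supplied; a fixed
    salt is only useful for reproducing a value already stored in the DB.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 16 bytes")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=KEY_LEN)
    return PREFIX + base64.b64encode(salt + dk).decode("ascii")


def pkcs5s2_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {PKCS5S2} value.

    Returns False (never raises) on a malformed value, so a corrupt DB row
    fails the login rather than crashing the request.
    """
    if not stored.startswith(PREFIX):
        return False
    try:
        blob = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) != SALT_LEN + KEY_LEN:
        return False
    salt, expected = blob[:SALT_LEN], blob[SALT_LEN:]
    actual = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=KEY_LEN)
    # constant-time comparison: no timing leak on how many bytes matched
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    h = pkcs5s2_hash("correct horse")  # constructed sample password
    print(h, pkcs5s2_verify("correct horse", h), pkcs5s2_verify("wrong", h))
```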

Joseph Wu
October 1, 2013, 8:59 PM

To validate:

Assignee

Joseph Wu

Reporter

Joseph Wu

Labels

None

Validator

Xavier Schildwachter

Development Area

None

Release Version History

None

Priority

Major