Hashing Customer Credentials

Credentials of any customer (consumer, merchant, agent, or system user) are stored in hashed form in MOB_CUSTOMER_CREDENTIALS. SAP Mobile Platform supports several hashing algorithms. STR_CREDENTIAL is always prefixed with the name of the hashing algorithm in curly brackets, that is, {<HASH-ALGORITHM>}<HASHVALUE>, so that a stored value can be validated with the algorithm it was created with even after the configured algorithm changes.

Configuration of hashing algorithms is controlled through preferences.

  • Preferences node: /businesslayer/com/sybase365/mobiliser/money/businesslogic/umgr/impl/SmartPasswordEncoder
  • ConfigAdmin PID: com.sybase365.mobiliser.money.businesslogic.umgr.impl.SmartPasswordEncoder
You can set these configuration options:

  • algorithms
    Value: SHA,SHA-256,SHA-512,SHA-512:1,SHA-512:10000,PBKDF2WithHmacSHA1:10000,BCRYPT:10,SSHA-512:10000,SPBKDF2WithHmacSHA1:10000
    Description: Comma-separated list of the hashing algorithms that may appear in a stored credential. The numeric value after the colon is the iteration count (for BCRYPT, the cost factor); a leading S (SSHA-512, SPBKDF2WithHmacSHA1) marks the variant that uses a random salt.
  • encodeAlgorithm
    Value: SSHA-512:10000
    Description: The algorithm used to hash new credentials, and to rehash existing ones when an upgrade is triggered (see Security Logic below).
  • defaultAlgorithm
    Value: SHA
    Description: The algorithm used to validate a stored credential that carries no {<HASH-ALGORITHM>} prefix.

You can change the default configuration within certain boundaries. You can add new hashing algorithms only if they are provided through JCE, that is, they ship with your JDK. You can freely change the iteration count (the numeric value after the colon): a higher count makes every hash computation slower, for an attacker guessing passwords offline as well as for the server validating logins, so it trades throughput for brute-force resistance. Changing encodeAlgorithm affects only credentials hashed from then on; existing credentials keep their prefix and algorithm until they are rehashed.

Security Logic

Each time a customer's credential is checked, Mobiliser also decides whether the stored hash should be upgraded to the current 'encodeAlgorithm'.

  • Preferences node: /businesslayer/com/sybase365/mobiliser/money/businesslogic/umgr/impl/SecurityLogic
  • ConfigAdmin PID: com.sybase365.mobiliser.money.businesslogic.umgr.impl.SecurityLogic
You can set this configuration option:

  • hashUpdatePattern
    Description: A Java regular expression (java.util.regex.Pattern) that selects the stored credentials to upgrade. If set to <null>, no password upgrade is performed; otherwise, any stored credential whose full value (including the {<HASH-ALGORITHM>} prefix) matches this pattern is rehashed with the current 'encodeAlgorithm' the next time it is checked. By default, this value is not configured. SAP suggests that if you use this key, you write a negated regex, so that everything not already in the target format is selected, including legacy values that have no prefix at all. For example, to transition all hashes to BCRYPT:10, use:
    ^(?:(?!\{BCRYPT:10\})).+$
    Note: BCrypt greatly reduces login throughput, so use it only if it is a strong security requirement.

Spring Security

You must reconfigure Spring Security so that the plain-text password is still available after authentication, because rehashing needs the password, not the old hash. Update this node: com.sybase365.mobiliser.framework.gateway.security.filters.standard

Set the osgiProviderManager.eraseCredentialsAfterAuthentication key to FALSE. Credentials are then not cleared from the authentication object returned by Spring Security, which allows the plain-text password to be rehashed. Keep in mind that the password is then retained in that object for as long as it lives; once the migration of existing credentials is complete, consider restoring the previous setting.

The actual value stored in STR_CREDENTIAL depends on the hashing algorithm. All hash values are Base64-encoded. For the algorithms that do not use a random salt (SHA, PBKDF2), the customer ID is used as the salt and is not stored with the hash. Random salts are always 16 bytes and are stored in clear in front of the hash inside the Base64-encoded value, which is how validation recovers them. In the formats below, <PASSWORD> is the plain-text credential being hashed:
SHA: BASE64(HASH(<SALT>|<PASSWORD>))
SSHA: BASE64(<SALT>HASH(<SALT><PASSWORD>))
PBKDF2: BASE64(HASH(<SALT>,<PASSWORD>))
SPBKDF2: BASE64(<SALT>HASH(<SALT>,<PASSWORD>))
BCrypt: $2a$<ROUNDS#>$BASE64(<SALT><HASH>)
SAP Mobile Platform comes with a Java executable for computing hash values, for example to create a credential for a system user by hand:
./tools> java -jar com.sybase365.mobiliser.vanilla.cli-tools-5.1.3.RELEASE-CLIPasswordEncoderClient.jar
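The following is an added worked example; it is not SAP or Mobiliser code. It models the three pieces described above in one place: the SmartPasswordEncoder keys (algorithms, encodeAlgorithm, defaultAlgorithm), the STR_CREDENTIAL layouts for SHA, SSHA, PBKDF2 and SPBKDF2, and the hashUpdatePattern decision made at check time. Several details are assumptions the page does not state and are marked as such in the code: "|" in the SHA formula is plain concatenation, an iteration count on a SHA-* spec means re-hashing the digest that many times, PBKDF2 output length is the HMAC digest length, a spec without ":n" means one iteration, and a rehash is only issued after a successful check. BCRYPT is left out because it needs a non-standard-library package.

```python
# Added example, not Mobiliser code. Models {ALGORITHM}<BASE64> credentials,
# the SmartPasswordEncoder keys and the hashUpdatePattern upgrade decision.
# Assumptions (not stated on the page): "|" is concatenation; an iteration
# count on SHA-* re-hashes the digest n times; PBKDF2 output length equals the
# HMAC digest length; no ":n" means one iteration; rehash only after success.
import base64
import hashlib
import hmac
import os
import re

SALT_LEN = 16  # the page states random salts are always 16 bytes

# SmartPasswordEncoder keys with the page's values (BCRYPT:10 removed).
ALGORITHMS = ("SHA,SHA-256,SHA-512,SHA-512:1,SHA-512:10000,PBKDF2WithHmacSHA1:10000,"
              "SSHA-512:10000,SPBKDF2WithHmacSHA1:10000")
ENCODE_ALGORITHM = "SSHA-512:10000"
DEFAULT_ALGORITHM = "SHA"
# SecurityLogic.hashUpdatePattern, negated as SAP suggests: everything that is
# not already {SSHA-512:10000}... (prefix-less legacy values included) is due.
HASH_UPDATE_PATTERN = r"^(?:(?!\{SSHA-512:10000\})).+$"

SUPPORTED = set(ALGORITHMS.split(","))
_JCE_TO_HASHLIB = {"SHA": "sha1", "SHA-256": "sha256", "SHA-512": "sha512",
                   "PBKDF2WithHmacSHA1": "sha1"}


def parse_spec(spec):
    """'SSHA-512:10000' -> (salted, base_algorithm, iterations)."""
    name, _, iters = spec.partition(":")
    iterations = int(iters) if iters else 1        # assumed default
    salted = name[1:] in _JCE_TO_HASHLIB           # leading 'S' = random salt
    base = name[1:] if salted else name
    if base not in _JCE_TO_HASHLIB:
        raise ValueError("unsupported algorithm: %s" % spec)
    return salted, base, iterations


def _digest(base, salt, password, iterations):
    if base.startswith("PBKDF2"):
        return hashlib.pbkdf2_hmac(_JCE_TO_HASHLIB[base], password, salt, iterations)
    h = hashlib.new(_JCE_TO_HASHLIB[base], salt + password).digest()
    for _ in range(iterations - 1):                # assumed iteration rule
        h = hashlib.new(_JCE_TO_HASHLIB[base], h).digest()
    return h


def encode(password, customer_id, spec=ENCODE_ALGORITHM):
    """Produce '{SPEC}BASE64(...)' for a new or rehashed credential."""
    salted, base, iterations = parse_spec(spec)
    pwd = password.encode("utf-8")
    if salted:
        salt = os.urandom(SALT_LEN)
        payload = salt + _digest(base, salt, pwd, iterations)  # salt stored in front
    else:
        salt = str(customer_id).encode("ascii")                 # customer ID is the salt
        payload = _digest(base, salt, pwd, iterations)
    return "{%s}%s" % (spec, base64.b64encode(payload).decode("ascii"))


def split_stored(stored):
    """Return (spec, base64); a missing prefix means defaultAlgorithm."""
    m = re.match(r"^\{([^}]+)\}(.*)$", stored)
    return (m.group(1), m.group(2)) if m else (DEFAULT_ALGORITHM, stored)


def verify(password, customer_id, stored):
    spec, b64 = split_stored(stored)
    if spec not in SUPPORTED:
        raise ValueError("algorithm not in 'algorithms': %s" % spec)
    salted, base, iterations = parse_spec(spec)
    payload = base64.b64decode(b64)
    if salted:
        salt, expected = payload[:SALT_LEN], payload[SALT_LEN:]
    else:
        salt, expected = str(customer_id).encode("ascii"), payload
    actual = _digest(base, salt, password.encode("utf-8"), iterations)
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def check_and_upgrade(password, customer_id, stored, pattern=HASH_UPDATE_PATTERN):
    """Login-time check. Returns (ok, replacement): replacement is the rehashed
    credential to write back, or None when no upgrade is due. The plain-text
    password is needed here, hence eraseCredentialsAfterAuthentication=FALSE."""
    if not verify(password, customer_id, stored):
        return False, None
    if pattern is not None and re.match(pattern, stored):
        return True, encode(password, customer_id, ENCODE_ALGORITHM)
    return True, None


if __name__ == "__main__":
    # Constructed sample: customer 4711 still has a legacy {SHA} credential.
    legacy = encode("s3cret", 4711, "SHA")
    ok, upgraded = check_and_upgrade("s3cret", 4711, legacy)
    print(legacy, "->", ok, upgraded)
```

Two behaviours worth noticing when running it: a prefix-less value is validated with defaultAlgorithm and, because the negated pattern also matches it, is upgraded on the same check; and for the unsalted SHA form the customer ID takes part in the hash, so the same password hashed for two customers yields two different values even without a random salt.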