<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 02:59:44 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-2360] Add a stronger password authentication scheme (replace md5 with sha?)</title>
                <link>https://jira.mongodb.org/browse/SERVER-2360</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Add a stronger authentication scheme, ideally something certificate-based. The current protocol for password authentication using Md5 looks reversible via rainbow (not confirmed).&lt;/p&gt;</description>
                <environment></environment>
        <key id="14222">SERVER-2360</key>
            <summary>Add a stronger password authentication scheme (replace md5 with sha?)</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="andreas.nilsson">Andreas Nilsson</assignee>
                                    <reporter username="dblock">Daniel Doubrovkine</reporter>
                        <labels>
                    </labels>
                <created>Fri, 14 Jan 2011 17:37:05 +0000</created>
                <updated>Tue, 12 Jul 2016 00:19:32 +0000</updated>
                            <resolved>Fri, 12 Sep 2014 15:29:34 +0000</resolved>
                                                    <fixVersion>2.7.7</fixVersion>
                                    <component>Security</component>
                                        <votes>6</votes>
                                    <watches>23</watches>
                                                                                                                <comments>
                            <comment id="259911" author="janpaul" created="Thu, 7 Feb 2013 11:52:05 +0000"  >&lt;p&gt;I agree with Tim ^&lt;/p&gt;

&lt;p&gt;md5 and sha1 are designed to be quick, which is just what many cracking methods rely upon and as such should be avoided.&lt;/p&gt;

&lt;p&gt;My 2p worth:&lt;/p&gt;

&lt;p&gt;A minimum length should be imposed to increase entropy.&lt;br/&gt;
Key stretching should be implemented to slow down cracking techniques.&lt;br/&gt;
A unique (and long) salt per database would also be advisable, at the moment it is username + &quot;:mongo:&quot; + pwd.  The &quot;:mongo:&quot; part should be different per database.&lt;/p&gt;


</comment>
                            <comment id="216812" author="davec" created="Mon, 17 Dec 2012 02:42:00 +0000"  >&lt;p&gt;David - regarding Keccak, this is a case where &quot;leading edge&quot; and &quot;compliance&quot; don&apos;t go hand in hand.  This algorithm is so new that I don&apos;t know that there are any implementations that have been certified as compliant.&lt;/p&gt;

&lt;p&gt;Daniel - yes, indeed, the server needs to use an implementation that has been FIPS certified, like those in the OpenSSL libraries.  Drivers also need to be able to use a FIPS compliant algorithm.  On Windows, for example, the .NET driver complies with the OS settings for FIPS compliance and will disable non-compliant algorithms, which aids in proving certification.&lt;/p&gt;</comment>
                            <comment id="216790" author="dblock" created="Mon, 17 Dec 2012 02:03:33 +0000"  >&lt;p&gt;I&apos;ve dealt with US govt and FIPS for many years. This is not just about the algorithm; even if you use one of the algos on that list, you still need to prove that you&apos;re actually using the correct implementation, so the entire encryption infrastructure needs to be FIPS-certified. If you&apos;re going to use OpenSSL, read &lt;a href=&quot;http://www.openssl.org/docs/fips/fipsnotes.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://www.openssl.org/docs/fips/fipsnotes.html&lt;/a&gt;, and find a way to selectively compile with the OpenSSL FIPS Object Module.&lt;/p&gt;</comment>
                            <comment id="216706" author="david.hows" created="Sun, 16 Dec 2012 23:34:10 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=davec&quot; class=&quot;user-hover&quot; rel=&quot;davec&quot;&gt;davec&lt;/a&gt; while it&apos;s not listed, do you know if SHA-3 (Keccak) would be suitable? The algorithm was selected in October when the testing finished and I can&apos;t tell if it has made it to the list of approved algos in the toolkit you linked.&lt;/p&gt;</comment>
                            <comment id="216626" author="davec" created="Sun, 16 Dec 2012 21:00:58 +0000"  >&lt;p&gt;Whatever is chosen, please ensure it falls on the list of FIPS-140 compliant algorithms.  This is crucial for many federal government projects.  HMAC+SHA256 would be great.  PBKDF2 on top of that, even better.  BCRYPT, while excellent, is not FIPS compliant.&lt;/p&gt;

&lt;p&gt;From my comments in (related duplicate) &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-6977&quot; title=&quot;Support for alternative hashing algorithm for authentication&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-6977&quot;&gt;&lt;del&gt;SERVER-6977&lt;/del&gt;&lt;/a&gt;:&lt;br/&gt;
MD5 is not an approved algorithm for the Federal Information Processing Standards, however, FIPS-140 compliance is a requirement for many federal government software projects.  A list of approved algorithms may be found here:&lt;br/&gt;
&lt;a href=&quot;http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="216433" author="kuijsten" created="Sun, 16 Dec 2012 14:48:54 +0000"  >&lt;p&gt;I would suggest bcrypt over sha, since bcrypt is much slower than sha and that is exactly what you want in a password hashing scheme. Above that it&apos;s also adaptive, which plain sha is not.&lt;/p&gt;

&lt;p&gt;See &lt;a href=&quot;http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt&lt;/a&gt; and the links I gave above.&lt;/p&gt;

</comment>
                            <comment id="135016" author="kuijsten" created="Wed, 20 Jun 2012 22:26:50 +0000"  >&lt;p&gt;Actually, neither MD5 nor SHA1 are safe these days. Even with salts, attacks are only a matter of seconds with any random 7 character password and some generic GPU hardware.&lt;/p&gt;

&lt;p&gt;The current hashes are easily reversed once in bad hands. And although the data won&apos;t be protected by it, it would be nice if the used password were not reversible and did not leak.&lt;/p&gt;

&lt;p&gt;References:&lt;br/&gt;
&lt;a href=&quot;http://codahale.com/how-to-safely-store-a-password/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://codahale.com/how-to-safely-store-a-password/&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;http://throwingfire.com/storing-passwords-securely/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://throwingfire.com/storing-passwords-securely/&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;http://blog.jgc.org/2012/06/one-way-to-fix-your-rubbish-password.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://blog.jgc.org/2012/06/one-way-to-fix-your-rubbish-password.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;edit:&lt;br/&gt;
&quot;all 7 character password MD5s in 1 hour, 14 minutes with two ATI Radeon 7970 cards using the full range of a common US keyboard &#8211; that is, including uppercase, lowercase, numbers, and all possible symbols&quot;&lt;br/&gt;
&lt;a href=&quot;http://www.codinghorror.com/blog/2012/04/speed-hashing.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://www.codinghorror.com/blog/2012/04/speed-hashing.html&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="38666" author="dwight_10gen" created="Wed, 22 Jun 2011 06:13:10 +0000"  >&lt;p&gt;a min pwd length would be good too&lt;/p&gt;</comment>
                            <comment id="38665" author="dwight_10gen" created="Wed, 22 Jun 2011 06:10:43 +0000"  >&lt;p&gt;the digests are salted, so rainbow should not work well.&lt;/p&gt;

&lt;p&gt;this does bring to mind one improvement: system.users pwd field should be made unreadable, for non-admins at a minimum, before this ticket is closed.  I think the cleanest way is to simply make that ns not queryable, period, by non-admins; otherwise it is a bit trickier to implement.&lt;/p&gt;</comment>
                            <comment id="22359" author="dblock" created="Fri, 14 Jan 2011 17:39:28 +0000"  >&lt;p&gt;Note that maybe with an SSL implementation with &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-524&quot; title=&quot;Encryption of wire protocol with SSL&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-524&quot;&gt;&lt;del&gt;SERVER-524&lt;/del&gt;&lt;/a&gt; Mongo could do mutual SSL auth instead of needing to have the concept of user/password in the database itself (the latter is not too useful for security since it just segregates r/w).&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                        <issuelink>
            <issuekey id="56238">SERVER-7648</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10020">
                    <name>Gantt Dependency</name>
                                            <outwardlinks description="has to be done before">
                                        <issuelink>
            <issuekey id="50709">CSHARP-573</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="69271">SERVER-9058</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="55680">SERVER-7596</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>10.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 22 Jun 2011 06:10:43 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        11 years, 1 week, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>PM-3</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            11 years, 1 week, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>andreas.nilsson</customfieldvalue>
            <customfieldvalue>dblock</customfieldvalue>
            <customfieldvalue>davec</customfieldvalue>
            <customfieldvalue>david.hows</customfieldvalue>
            <customfieldvalue>dwight@mongodb.com</customfieldvalue>
            <customfieldvalue>janpaul</customfieldvalue>
            <customfieldvalue>kuijsten</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrp8lb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrfnnb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3695</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrnva7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>