16.6.2. Configure Secure Remote Password (SRP) Protocol
To use the Secure Remote Password (SRP) protocol in your application, you first create an MBean that makes an implementation of the SRPVerifierStore interface available to the SRP service. The interface and the VerifierInfo object it returns are described below in The SRPVerifierStore Implementation.
Procedure 16.5. Integrate the Existing Password Store
1. Create the hashed password information store.
   An SRP verifier can only be computed from the user's clear-text password, so an existing store of irreversible password hashes cannot be converted in bulk: if your passwords are already stored in an irreversible hashed form, you need to create the verifier information on a per-user basis, at a point where the clear-text password is available (for example, at the next password change). You can implement setUserVerifier(String, VerifierInfo) as a no-op method, or as a method that throws an exception stating that the store is read-only.
2. Create the SRPVerifierStore implementation.
   Create a custom SRPVerifierStore implementation that obtains the VerifierInfo for a user from the store you created. The verifyUserChallenge(String, Object) method can be used to integrate an existing hardware-token-based scheme such as SafeWord or RADIUS into the SRP authentication. This method is called only when the client SRPLoginModule configuration specifies the hasAuxChallenge option.
3. Create the JNDI MBean.
   Create an MBean that binds the SRPVerifierStore implementation into JNDI and exposes any configurable parameters it requires. The default org.jboss.security.srp.SRPVerifierStoreService lets you do this. You can also implement the MBean using a Java properties file implementation of SRPVerifierStore.
The SRPVerifierStore Implementation
The default implementation of the SRPVerifierStore interface is not recommended for production systems, because it requires all password verifier information to be available as a file of serialized objects.
The SRPVerifierStore implementation provides access to the SRPVerifierStore.VerifierInfo object for a given username. The getUserVerifier(String) method is called by the SRPService at the start of a user's SRP session to obtain the parameters needed by the SRP algorithm.
Elements of a VerifierInfo Object
- username
- The username or user ID used to authenticate.
- verifier
- A one-way value derived from the password the user enters as proof of identity. The org.jboss.security.Util class includes a calculateVerifier method that performs this computation. Following RFC 2945, the private key is x = H(salt | H(username | ':' | password)), where H is the SHA-1 secure hash function, and the stored verifier is v = g^x mod N. The username is converted from a string to a byte[] using UTF-8 encoding. Only v is stored; x itself is never written to the store, so a compromised verifier database does not directly yield the SRP private key.
- salt
- A random number used to increase the difficulty of a brute-force dictionary attack on the verifier database in the event that the database is compromised. The value should be generated from a cryptographically strong random number generator when the user's existing clear-text password is hashed, and a fresh salt should be drawn for each user.
- g
- The SRP algorithm primitive generator. This can be a well-known fixed parameter rather than a per-user setting. The org.jboss.security.srp.SRPConf utility class provides several settings for g, including a suitable default obtained via SRPConf.getDefaultParams().g().
- N
- The SRP algorithm safe-prime modulus. This can be a well-known fixed parameter rather than a per-user setting. The org.jboss.security.srp.SRPConf utility class provides several settings for N, including a good default obtained via SRPConf.getDefaultParams().N(). The client and server must use the same g and N, which is why both are carried in the VerifierInfo.
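As an added example (not code from the JBoss documentation or the JBoss source), the following Python sketch carries the three steps of Procedure 16.5 and the VerifierInfo fields listed above into runnable form: it computes x and the verifier v exactly as RFC 2945 defines them, enrolls users with a fresh random salt, and serves the result from a read-only store whose setUserVerifier rejects writes and whose verifyUserChallenge delegates to a token check (the hasAuxChallenge hook). The group parameters are the 1024-bit group from RFC 5054 Appendix A with g = 2, chosen only because they are public; that choice is an assumption, and SRPConf.getDefaultParams() may ship a different N and g. The users, passwords and the one-time code accepted by the token checker are constructed sample data.

```python
"""Added example (not JBoss code): computing an RFC 2945 SRP verifier and
serving it from a read-only verifier store, mirroring the three-step
procedure and the VerifierInfo fields described on this page."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Group parameters. Assumption: the 1024-bit group from RFC 5054 Appendix A
# (g = 2) is used because it is public and well known; JBoss's
# SRPConf.getDefaultParams() may ship a different N and g. Whatever group
# is chosen is stored alongside the verifier so client and server agree.
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
G = 2


def _h(*parts: bytes) -> bytes:
    """H from RFC 2945: SHA-1 over the concatenation of its inputs."""
    return hashlib.sha1(b"".join(parts)).digest()


def private_key_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username | ':' | password)), with username and
    password UTF-8 encoded as the page specifies for the username."""
    inner = _h(username.encode("utf-8"), b":", password.encode("utf-8"))
    return int.from_bytes(_h(salt, inner), "big")


def calculate_verifier(salt: bytes, username: str, password: str,
                       g: int = G, n: int = N) -> int:
    """v = g^x mod N. Only v is stored; x is discarded, so a stolen
    verifier database yields neither the password nor the SRP private key."""
    return pow(g, private_key_x(salt, username, password), n)


def _to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


@dataclass(frozen=True)
class VerifierInfo:
    """The five fields the page lists for SRPVerifierStore.VerifierInfo."""
    username: str
    verifier: bytes
    salt: bytes
    g: bytes
    N: bytes


def enroll(username: str, password: str, salt_len: int = 16) -> VerifierInfo:
    """Run once per user while the clear-text password is available (for
    example at password change): draw a fresh random salt and compute the
    verifier. This is the step that cannot be done in bulk from an existing
    one-way password hash."""
    salt = secrets.token_bytes(salt_len)  # cryptographically strong salt
    v = calculate_verifier(salt, username, password)
    return VerifierInfo(username, _to_bytes(v), salt, _to_bytes(G), _to_bytes(N))


class ReadOnlyVerifierStore:
    """Stand-in for a custom SRPVerifierStore: get_user_verifier reads the
    enrolled record, set_user_verifier rejects writes, verify_user_challenge
    delegates to an optional token checker (the hasAuxChallenge hook)."""

    def __init__(self, records: Dict[str, VerifierInfo],
                 token_check: Optional[Callable[[str, object], bool]] = None):
        self._records = dict(records)
        self._token_check = token_check

    def get_user_verifier(self, username: str) -> VerifierInfo:
        # Called by the server at the start of each SRP session.
        if username not in self._records:
            raise KeyError(f"no verifier for user {username!r}")
        return self._records[username]

    def set_user_verifier(self, username: str, info: VerifierInfo) -> None:
        raise PermissionError("verifier store is read-only")

    def verify_user_challenge(self, username: str, aux_challenge: object) -> bool:
        # Only reached when the client sends an auxiliary challenge.
        if self._token_check is None:
            return False
        return self._token_check(username, aux_challenge)


def build_demo_store() -> ReadOnlyVerifierStore:
    """Constructed sample data: two users and a toy token checker that
    accepts one fixed one-time code (a real deployment would call a
    RADIUS or SafeWord backend here instead)."""
    records = {u: enroll(u, p) for u, p in (("alice", "correct horse"),
                                             ("bob", "battery staple"))}
    return ReadOnlyVerifierStore(
        records, token_check=lambda user, code: user == "alice" and code == "123456")
```

The store never sees x or the password after enrollment; a server that later needs to rotate N or g has to re-enroll every user, because v is bound to the group it was computed in. That is also why a legacy table of MD5 or SHA password hashes cannot be migrated in one pass: nothing in such a table lets you recompute H(salt | H(username | ':' | password)), so the conversion happens per user, exactly as step 1 of the procedure states.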
Example 16.15. The SRPVerifierStore Interface