0

How to avoid plain-text passwords storage on server with ALLJOYN_SRP_LOGON mechanism

asked 2015-05-12 02:44:21 -0700

hashok gravatar image

Hi,

As I understand, in order for the AJ server to employ user name/password authentication mechanism (ALLJOYN_SRP_LOGON) it is required to know, and thus to store, plain text user names and passwords on server which is a bad practice. Based on Credentials class description, it is necessary to provide UserName and Password directly during authentication process (in RequestCredentials callback).

The question - how it is possible to avoid plain-text passwords storage on server side in AJ?

There is a Credentials::SetLogonEntry() method available, but there is no any single usage example and I'm also not sure if it solves the issue, because some of N:g:s:v parameters seems to be session-specific (salt?) and also can not be permanently stored.

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-05-17 03:49:17 -0700

praveenb gravatar image

You're correct that username and password are provided directly via RequestCredentials callback. But this doesn't necessarily require that usernames and passwords have to be stored in plain-text.

An application can prompt the user for the password during authentication, for instance. This avoids having to store the password.

If the application doesn't want to repeatedly prompt the user for usernames and passwords repeatedly, it would have to store them in which ever secure manner it prefers (for eg. KeyChain API on Android). Different operating systems have ways to store credentials securely for Applications. Any of them can be used. All the application needs to do is to retrieve and supply them when RequestCredentials callback is invoked.

AllJoyn simply does not require that usernames and passwords are stored in plaintext.

edit flag offensive delete publish link more
Login/Signup to Answer

Question Tools

Follow
1 follower

Stats

Asked: 2015-05-12 02:44:21 -0700

Seen: 41 times

Last updated: May 17 '15