[rabbitmq-discuss] Password Hashing
Simon MacMullen
simon at rabbitmq.com
Tue May 10 11:06:34 BST 2011
On 09/05/11 17:44, Denny, Peet (London)(c) wrote:
> Hi,
> The REST api documentation says that we can create users with a hashed
> password instead of one in clear text.
> An individual user. To PUT a user, you will need a body looking
> something like this:
>
> ... {"password_hash":"2lmoth8l4H0DViLaK9Fxi6l9ds8=", "administrator":true}
>
> This suggests that there is a hashing library somewhere for us to use to achieve this.
> Is that the case?
Hi Danny. My expectation in writing that documentation was that people
would use a password hash from a user they'd already done a GET on, or
set it to "" to lock the account. So there's no library apart from the
server implementation, starting at
rabbit_auth_backend_internal:hash_password/1:
http://hg.rabbitmq.com/rabbitmq-server/file/df7aa5d114ae/src/rabbit_auth_backend_internal.erl#l204
However, the algorithm is quite simple if you want to implement it
yourself. Here's a worked example:
Generate a random 32 bit salt:
CA D5 08 9B
Concatenate that with the UTF-8 representation of the password (in this
case "simon"):
CA D5 08 9B 73 69 6D 6F 6E
Take the MD5 hash:
CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
Concatenate the salt again:
CA D5 08 9B CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
And convert to base64 encoding:
ytUIm8s3AnKsXQjptplKFytfVxI=
Cheers, Simon
--
Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware
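The four steps Simon lists above (random 32-bit salt, salt + UTF-8 password, MD5, salt + digest, base64) implemented in Python, together with the verification step a server performs when checking a supplied password against a stored hash. This is an added example, not code from the original post or from the RabbitMQ project; the function names `hash_password` and `verify_password` are the author's own. It reproduces the legacy MD5-based scheme described in this 2011 message; later RabbitMQ releases default to a SHA-256 variant of the same salt-then-hash layout.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4      # RabbitMQ's legacy scheme uses a 32-bit salt
DIGEST_LEN = 16   # MD5 produces a 16-byte digest


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the base64 string the legacy internal backend stores.

    Layout of the decoded value: salt (4 bytes) || MD5(salt || utf8(password)).
    A salt may be supplied to reproduce a known value; otherwise a fresh
    random one is drawn from the OS.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate password against a stored hash.

    The salt is recovered from the first 4 decoded bytes and the digest is
    recomputed.  An empty stored value (the "lock the account" case from the
    message above) or anything that is not a well-formed 20-byte value never
    verifies.  The digest comparison is constant-time.
    """
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) != SALT_LEN + DIGEST_LEN:
        return False
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    expected = hashlib.md5(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Reproduce the worked example from the message: salt CA D5 08 9B, password "simon".
    known_salt = bytes.fromhex("cad5089b")
    print(hash_password("simon", known_salt))        # ytUIm8s3AnKsXQjptplKFytfVxI=
    print(verify_password(hash_password("simon", known_salt), "simon"))   # True
    print(verify_password(hash_password("simon", known_salt), "Simon"))   # False
    print(verify_password("", "simon"))                                   # False (locked)
```

Because the salt is stored in the clear in front of the digest, `verify_password` needs no secret of its own; the salt only serves to make identical passwords hash differently across users.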