|
|
|
|
|
- Overview
- Defining a password item in the data model editor
- Defining a password item dynamically (through programming)
- Defining a password item via a query
- Handling an item of type Password
- Comparisons
Type of item: Secure password
Available only with these kinds of connection
"Password" items are used to securely store passwords by using a salt and a hash algorithm. The principle is very simple: - The user provides a password in the form of a string.
- You store this string in a "Password" item.
- The HFSQL engine adds security layers. The password (i.e. the string) is salted and hashed, and the result of these processes will be stored in the data file.
- Salting consists in adding a random string (salt) to the provided string.
- The result is then hashed.
HFSQL stores only the following elements in the data file: - the salt used,
- the hash result,
- the type of algorithm used.
With this data, it becomes impossible to reconstruct the original string. Data is therefore securely stored. To check a password, simply compare the value entered by the user with the contents of the Password item. HFSQL will run the same processes as those used to store the data. Then, it will compare the new result with the stored result. To use this type of item in your existing projects: - in the analysis associated with your project, change the type of item used to store passwords. The "Text" item becomes a "Password" item.
- update your data via automatic data modification. The automatic data modification will salt and hash the string in the item.
- if necessary, make some adjustments in your code. To check a password, simply compare the HFSQL item with a string. For example, the code will be:
IF EDT_Password = LoginCredentials.Password THEN // Password OK ELSE // Wrong password END
Defining a password item in the data model editor To create a Password item in the data model editor: - Create a new item in the description window of the data file items ("Description of items" in the context menu of the data file in the data model editor).
- Select the "Password" type.
- Indicate the different options of the item:
- Derivation function used for the hash.
- Hash algorithm used for the salt.
- Number of Iterations: number of hash iterations. It is recommended to set a value between 10,000 and 30,000.
- Result length (bits): Hash output length. The key (expressed in bits) must be a multiple of 8, greater than 160 bits and less than 2048 bits. It is recommended to use a 256 or 512-bit key.
- Validate.
Remark: These operations can also be performed on an existing text item to convert it to a "Password" item. Defining a password item dynamically (through programming) To describe an item through programming, you must use a variable of type "Item Description". The description of an item is validated by HDescribeItem. To describe a "Password" item: - Declare a variable of type Item Description.
- Describe the item using different properties (for more details, see Item Description).
- Use the properties specific to the description of a "Password" item:
- The Type property must be set to hItemSecurePassword.
- The spDerivation property is used to define the key derivation function used for the hash.
- The spHash property is used to define the salting algorithm.
- The spIterationCount property is used to define the number of iterations of the hash algorithm.
- The spLength property is used to define the hash output length.
- Validate the description of each item (HDescribeItem).
Defining a password item via a query To define a password item in a table via an SQL query, it is necessary to execute an "ALTER TABLE" query with the SECUREPASSWORD parameter . Reminder: The ALTER TABLE statement is used to create or change the structure of an existing table. Example: Query to add an item: ALTER TABLE test2 ADD spTest2 SECUREPASSWORD Example: Query to change the type of an item: ALTER TABLE test2 ALTER text TYPE SECUREPASSWORD Handling an item of type Password The use of a Password item has specific implications: - Automatic data modification: A Text item can be converted to a Password item, but a Password item cannot be converted to another type.
- NULL is allowed in Password items.
- An item containing an empty string ("") will be hashed then salted.
- Queries are supported on data files containing Password items. The item is read-only and doesn't support any specific operations. The following operations are supported:
- equality, difference,
- NULL, COUNT, IN, STRINGDECODE, CASE, NULLIF
- Import: You can import JSON, text, XML and XLS strings into a Password item. The string will be automatically hashed and salted.
- Export:
- Export to CSV, XLS: the Password item is represented by the "*****" string.
- Export to JSON, XML: the Password item is not exported.
- You cannot define a password item as key (or index).
- The value of a password item cannot be displayed. In arrays, it will automatically be replaced by "*****".
- The default values are as follows:
- PBKDF2
- SHA2_256
- Number of Iterations : 20 000
- Output length : 256
Comparisons A Password item can only be compared with a string. It is not possible to compare two Password items Example: // Compare a Password item with a string LoginCredentials.Password = "hello" IF NOT HAdd(LoginCredentials) THEN Trace(HErrorInfo()) END Â HReadFirst(LoginCredentials) IF LoginCredentials.Password = "hello" THEN Trace("Password OK") ELSE Trace("The passwords do not match") END
Example of wrong code: // You cannot compare an item // of type Password with a variable of type password  oSP is SecurePassword oSP.Hash = MDPS_SHA2_256 oSP.IterationCount = 10000 oSP.Size = 256 oSP = "hello"  LoginCredentials.Password = "hello" IF NOT HAdd(LoginCredentials) THEN Trace(HErrorInfo()) END  HReadFirst(LoginCredentials) IF LoginCredentials.Password = oSP THEN Trace("Password OK") ELSE Trace("The passwords do not match") END
This page is also available for…
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|