#22972 Argon2 encryption of password hashes

Enhancement

Critical

#9000

Modular wrapper implementations

#22762

Graphical evaluations for model-based search

#22763

App2App communication with structures

#22800

Model-based search: Search for correlations

#22920

Tile layout

#22987

Reactive forms

#23188

TL script: Html macros

Major

#20949

Update charts flicker-free

#22774

Model-based search: Multiple Boolean operators per filter expression

#22805

tl.core: New primitive type 'DateTime

#22844

Configurable options for selections in the model

#22910

Multi-upload

#22965

Column configuration at attribute(type)

#22972

Argon2 encryption of password hashes

#22973

Selectable "precision" of drop operations

#22981

Tables as drop target

#22990

Administrable login messages for confirmation after login

#22991

Any components as drop target

#22996

Friendlier display of errors communicated via `TopLogicException`.

#23013

WYSIWYG editor: text color, font, hyperlinks, references to TL subject objects, source code

#23014

Script recorder: multi-user script execution

#23056

Search expressions: 3-valued if-function, negative number literals

#23057

Declare deletion conditions on the model

#23109

Calculated attributes via TL script

#23110

TL-Model data types for I18N

#23112

Mapping for the transfer of values using TLSync

#23126

Model attributes with configuration type

#23128

TL-Model data type for icons

#23156

Flexibilization of the RiskItemHolder implementation

#23170

"Reasonable" resource keys for model elements

#23173

TL-Model Data Types for Java Enum Types

#23184

TL-Script: Plug-ins into the evaluation engine

#23318

Generic instance admin

#23371

TLScript: Create objects

#23382

TLScript: Local variables and function call

#23385

TLScript: Reduce operation

#23398

New blocking concept

#23421

Accessor via search expressions

#23440

Handling of structures without displayed root node

#23548

Tables: Custom tooltips for column labels

#23684

TLScript: Date values and formats

Detail

#21144

Evaluation by classification lists: separate not set and empty results

#21680

Customizations of commands in the Burger menu

#22661

Small stuff that has arisen in the context of the Kafka scheme management

#22747

Table for generic objects

#22779

XMLInstanceImporter': application-defined primitive types

#22782

Migration simplification for #22765

#22788

Remove MetaAttribute, MetaElement and Attributed

#22789

New chart type "Interval bar

#22797

Path navigation for schedule line functions in flexible reporting

#22818

List display of a select field

#22829

Time as selection dialog

#22858

Gantt chart: Overlap-free representation of milestones

#22879

Render arbitrary fragments as toolbar titles

#22880

Theme-specific layout transformation

#22881

Opening the `LayoutControl` hierarchy

#22882

Simplify `ViewConfiguration` API

#22888

Simplify `CommandModelConfiguration` API

#22901

Implementation of an IconChooser

#22909

Dynamically generate attribute fragment content

#22912

Utility to open a popup at the mouse position

#22916

Exception of modules from the tag process

#22919

Use of special ResourceProviders for milestones

#22926

Help-ID instead of `InfoComponent

#22940

Allow milestone creation in schedule

#22964

Add IconChooser to the model

#22968

Textual input at IconChooser

#22975

Setter for NamedConfiguration#getName()

#22976

Tiny improvements that have arisen in the context of EPP

#22980

Thin out BoundChecker

#23004

Constraints on the layout configuration

#23009

Make MilestoneFormContextModificator compatible with transient lines

#23024

Add option to read config file as JNDI Entry

#23036

Style sheet for attributes of subject objects

#23039

Table and tree without default selection

#23045

Renderer to display an icon

#23046

Tabular display of cumulative attribute values in a tree structure

#23048

Command to switch to another MainLayout

#23052

Selection of a date without input field

#23065

Gantt chart: color change per row group instead of per row

#23067

Selectable use of the component model for form JSP's

#23070

Literal resource keys

#23072

Resource key literals in search expressions

#23076

Work breakdown structure update: do not hard code component name

#23080

Transfer new tree-based milestone maintenance from Prime to POS

#23083

Help button in the toolbar is to be placed in its own group

#23087

External links in the tool row and side bar

#23095

StructuredElement: Defaults for all "subject methods

#23099

Dependency that only one of several fields may be filled

#23108

Search expressions: Implicit flat map semantics from .get(...) to collections

#23123

Documentation for the textual language of search expressions

#23129

Configuration option for the context/target object of a CommandHandler

#23135

Creation of a document tile

#23137

TL-Model data type for TL-Script expressions

#23139

Add IssueChartListModelBuilder as already available for risks and acitivities

#23145

Static and default methods in ConfigurationItem

#23148

Tiny improvements that have occurred as part of EPP (2)

#23154

IndexedObjectNaming: allow null values as part of the key

#23158

Intrinsic component commands via configuration

#23161

ListModelBuilder via search expressions

#23164

Introduce tile preview for charts

#23171

Transfer permissions for the new milestone management from Prime to POS

#23187

Consistent view mode representation between SelectControl and SelectionControl

#23191

TagWriter: Consistent semantics of `writeText()` and `append()`

#23193

Creating an ImageControl with specification of a CSS class

#23210

LayoutComponent configuration should know additional command groups

#23213

Generic ModelName for an aspect of an object

#23217

New theme: Glossy

#23218

Remove BoundComponent.useSecurityOfDialogParent

#23221

Utilities for group membership

#23230

Label and ResourceProvider for TabbedLayoutComponent, LayoutComponent and ComponentTile and other small things

#23257

Export command should become configurable in GanttExport dialog

#23319

Use Create functionality independently from `AbstractCreateCommandHandler

#23327

Additional model identifier for LabeledButton Actions

#23329

Automatically restore last view before logout

#23330

Record more than one action

#23334

Configurable size of the IconChooser

#23336

Layout structure change for TabComponent

#23341

Layout structure change for AssistantComponent

#23359

Updating the database server of the test environments of TL-Project and TL-Board

#23360

Model-based search: customizing types based on their module names

#23366

Display disable icon font buttons in toolbar grayed out

#23367

Edit annotations of types even if instances already exist

#23374

Listener to the children of a LayoutList

#23394

GridComponent: make technical column a config option

#23399

Format to specify time periods in milliseconds human readable in configurations.

#23402

Default accessor for 'ReflectionInstanceAccessor

#23406

The TLClass "Tag" should have a reference to the tagged object

#23411

TopLogicException: specify error details more easily

#23416

Monitor for the ClusterManager

#23419

TL-Script: List access

#23436

ResKey: Transfer message arguments to subkeys

#23438

Make WebFolderUIFactory a module

#23439

Dialog opener: configure model `target` for opener command

#23441

Dump download functionality

#23444

Offer download without store and forward from the application

#23453

TL script: Singleton literals

#23454

Configuration for update after model change

#23459

configuration option `showNoModel` in `EditAttributedComponent`

#23463

Replace HTMLTree with TreeComponent

#23495

Executability rule for security delegation

#23501

Remove RiskItem.originalID

#23503

Refactoring: Use TL6 API instead of TL5 API for ProjectElement creation from templates

#23514

SSL encryption for DB connections

#23521

TL-Script: concat() & subList()

#23522

TL Script: add()

#23546

The results of tasks should be written to the application log.

#23569

Enabling discrete values - partitions for number-valued attributes in search evaluation

#23571

Graph binding: Edge builder for simple reference relationships

#23588

ModelNamingScheme that records objects by their label

#23621

Change Label and ResourceProviderRegistry to typed configuration

#23639

Creating new IDs during data migration

#23641

Saving evaluations of the model-based search

#23661

TL Script: Compatibility with legacy enum constant names

#23665

Declarative Forms: Set property annotations also at the property type

#23666

TL Script: Always display scripts in forumlars with multiline input

#23674

TLScript: Semantic for Arithmetic with `null`

#23675

TLScript: Comparison of list values with single elements

Nice to have

#23106

Enable Drag&Drop in ScriptRecorder

#23155

Better possibility to close a dialogue programmatically

#23482

Open any dialogs

#23608

ResKey: Introduce method "resKey.fallback(resKey)

#23650

Unify dialogs for saving a search query or evaluation

#23668

Remove DublinCore as superclass from Person

#23698

Instantiate PopupCommand using lambda expression

Bugfix

Major

#21786

Column filter not completely visible

#22776

Model-based search: The "most important" attributes `parent` and `children` are hidden

#22955

TreeComponent: Incorrect display when root node is hidden

#23146

Model-based search: (date) comparison returns errors

#23339

SelectFields may not be displayed in view mode

#23356

Model-based search: string comparison returns errors

#23435

Create GUI for attributes of subject object types allows invalid attribute names

#23485

Table column filter after hiding the column is not reset

#23667

TL script: Changing a script for calculated attributes has no effect without restarting

Detail

#20239

GridComponent: The transition between the transient NewObject and the new persistent Object is not propagated as modelSelectedEvent

#22656

Eclipse TagLib code support in JSPs no longer works

#22658

No value filter in flat tables does not count

#22807

Search queries with references back to context values cannot be saved

#22852

CSS class in `ColumnConfig` is configured with the `class` attribute

#22890

Active dialog opener for types without defaultFor in the grid

#22935

Words with umlauts are not found in the online help

#22952

(Old) MTA does not work if 2 (or more) milestones with the same name exist

#22958

IntegerInputControl: Rendering problems in grids

#22970

Fix TL Build Errors for wrong class comments and headers in POS

#22982

Scroller retention in forms with "form:form" does not work

#23021

You cannot create fields marked as changed in FormTableModel

#23043

Tooltips for disabled commands are not displayed in MS Edge

#23061

In the Modern theme, a text size is set in <strong>.

#23091

The class BeaconSupport casts to FastListElement without checking

#23252

Schedule does not respond to creation of project milestones

#23266

Milestone icons are no longer displayed correctly

#23283

In the GOTO, the wrong object may be checked for security.

#23294

Error when creating a milestone in filtered tree grid

#23307

Failure to restore recorded global selections in TableData

#23310

TestCreateDemoData creates invalid milestone

#23317

Dialog opener shows "No authorization" if model not supported

#23322

View online help shows outdated configuration

#23324

Truncated texts in person and company admin tables are not added when columns are manually widened

#23363

(Unique) translations for (table) types displayed in search

#23380

EWE history does not show deleted people correctly

#23412

Missing backgrounds in ImageLinkButtonRenderer

#23456

Incorrect absolute URL when deploying with facade

#23479

Gantt Chart: Label background color different from row background

#23496

Incomplete use of the viewport in Gantt charts

#23523

Unintuitive axis labeling in memory trend

#23541

Schedule: Error when creating new milestones in tile layout

#23584

Kachel Cockpit: In Sidebar Layout font size in breadcrumb menu too small

#23601

Delete nonsensical overrides of LayoutComponent.isDefaultFor(...)

#23604

MTA: Legend in PPT export shows wrong labels

#23642

Checkboxes are marked as mandatory fields

#23656

TL script: Number `0.0` cannot be parsed

#23662

TL script: Error when transforming compare operators

#23696

SelectTextControl renders only the label text

#23716

Report administration: upload of own templates no longer possible

Task

Detail

#10391

Version number maintenance in TL-Project

Enhancement

Major

#22972

Argon2 encryption of password hashes

SecurityIssue

Sorry, this is going to be a little novel, but I just want to put what I have learned somewhere:

TLDR;

In coordination with BHU, the current conclusion is to do without encryption, to store the passwords with salt+hash and to provide an opitonal "pepper" in the application configuration, with which one can restrict password hashes to the respective instance. The security gain of this option is questionable, so it would be disabled by default. Pwd hashes would thus be interchangeable among Top Logic instances, which would facilitate data sharing and infrastructure measures.

Lessons learned along the way:

Currently, user passwords of locally administered users are (hopefully) hashed and these hashes are then symmetrically encrypted with a key dynamically generated on the server (at first server startup). If the key is found in the file system at the next server start and successfully read, it will continue to be used, otherwise a new one will be generated.

So far so good - this makes Brutforce attacks or the use of Rainbow Tables more difficult. In particular, however, it is also not possible to simply copy the hash of a known password from one Top-Logic instance to another at database level in order to transfer the password. This additional encryption of the password hashes with a server-locally generated key can therefore possibly be used to argue for an additional security gain.

However, this is also kind of annoying, because you can't just deliver a root password or copy the data back and forth between different environments. Therefore this key was regularly delivered and deployed as "keyPair_signature.key". This destroys the previously described security gain, because now all instances use the same key again and the hashes become transferable.

Even worse: You *have* to deliver this keyfile, because a dynamically generated keyfile would be stored on the server in WEB-INF/database/keys and would be deleted with every new deployment and would have to be generated again: The stored password hashes would become invalid with every deployment.

This could also explain tickets about not working root passwords, if e.g. PROD data was copied to QS or simply redeployed.

Unfortunately, this (delivered) key is stored in the mentioned file as a serialized Java object. In the case of Prime / MPM, this no longer works with Websphere Liberty at the latest, because IBM JVM 8 cannot read in a key file serialized with Oracle/Sun.

So a problem arises now whenever the data (including stored password hashes) is to be transferred from one environment to another and the key we deliver does not work: The new environment would then use its own (new) key and thus could not decrypt the already stored password hashes. Therefore, the key of the previous instance would have to be transferred to the new installation:

There is no standardized way to do this. This key is stored on the application server under web-inf/database/keys and cannot simply be read out. It would have to be copied manually to the new instance. This is difficult to organize for customer installations.

Unfortunately, this key was stored as a serialized Java object, so even if you copy the file to the new environment, there is no guarantee that it can be deserialized with the new JVM.

Specifically, there is only one strategy for moving Prime and MPM to Websphere Liberty:

We provide a key file (as a serialized Java object) for the target environment IBM JVM 8 and deliver a suitable hash for the root password as part of the data migration. With this you can log in as root after the migration and then you have to reset the passwords of all other database users. Disadvantage: If we include the key file, the same key is used on all instances, i.e. the password hashes would be interchangeable between instances.

The key file for this target environment must be supplied with all subsequent deliveries (as it was before).

The use of the previous key file is ruled out because IBM JVM 8 cannot read this file and the dynamic generation of new keys in the Liberty environments is ruled out because these would be deleted and regenerated with each deployment.

Future possible solutions for Top-Logic. How to do it right?:

Continue to encrypt password hashes? If you want to keep encrypting password hashes, you should at least persist such a key in a form that in principle allows it to be transferred to another environment. A simple text file is good enough. In the above scenario you could copy it into the new environment and the already stored password hashes would still be valid. Currently it's just the serialization of a Java object that can't be deserialized in the target environment (depending on the JVM used).

Password "switching"? And not encrypt them? But you can also do without encrypting the password hashes. Instead, passwords should (anyway) be hashed with a salt and the hashes should be stored together with the salt in the database.

Additionally "peppering" passwords? To prevent the successful transfer of such hashes to other Top-Logic instances, one could additionally "pepper" the passwords. Such a "pepper" would be valid for one server instance at a time and persisted in some way (preferably not in the same database as the password hashes). The application configuration would be a candidate. This "pepper" then goes into all PWD hashes of this instance. This prevents these hashes from being used on any other instance. This causes the same problems as described above, when moving to a new environment with transfer of previously stored password hashes. It would now have to be possible to ensure that the new environment uses the same "pepper" as the previous one, so that the stored hashes can continue to be used. The use of a "pepper" could be optional and simply disabled by default. Actually, the idea is quite nice: this way, password hashes could be interchangeable between multiple Prime instances of a customer (all using the same pepper), but not with other Top-Logic apps such as MPM, nor with instances of other customers.

Implementation

The ability was created to hash the password using the Argon2 algorithm(https://github.com/P-H-C/phc-winner-argon2). This uses a "salt" and a "pepper" can be configured in the application configuration.

Test

TestArgon2Hashing