Using Client-Side Password Encryption

Standard practice for most applications that transmit passwords is to use a secure protocol such as HTTPS, which handles password encryption internally. The LoginUser Web service, however, includes an option that permits a client-side application to encrypt passwords and then log in a user without using a secure protocol.

Important: Oracle strongly recommends using a secure protocol for all operations that transmit confidential information, including logins. The client-side password encryption feature built into the LoginUser service exists as an option for customers with unusual login requirements, and it is not recommended for general use.

To use this feature, client applications must follow very specific Oracle Commerce Platform-defined rules for encrypting cleartext passwords. If a password is encrypted in a way the Oracle Commerce Platform server does not understand, the login authentication will fail. Note also that the rules for encryption vary according to the password hasher your application uses; for example, the MD5PasswordHasher hashes passwords in a different way from the SaltedDigestPasswordHasher.

Not all password hashers permit the client-side encryption of passwords. Applications whose password hashers do not provide a temporary encryption key to be used for logins cannot use client-side encryption. This temporary encryption key is needed so that the client does not send a password string that is identical to the stored password in the database. The CanClientEncryptPasswords Web Service determines if the current application allows client-side encryption. Currently, only the MD5PasswordHasher has well-defined rules for client-side encryption, and it is the only password hasher supported for this feature.

The process of passing an encrypted password from a client application to the LoginUser Web service is called a password encryption conversation. A restriction of this feature is that the entire password encryption conversation must be completed within a certain time limit, defined by the maxAuthenticationWait property of the ProfileServices component. This time limit starts the moment a client calls GetPasswordHashKey and ends the moment that same client calls LoginUser.

The following procedure describes how to have your application use the client-side password encryption feature to log in a user. Note that the procedure assumes your application uses the MD5PasswordHasher.

  1. Call the CanClientEncryptPasswordsWeb service.

  2. If CanClientEncryptPasswords returns false, use HTTPS and send the password as cleartext. Call the LoginUser service using the following parameters: loginUser(login, cleartext_password, false).

  3. If CanClientEncryptPasswords returns true, call the getPasswordHashAlgorithm service.

  4. Use the returned algorithm to encrypt the user’s password.

  5. Call the GetPasswordHashKey service. Note that the conversation timer is started here. The client application has maxAuthenticationWait milliseconds to call the LoginUser service. If LoginUser is not called quickly enough, an error is thrown when the service is eventually called.

  6. Encrypt a combination of the returned hashKey and the encrypted password from step 4, again using the algorithm returned from step 3.

  7. Call the LoginUser service using the following parameters: loginUser(login, encrypted_password_from_step_6, true).

Copyright © 1997, 2015 Oracle and/or its affiliates. All rights reserved. Legal Notices