Password Hashing
This chapter is about how cryptographic password hashing is done in CIB seven. In particular, the hashing algorithm that is being used and the salt generation. If you are not familiar with these topics, we recommend reading the articles about cryptographic hash function, salt and secure password hashing.
The Camunda version 7.6 and earlier use the cryptographic hash function SHA-1. Since Camunda version 7.7 the hash function SHA-512 is used. If there is a need for another custom hash function, it is possible to plugin a custom password hashing algorithm in Camunda.
At salt generation, a random 16-byte per-user value is created, which is generated with SecureRandom. It is also possible to customize the salt generation if desired.
Customize the Hashing Algorithm
If it is necessary to use a more secure hash algorithm, you can provide your own implementation.
You can do this by implementing the PasswordEncryptor
interface from the org.camunda.bpm.engine.impl.digest
package. The interface ensures that all necessary functions for password hashing are implemented. You can have a look at the classes Base64EncodedHashDigest
and ShaHashDigest
from the org.camunda.bpm.engine.impl.digest
package to see how this is done in Camunda. A template for your own implementation could look as follows:
public class MyPasswordEncryptor implements PasswordEncryptor {
@Override
public String encrypt(String password) {
// do something
}
@Override
public boolean check(String password, String encrypted) {
// do something
}
@Override
public String hashAlgorithmName() {
// This name is used to resolve the algorithm used for the encryption of a password.
return "NAME_OF_THE_ALGORITHM";
}
}
Once this is done, you can use the process engine configuration to plug in the custom implementation by the setting the passwordEncryptor
property to your custom implementation, e.g., MyPasswordEncryptor
. See Process Engine Bootstrapping on where you have to set the property for your Camunda environment.
Note that, even if you have already users created with passwords hashed by other algorithms, e.g., old custom algorithms or the Camunda default hash algorithm SHA-512
, they can still automatically be resolved by the engine although you have added your custom algorithm afterwards. The property customPasswordChecker
is a list of hashing algorithms to be used to check (older) passwords. The Camunda default hashing algorithms are automatically added, so please only add your previous custom passwordEncryptor
implementation to that list.
Heads Up!
Please do not use your own implementation of a hash function, but rather a standard that has been peer reviewed!
Customize the Salt generation
Similar to the hashing algorithm, the salt generation can be adjusted. First, implement the SaltGenerator
interface from the org.camunda.bpm.engine.impl.digest
. This ensures that all necessary functions are implemented. You can have a look at the classes Base64EncodedSaltGenerator
and Default16ByteSaltGenerator
from the org.camunda.bpm.engine.impl.digest
package to see how this is done in Camunda. A template for your own implementation could look as follows:
public class MyCustomSaltGenerator implements SaltGenerator {
@Override
public String generateSalt() {
// do something
}
}
Once this is done, you can use the process engine configuration to plug in the custom implementation by the setting the saltGenerator
property to your custom implementation, e.g., MyCustomSaltGenerator
. See Process Engine Bootstrapping on where you have to set the property for your Camunda environment.