Database User Source Authentication

When a project is authenticating against a database user source does the client encrypt/hash the password being sent to the gateway? and along those same lines does it encrypt/hash the password being sent from the gateway to the database?

The example shown in the setup of the user source is

SELECT firstname, lastname, schedule FROM USERS WHERE username = ? AND password = MD5(?)

If not, is there some way I can encrypt/hash the password before it gets sent to the gateway?

They are obscured via encryption before being sent to the gateway, but you need to use HTTPS/TLS to be truly secured.

We are definitely going to use SSL, but I do not want to rely solely on that for encrypting the password. If the client is obscuring the password via encryption does that mean when it gets to the gateway it un-obscures the password before sending it to the database query to check for authentication?

Yes, it’s unobscured and then passed to whatever user source profile is in use, which depending on the implementation may hash the password before using it to authenticate.

With DB Automatic it’s SHA1.

When handling passwords, you need to check two possibilities for stealing: stealing by eavesdropping on the communication, and stealing by getting access to the data.

To protect against eavesdropping, you need to use a secure transport layer. SSL should offer that. At least, it’s used all over the web to transfer sensitive data.

Once it reaches your server, it should normally be safe from immediate attacks. So you can handle the password as plain-text in memory. But you shouldn’t store it as plain text because at some day, someone will hack into the system, or get his hands on the data in some way, and know the passwords.

That’s why it should be encrypted in the database. Do note that, for a good encryption, you need to use a good algorithm, but also add salt to the password (some string that makes it unique so it doesn’t appear in some online database of hashed and cracked passwords).


We want to use the database source in manual mode because we already have our users and roles set up in another database system. What I am struggling with is how we can hash the password in the gateway before sending it to the database. Is there some way to have the hashed password comparison happen on the gateway rather than in the database?

I think the intention with the manual mode is that your authentication query uses a SQL hash function implemented by your database.
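For comparison with the MD5(?) query above, here is an added example (not code from this thread or from the gateway product) of the gateway-side check the question asks about: the query carries only the username, and the salted hash comparison happens in application code. The USERS table layout, the PBKDF2 scheme and the sample users are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed scheme: per-user random salt + PBKDF2-HMAC-SHA256 (not the MD5(?) from the thread).
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is generated when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def build_db():
    """Constructed in-memory stand-in for the external user database from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USERS (username TEXT PRIMARY KEY, firstname TEXT, lastname TEXT,"
        " schedule TEXT, salt BLOB, pw_hash BLOB)"
    )
    sample_users = [
        ("alice", "Alice", "Smith", "day", "correct horse"),
        ("bob", "Bob", "Jones", "night", "correct horse"),  # same password, different salt
    ]
    for user, first, last, sched, pw in sample_users:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO USERS VALUES (?,?,?,?,?,?)", (user, first, last, sched, salt, digest))
    return conn


def authenticate(conn, username, password):
    """Gateway-side check: the password never leaves the application process."""
    row = conn.execute(
        "SELECT firstname, lastname, schedule, salt, pw_hash FROM USERS WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Burn one hash anyway so unknown and known usernames take similar time.
        hash_password(password, b"\x00" * 16)
        return None
    first, last, sched, salt, stored = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the recomputed hash against the stored one.
    if not hmac.compare_digest(candidate, stored):
        return None
    return {"firstname": first, "lastname": last, "schedule": sched}
```

Because each user has a distinct salt, two users sharing a password still end up with different stored hashes, which is the point of the salt advice earlier in the thread.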