Forum: VoltDB Architecture

Post: BCrypt

Sabrina
Feb 14, 2016
Hello,

I looked at the BCrypt implementation (https://github.com/jeremyh/jBCrypt) and cannot understand the way VoltDB uses it.
With voltdb mask, VoltDB stores the password hashes as SHA1(password)+SHA2(password). When the client (for example the Java client) connects to the server, the client sends the password as a SHA2 hash to the server. The SetUsersInfo function, where the bcrypt password is generated (Bcrypt.hashpw), is executed when the database is started. So the bcrypt passwords are only in memory. When the user authenticates, the hashpw function is executed. Why doesn't VoltDB use the hashpw function to store the passwords?

Thanks.

Best regards,
Sabrina
anish
Feb 15, 2016
VoltDB supports SHA1 and SHA2 schemes for passwords, and thus mask saves both values in the deployment file. The server does not accept the password in cleartext; instead it accepts SHAs. BCrypt is not used for storing hex-encoded SHAs, and we only compare those SHAs.

Anish
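
The flow described in the two posts above, as an added sketch that is not VoltDB's code and not part of the original thread: the client sends only the hex SHA2 of the password, and the server derives a slow, salted in-memory verifier from the SHA2 value stored in the deployment file. Assumptions: "SHA2" is taken to mean SHA-256, the JDK's PBKDF2 stands in for jBCrypt's BCrypt.hashpw so the example has no dependencies, and all class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration; names are hypothetical and this is not VoltDB code.
public class ShaThenSlowHashDemo {
    // Hex digest of the password: the only form that leaves the client.
    static String shaHex(String algorithm, String password) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm)
                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Stand-in for BCrypt.hashpw: a salted, deliberately slow hash (PBKDF2).
    static byte[] slowHash(String shaHex, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(shaHex.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // Masked deployment value: SHA1 hex followed by SHA2 hex (constructed sample).
        String masked = shaHex("SHA-1", "securePWD") + shaHex("SHA-256", "securePWD");
        String storedSha2 = masked.substring(40); // a SHA-1 hex digest is 40 characters

        // Server start: build the in-memory verifier from the stored SHA2 value.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] inMemory = slowHash(storedSha2, salt);

        // Login: the client sends SHA2 hex; the server repeats the slow hash
        // and compares the results in constant time.
        for (String attempt : new String[] {"securePWD", "wrongPWD"}) {
            String sent = shaHex("SHA-256", attempt);
            boolean ok = MessageDigest.isEqual(inMemory, slowHash(sent, salt));
            System.out.println(attempt + " -> " + (ok ? "accepted" : "rejected"));
        }
    }
}
```

In the scheme as modelled here, the SHA2 string in the deployment file is the same string the client sends at login, so the file should be access-controlled like a credential.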
Sabrina
Feb 16, 2016
Hi Anish,

thanks for your answer. I used the authentication in my Java application two times:

    properties.put("user", "sys-admin");
    properties.put("password", "securePWD");
    dbConnection = DriverManager.getConnection(DATABASE_URL, properties);
    ... // do something
    dbConnection.close();

In the second authentication process no username and password are sent to the VoltDB server. Why does the authentication only happen one time?

Best regards,
Sabrina
pzhao
Feb 16, 2016
Sabrina,
Could you please provide the original code? As you've stated, if the connection is closed, which is what you appear to have done, it should reauthenticate when opening a new connection.
Peter Zhao
Sabrina
Feb 17, 2016
Hello Peter,

the source code is simply this:

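    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.SQLException;
    import java.util.Properties;

    public class ConnectTime {
        // The post does not show these two constants; the values are placeholders.
        private static final String DRIVER_CLASS = "org.voltdb.jdbc.Driver";
        private static final String DATABASE_URL = "jdbc:voltdb://<host>:<port>";

        private Connection dbConnection;

        /** Opens a connection and prints how long the connect took. */
        public ConnectTime() throws SQLException {
            long connection_time, startTime;
            float elapsedTimeSec;

            Properties properties = new Properties();
            properties.put("user", "sys-admin");
            properties.put("password", "securePWD");
            System.out.printf("securePWD");

            startTime = System.currentTimeMillis();

            dbConnection = DriverManager.getConnection(DATABASE_URL, properties);

            connection_time = System.currentTimeMillis() - startTime;
            elapsedTimeSec = connection_time / 1000F;
            System.out.printf("Time: %.4f\n", elapsedTimeSec);
        }

        /** Closes the connection to the server. */
        public void close() throws SQLException {
            dbConnection.close();
        }

        public static void main(String[] args) throws Exception {
            Class.forName(DRIVER_CLASS);
            // Connect, close and wait two seconds, five times in a row.
            for (int i = 0; i < 5; i++) {
                ConnectTime helloDB = new ConnectTime();
                helloDB.close();
                Thread.sleep(2000);
            }
        }
    }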

In the Wireshark trace I only see one authentication to each server in the connection pool. But the script runs five times.

Thanks.
Sabrina
Feb 19, 2016
Hi Peter,

I can also send the Wireshark trace to you.

Best regards,
Sabrina