FACT-Finder Password encryption

Simple or extended encryption

FACT-Finder offers two options for sending passwords: a simple method and an advanced method. The advanced method is the standard setting.

The reason for the two options is that FACT-Finder interfaces do not require a secure (HTTPS) connection. Therefore, to ensure the security of passwords as they are sent, a two-stage hash process is applied by the advanced method. The fundamental prerequisite for this is that the same secret key is used by both the FACT-Finder side and the client.

UTF-8 must be used as the encoding when generating the hashes. MD5 is used as the standard hash algorithm, but another algorithm can also be used if desired.

The password hash is formed as follows:

Plain text password: userpw

From the plain text password, a hash is first created using a defined algorithm. In the example, userpw produces the hash d8118f1bb6bd9998031053176a2c4bee. This is the string that should be sent as the password when using the simple method. As this hash value, if somehow obtained, works as well as the password for authentication purposes, requests with this value should only be sent over secure connections (HTTPS).

If you prefer to use the advanced hash method, you also need the secret key and a current timestamp (expressed in milliseconds since midnight 1 January 1970 GMT). You can obtain the timestamp in Java, for example, by using the method System.currentTimeMillis();. This method returns a result that is already relative to the UTC time zone.
In the example we assume the following values:

Prefix: FACT-FINDER

Postfix: FACT-FINDER

Timestamp: 1270732953523

The advanced variant builds on the result of the simple encryption, which is the hash of the clear text password. The prefix and the timestamp are prepended to this hash, and the postfix is appended. A new hash is then generated from the resulting string, and that is what is then sent.

Using the example above, the following string is generated:


FACT-FINDER1270732953523d8118f1bb6bd9998031053176a2c4beeFACT-FINDER

The result is: 167539c3e7aba8388eee252f429a4a1a. This is sent to FACT-Finder as the password. As the timestamp changes each time the advanced hashing process is invoked, the resulting hash also changes, which leads to increased security. By default each resulting hash is valid for 60 seconds; if you would like another lifespan, please let us know. This approach means it is not critical if the sent hash value is somehow obtained. Once the set time-out has expired, attempts to authenticate using the stolen password hash will fail. If the clocks on the web shop server and the FACT-Finder Search server are running synchronously, the time-out value can be reduced further to increase security.

Login

The login type used depends on the interface. For web service queries an AuthenticationToken object must be sent, in which the values are set accordingly. With XML and JSON, the login data, as well as the search parameters, are passed via the URL. The parameter names for this are username, password and timestamp.

If we take up the previous example again and the password belongs to the user user, the following URL results:



If you are sending a request to the REST API, the login data cannot be passed via parameters in the URL. In that case add, for example, the HTTP header 'Authorization: user:167539c3e7aba8388eee252f429a4a1a:1270732953523' to your request.
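The two hashing stages, the REST credential string and the hash lifetime described above, as an added Python example that is not FACT-Finder's own code. All function names are hypothetical, and `verify` is an assumed receiver-side check: the page does not describe how FACT-Finder validates the hash, so holding the simple hash on the receiver and tolerating clock skew in both directions are assumptions.

```python
import hashlib
import hmac

PREFIX = "FACT-FINDER"   # example prefix from the page
POSTFIX = "FACT-FINDER"  # example postfix from the page
LIFETIME_MS = 60_000     # default validity stated on the page (60 seconds)


def simple_hash(password: str, algorithm: str = "md5") -> str:
    """Simple method: hash of the UTF-8 encoded plain text password."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def advanced_hash(simple: str, timestamp_ms: int, algorithm: str = "md5") -> str:
    """Advanced method: hash(prefix + timestamp + simple hash + postfix)."""
    material = f"{PREFIX}{timestamp_ms}{simple}{POSTFIX}"
    return hashlib.new(algorithm, material.encode("utf-8")).hexdigest()


def authorization_value(username: str, password: str, timestamp_ms: int) -> str:
    """Value for the REST Authorization header: user:hash:timestamp."""
    hashed = advanced_hash(simple_hash(password), timestamp_ms)
    return f"{username}:{hashed}:{timestamp_ms}"


def verify(sent_hash: str, timestamp_ms: int, stored_simple: str,
           now_ms: int, lifetime_ms: int = LIFETIME_MS) -> bool:
    """Assumed receiver-side check (hypothetical, not FACT-Finder's code)."""
    # Reject timestamps outside the validity window in either direction,
    # so a captured hash stops working once the lifetime has passed.
    if abs(now_ms - timestamp_ms) > lifetime_ms:
        return False
    # Recompute from the claimed timestamp: altering the timestamp to
    # "refresh" a captured hash changes the expected value.
    expected = advanced_hash(stored_simple, timestamp_ms)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, sent_hash)


if __name__ == "__main__":
    ts = 1270732953523  # timestamp from the page's example
    stored = simple_hash("userpw")
    sent = advanced_hash(stored, ts)
    print("Authorization:", authorization_value("user", "userpw", ts))
    print("within lifetime:", verify(sent, ts, stored, now_ms=ts + 5_000))
    print("after lifetime: ", verify(sent, ts, stored, now_ms=ts + 61_000))
    print("timestamp moved:", verify(sent, ts + 60_000, stored, now_ms=ts + 61_000))
```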
