Outsystems migration from version 8 - 10 - MD5 encryption to AES-256 encryption


Hi,


We have performed a migration from OutSystems version 8 to 10. Now we need to change MD5 encryption to AES-256 encryption. Is it possible?

If it's possible,

Is there a data conversion needed (i.e., what happens to old passwords – do they just need to be reset)?


Thanks

Janarthanan

Hi Janarthanan,

If you're talking about the passwords stored in the User Entity, you don't need to do anything. The old password hashes are still valid, and any new ones are created with stronger encryption. There's of course no way to actually convert anything, even MD5 shouldn't be easily reversible :).

Kilian Hekhuis wrote:

Hi Janarthanan,

If you're talking about the passwords stored in the User Entity, you don't need to do anything. The old password hashes are still valid, and any new ones are created with stronger encryption. There's of course no way to actually convert anything, even MD5 shouldn't be easily reversible :).


Hi Killian,

Thank you .

We used MD5 encryption in OutSystems 8 to store passwords, and now the customer wants to move to AES-256 encryption in the newly migrated OutSystems 10 environment.

The migration was done as suggested by OutSystems, as below.


  1. Be sure to read all the documents that might impact your upgrade. As an example, if you're upgrading from version 8 to 10, read the breaking changes for the versions 9, 9.1, and 10.
  2. In version 9.0.1 the encryption algorithm that the OutSystems Platform uses to store the settings in the database was improved and applications in later versions of the OutSystems Platform are not able to read settings stored with the previous algorithm. To avoid downtime in Production environments, when upgrading OutSystems from a revision earlier than 9.0.1 you must do the following:
     - Perform a full upgrade to the latest 9.0.1 revision;
     - Validate the functionality of the applications running on OutSystems Platform 9.0.1;
     - Perform a full upgrade to OutSystems 10.


1. So can I use the AES-256 algorithm from the CryptoAPI extension to decrypt the old passwords as well, which are encrypted with MD5?

2. If it's not possible, what do we need to do?


Thanks

Janarthanan

Hi Janarthanan,

If you are using the standard OutSystems login capability, you can't use AES-256. OutSystems uses SHA-512 for its passwords. So for example the EncryptPassword function from the Users eSpace encrypts the password using SHA-512, and the PlatformPasswordUtils Module has a ValidatePassword Action that can validate a password from the User Entity, regardless of whether it's encrypted using the old MD5 hash or the new SHA-512 hash.

Note however, that for hashing passwords, you should never ever use AES! AES is symmetric encryption, which means it's not a one-way hash (which is what you want for passwords), but you can actually decrypt the encrypted content. And you must therefore never, and I repeat really never, and in case you're not sure what I mean REALLY NEVER encrypt passwords using AES-256! Passwords should never be decryptable!
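To make the dual-format validation Kilian describes concrete, here is an added Python sketch (not OutSystems code; the platform's EncryptPassword and ValidatePassword actions are internal and their exact storage format is not shown in this thread). It recognises a stored hash as legacy MD5 or current SHA-512 by its hex length, compares in constant time, and adds one step the thread does not cover: on a successful login the plaintext is briefly available, so a legacy entry can be re-hashed to SHA-512 without a password reset. The user table is constructed sample data.

```python
import hashlib
import hmac

# Constructed sample store (not real platform data): one user still on a legacy
# MD5 hex digest (32 chars), one already on a SHA-512 hex digest (128 chars).
users = {
    "legacy_user": hashlib.md5(b"old-secret").hexdigest(),
    "new_user": hashlib.sha512(b"new-secret").hexdigest(),
}


def encrypt_password(password: str) -> str:
    """Hash a password with SHA-512, the stronger of the two stored formats."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def validate_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored hash in either format.

    The format is inferred from digest length (MD5 hex = 32, SHA-512 hex = 128).
    hmac.compare_digest keeps the comparison constant-time so a failed check does
    not leak how many leading characters matched.
    """
    if len(stored) == 32:
        digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    elif len(stored) == 128:
        digest = hashlib.sha512(candidate.encode("utf-8")).hexdigest()
    else:
        return False  # unknown or corrupted record: fail closed
    return hmac.compare_digest(stored, digest)


def login(username: str, password: str) -> bool:
    """Validate a login and, on success, upgrade a legacy MD5 entry to SHA-512.

    A hash cannot be converted to another hash offline (there is no plaintext),
    so login time is the only point at which the stored format can be upgraded
    without forcing a reset.
    """
    stored = users.get(username)
    if stored is None or not validate_password(stored, password):
        return False
    if len(stored) == 32:
        users[username] = encrypt_password(password)
    return True


def is_legacy(username: str) -> bool:
    """True while the user's stored hash is still in the MD5 format."""
    return len(users[username]) == 32
```

Unsalted fast hashes such as plain MD5 or SHA-512 are shown here only to mirror the two formats named in the thread; a dedicated password-hashing function with a per-user salt is the appropriate choice when the storage format is yours to define.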

Kilian Hekhuis wrote:

Hi Janarthanan,

If you are using the standard OutSystems login capability, you can't use AES-256. OutSystems uses SHA-512 for its passwords. So for example the EncryptPassword function from the Users eSpace encrypts the password using SHA-512, and the PlatformPasswordUtils Module has a ValidatePassword Action that can validate a password from the User Entity, regardless of whether it's encrypted using the old MD5 hash or the new SHA-512 hash.

Note however, that for hashing passwords, you should never ever use AES! AES is symmetric encryption, which means it's not a one-way hash (which is what you want for passwords), but you can actually decrypt the encrypted content. And you must therefore never, and I repeat really never, and in case you're not sure what I mean REALLY NEVER encrypt passwords using AES-256! Passwords should never be decryptable!

Hi Kilian,

Thanks for your valuable information. It helps us to find the right encryption algorithm for our case.

Thanks

Janarthanan


Hi Janarthanan,

The right encryption level is the one you get right out of the box. Like I said, use EncryptPassword from the Users eSpace to encrypt a password using SHA-512, and use ValidatePassword from PlatformPasswordUtils to validate a password, and you'll be safe.