170.302 (o-v) Security requirements
From OpenEMR Project Wiki
Revision as of 19:06, 3 March 2011 by Ken Chapple (talk | contribs) (→Proposal for Generate/Display and confirm HASH Key)
Integrity SHA1 170.302()
Email discussion moved to discussion tab --Tony - www.mi-squared.com 19:05, 3 March 2011 (UTC)
Basic Visolve Actions
(1) Audit log - its a straightforward change.
(2) User Passwords -
(a) For New installations - again its a straightforward change
(b) For Upgrades -
Isolated one issue:
-- Already existing users will have their passwords encrypted in MD5
-- If we change the algorithm to SHA1, how the existing MD5 passwords are validated?
Our proposed solution (only after upgrade):
(a) When the user logins, the length of the password string is retrieved.
(b) If the lenght is less than 40 bytes, the user is validated with MD5 and allowed to login
1. On successful login, the user is prompted to "reset his/her password"
(This activity has to be forced through some mechanism)
2. If fails, it lands again to login page.
Note:
SHA1 and MD5 have different hash lengths.
The MD5 hash is 128 bits (or 32 bytes as a hex string); The SHA-1 hash is 160 bits
(or 40 bytes as a hex string)
