User Tools

Site Tools


en:security

Security

Enhance the security of FreeHealth

TLS encrypted MySQL connection

Passphrase

Current facts

  • Passphrase max length limit is 79 characters for the reference MySQL 5.5 client.
  • Same password is used for mysql connection and for users table
  • No key derivation function is used, only a single SHA2 hashing, if the database is accessed by an adversary, it can quickly recover passwords with a dictionary attack

Solutions

  • use Argon2 as kdf
  • use the hash to connect to MySQL (truncate at 79 chars)
  • use hash to check users table rights (do not truncate)

Categories of user

We need to improve the enforcement of access rights according to categories (notably administrative, MD and nurses).

Private notes

Current structure of FreeHealth is to allow all healthcare professionals belonging to a certain category to access all data. We could give users the ability to write private notes encrypted with their passphrase.

en/security.txt · Last modified: 2018/03/14 09:03 by 66.249.69.182