Extended User Import Script

See this blog for more details on the extended script UserManagement, on the available features, next steps and everything else.

What's wrong with the UserImport and why is ILIAS3 "illegal"

Wischniak, Stanislav [wischniak] - 15. Aug 2016, 17:58

Some of you have already encountered the issue that the import of the XML in ILIAS is refused with the following message:

The others are most likely to encounter the problem after the next ILIAS update, so I hope you read this page before or at least shortly after your next update and don’t have to spend a lot of time twiddling with Excel, staring at XML or grumbling at your IT department.

So the reason for this error is a security measure which was broadly applied to the newest ILIAS versions. To be precise, the change was applied to the versions 5.0.14 and 5.1.8. And of course it will also be in the upcoming version 5.2 from the beginning.

As a necessary enhancement to the security of ILIAS the ILIAS-Community decided to abandon the not-anymore-secure MD5 method for hashing passwords in ILIAS and to use the likely-secure-for-a-long-long-time method BCRYPT.
In case cryptology is your hobby, you are interested in the decision process of the ILIAS Community on that matter or just need some more details on the reasons, you probably want to read more about Abandon MD5 Password Encryption.

So how is this important for the UserImport?

The UserImport used to have the MD5 Encryption set to “yes” (table “MD5-Declaration”). In this case the XML export would be like:

<Password Type="ILIAS3"><![CDATA[487753b954871b5b05f854060de151d8]]></Password>

This MD5 hash “487..” was a pretty secure encryption for a long time: if someone got hold of this XML, he still would not know the password and could not use this hash to log in to ILIAS.

Today (with much more computing power, cheaper data storage and new technologies) this hash just pretends to be secure, but in fact is not. In IT this is called “security by obscurity” and is considered very weak security and overall bad practice.
Today just anyone could decrypt this hash and get the plain password. Go ahead and just try it yourself.

So with the new ILIAS version the Password Type “ILIAS3” (which was supporting MD5) is no longer allowed (thus the error when importing). The only two allowed types in those new ILIAS versions are PLAIN and BCRYPT. You can find those rules in any ILIAS installation.

So by now I guess you have already figured out how to keep using the UserImport. In the newest version (v.2.6.1) the setting MD5 encryption is already set to “no” by default, so you will not have any problems with the import in ILIAS. And you probably already know that the line in your XML with this setting would be like:

<Password Type="PLAIN">myPassword123</Password>

So be aware of the sensitive data in your XML, as you hopefully are with the data in your Excel. Do not send the XML via email or use it for import over a less secure connection (free Wi-Fi, hotel, internet café etc.). And the best advice would be to consider the option “Change Password on First Login” (Administration – User Management – Settings).
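A pre-import check for the rules described above, as an added example that is not part of the UserImport script or of ILIAS: it reports every Password Type that the newer ILIAS versions will refuse and every clear-text password left in the file. The `<Users>`/`<User>`/`<Login>` wrapper, the sample data and the function name `check_import` are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Password types accepted by ILIAS 5.0.14 / 5.1.8 and later, per the text above.
ALLOWED_TYPES = {"PLAIN", "BCRYPT"}
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample; the <Users>/<User>/<Login> wrapper is an assumed layout.
SAMPLE_XML = """<Users>
  <User><Login>alice</Login>
    <Password Type="ILIAS3"><![CDATA[487753b954871b5b05f854060de151d8]]></Password></User>
  <User><Login>bob</Login>
    <Password Type="PLAIN">myPassword123</Password></User>
  <User><Login>carol</Login>
    <Password Type="PLAIN">0123456789abcdef0123456789abcdef</Password></User>
  <User><Login>dave</Login></User>
</Users>"""


def check_import(xml_text):
    """Return (login, severity, message) findings; password values are never echoed."""
    findings = []
    # Meant for your own export file; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    for user in root.iter("User"):
        login = (user.findtext("Login") or "<no login>").strip()
        pw = user.find("Password")
        if pw is None:
            continue  # no password element: nothing to check for this user
        ptype = pw.get("Type", "")
        value = (pw.text or "").strip()
        if ptype not in ALLOWED_TYPES:
            findings.append((login, "error", f"Password Type {ptype!r} will be refused on import"))
        elif ptype == "PLAIN" and MD5_HEX.match(value):
            # Heuristic: a relabelled hash would itself become the password.
            findings.append((login, "warn", "PLAIN value looks like an MD5 hash"))
        elif ptype == "PLAIN":
            findings.append((login, "info", "clear-text password; protect the XML, force change on first login"))
    return findings


if __name__ == "__main__":
    for login, severity, message in check_import(SAMPLE_XML):
        print(f"{severity:5} {login}: {message}")
```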

What about BCRYPT?

The first thing you should know: once your ILIAS is set to “BCRYPT” (manually or by update), with every login of a user his or her MD5-encrypted password will be translated to BCRYPT, so after a while all the user passwords in the database will be encrypted with BCRYPT.

Regarding the UserManagement, the implementation in 5.0.x and 5.1.x does not allow using BCRYPT in Excel (an individual user salt will be created in ILIAS, which the Excel is not aware of). In ILIAS 5.2 there will be a new implementation of BCRYPT (due to the PHP 7 update) which will allow using a foreign-created BCRYPT hash. So we hope it will be possible to implement the BCRYPT algorithms in Excel (VBA) and encrypt the password with BCRYPT to make those XMLs secure again.

[Update 13.09.2016]: In fact MD5 was abandoned in 5.0.14 and 5.0.8 (not 5.0.13 and 5.1.7).
Commit 5.0.x
Commit 5.1.x

