[keycloak-dev] Zero-knowledge proof of password?

Peter K. Boucher pkboucher801 at gmail.com
Wed Mar 8 08:33:33 EST 2017


Sorry, I should have described our scenario more thoroughly.

We have one of these at the border of our VPC:
https://en.wikipedia.org/wiki/TLS_termination_proxy 

We can accept the risk of data being transmitted in the clear inside the
VPC, but we would prefer that passwords not be transmitted in the clear.

It's an old problem.  NTLM also used a proof of the password rather than
transmitting the password for similar reasons.

We could force that TLS be used inside the VPC between the TLS termination
proxy and Keycloak, but even then, the passwords are decrypted and then
re-encrypted.

We are considering trying to use something like the client-side hashing
described here: https://github.com/dxa4481/clientHashing 

The question for this group was related to whether anyone has already
developed anything along these lines for use with Keycloak.

Thanks!
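As an added illustration (not code from this thread or from the clientHashing project), here is a Python sketch of the client-side hashing idea referred to above: the client sends a salted PBKDF2 proof derived from the password, and the server stores a second, server-salted hash of that proof. The realm name, the iteration counts and the choice of PBKDF2-SHA256 are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed work factors; a real deployment would tune these to its hardware.
CLIENT_ITERATIONS = 50_000
SERVER_ITERATIONS = 50_000


def client_proof(username: str, password: str, realm: str) -> bytes:
    """Computed in the browser; this value travels over the wire, not the password.

    The salt is derived from public values (realm and username) so the client
    needs no extra round trip, and the proof is identical for every login."""
    salt = hashlib.sha256(f"{realm}:{username}".encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)


class CredentialStore:
    """Server side: stores a salted hash *of the proof*, never the proof itself,
    so a leaked user database cannot be replayed against the login endpoint."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, proof: bytes) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", proof, salt, SERVER_ITERATIONS)
        self._users[username] = (salt, digest)

    def verify(self, username: str, proof: bytes) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal them.
            hashlib.pbkdf2_hmac("sha256", proof, b"\x00" * 16, SERVER_ITERATIONS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", proof, salt, SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, digest)


def demo() -> tuple[bool, bool]:
    """Register 'alice' and check one correct and one wrong login attempt."""
    store = CredentialStore()
    store.register("alice", client_proof("alice", "correct horse", "vpc-realm"))
    good = store.verify("alice", client_proof("alice", "correct horse", "vpc-realm"))
    bad = store.verify("alice", client_proof("alice", "wrong guess", "vpc-realm"))
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note the trade-off the NTLM comparison above hints at: the proof is deterministic, so for this realm it is password-equivalent and still needs the TLS hop or a server-issued challenge to resist replay. What it does buy is that the plaintext password, which users tend to reuse elsewhere, never leaves the browser.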


-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org
[mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Tuesday, March 7, 2017 6:06 PM
To: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Zero-knowledge proof of password?

What does that even mean?  Keycloak's SSL mode can forbid non-SSL
connections.  FYI, OIDC requires SSL.


On 3/7/17 4:22 PM, Peter K. Boucher wrote:
> Suppose you don't want your passwords transmitted in the clear after SSL is
> terminated by a proxy.
>
> Has anyone developed a secure way for the client to prove they have the
> password, rather than transmitting it in the body of a post?
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
