[keycloak-user] List of supported cryptographic algorithms
Thomas Darimont
thomas.darimont at googlemail.com
Wed Nov 2 12:11:29 EDT 2016
Hello Michael,
see: threat-model mitigations
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat.html
Password db compromised:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat/password-db-compromised.html
Currently, user passwords in Keycloak are by default hashed with
PBKDF2WithHmacSHA1 + salt and 20,000 iterations.
https://github.com/keycloak/keycloak/blob/fc6d6ff7f7dae7fb25edf052659d18cd8de55a5f/server-spi/src/main/java/org/keycloak/policy/HashAlgorithmPasswordPolicyProviderFactory.java#L31
https://github.com/keycloak/keycloak/blob/a89dbabc921d841dc943ac3a33886396bb13781b/server-spi/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java
You can provide your own hash algorithms via custom extensions, see:
PasswordHashProviderFactory, PasswordHashProvider
Supported OTP hash algos:
SHA1("HmacSHA1"),
SHA256("HmacSHA256"),
SHA512("HmacSHA512");
OTP secrets are stored by default as HmacSHA1
HmacOTP:
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/server-spi/src/main/java/org/keycloak/models/utils/HmacOTP.java#L33
User passwords as well as OTP secrets are stored within the "credentials"
table in the Keycloak database
(in case of using a RDBMS) via the CredentialEntity.
CredentialEntity:
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java#L50
Defaults in code might be overridden with defaults in database-changelog
scripts:
https://github.com/keycloak/keycloak/tree/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/resources/META-INF
Cheers,
Thomas
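The two credential primitives described above (salted PBKDF2 password hashes with a stored iteration count, and HMAC-based OTP with HmacSHA1/HmacSHA256/HmacSHA512) reproduced as an added, stand-alone Python example. This is not Keycloak's code and not part of the original post: the record field names, the 64-byte derived-key length, the `weak_records` audit helper and the HOTP look-ahead window are assumptions chosen for illustration; the PBKDF2 and HOTP/TOTP arithmetic follows RFC 8018, RFC 4226 and RFC 6238.

```python
"""Added example: salted PBKDF2 password records and HMAC OTP (SHA1/256/512).
Not Keycloak code; field names and sizes below are assumptions for illustration."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, List, Optional

# Defaults named in the post: PBKDF2WithHmacSHA1, random salt, 20,000 iterations.
PBKDF2_DEFAULT_ITERATIONS = 20000
DERIVED_KEY_BYTES = 64   # assumption: the thread does not state the derived-key length
SALT_BYTES = 16          # assumption
# JCA algorithm names used in the thread -> hashlib digest names.
PBKDF2_DIGESTS = {"PBKDF2WithHmacSHA1": "sha1",
                  "PBKDF2WithHmacSHA256": "sha256",
                  "PBKDF2WithHmacSHA512": "sha512"}
OTP_DIGESTS = {"HmacSHA1": hashlib.sha1,
               "HmacSHA256": hashlib.sha256,
               "HmacSHA512": hashlib.sha512}


def pbkdf2(password: str, salt: bytes, iterations: int, algorithm: str, length: int) -> bytes:
    """PBKDF2 (RFC 8018) over the HMAC named by the JCA-style `algorithm` string."""
    return hashlib.pbkdf2_hmac(PBKDF2_DIGESTS[algorithm], password.encode("utf-8"),
                               salt, iterations, length)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_DEFAULT_ITERATIONS,
                  algorithm: str = "PBKDF2WithHmacSHA1") -> Dict:
    """Build a credential record carrying everything needed to verify later.
    Storing algorithm and iteration count per record lets the policy be raised
    without invalidating existing hashes."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    derived = pbkdf2(password, salt, iterations, algorithm, DERIVED_KEY_BYTES)
    return {"algorithm": algorithm,
            "salt": base64.b64encode(salt).decode("ascii"),
            "hash_iterations": iterations,
            "value": base64.b64encode(derived).decode("ascii")}


def verify_password(password: str, record: Dict) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["value"])
    actual = pbkdf2(password, salt, record["hash_iterations"], record["algorithm"], len(expected))
    return hmac.compare_digest(actual, expected)


def weak_records(records: Dict[str, Dict],
                 minimum_iterations: int = PBKDF2_DEFAULT_ITERATIONS) -> List[str]:
    """Audit helper (assumption): since stored defaults may differ from the defaults
    in code, list users whose stored hash uses fewer iterations than the policy."""
    return [user for user, rec in records.items()
            if rec["hash_iterations"] < minimum_iterations]


def hotp(secret: bytes, counter: int, algorithm: str = "HmacSHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation, over any of the listed HMAC variants."""
    mac = hmac.new(secret, struct.pack(">Q", counter), OTP_DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, algorithm: str = "HmacSHA1", digits: int = 6,
         period: int = 30, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (`at` overrides the clock)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // period, algorithm, digits)


def verify_hotp(secret: bytes, code: str, counter: int, algorithm: str = "HmacSHA1",
                digits: int = 6, look_ahead: int = 1) -> Optional[int]:
    """Accept a code within a small look-ahead window (assumed size) to tolerate
    skipped counters; return the next counter to persist, or None on failure."""
    for candidate in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, algorithm, digits), code):
            return candidate + 1
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record["algorithm"], record["hash_iterations"], verify_password("correct horse battery staple", record))
    # Constructed RFC 4226 test secret, shown for all three HMAC variants.
    for name in OTP_DIGESTS:
        print(name, hotp(b"12345678901234567890", 0, name))
```

`verify_password` deliberately reads the algorithm and iteration count from the record rather than from configuration, which is what makes a later policy change (more iterations, a different HMAC) safe for existing users; `weak_records` is the check to run against the stored rows afterwards to find hashes that still sit below the intended policy.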
2016-11-02 16:40 GMT+01:00 Michael Furman <michael_furman at hotmail.com>:
> Can somebody point where to find the information?
>
>
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.
> jboss.org> on behalf of Michael Furman <michael_furman at hotmail.com>
> Sent: Tuesday, November 1, 2016 10:11 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] List of supported cryptographic algorithms
>
> Hi all,
> Where can I find list of supported algorithms used here:
> http://www.keycloak.org/docs/rest-api/#_credentialrepresentation
> What is the list of hash algorithms?
> What is the list of encryption algorithms?
> Thank you in advance for your help.
> Best regards,
> Michael
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>