[keycloak-user] Submitted Feature: More Secure PasswordHashProviders

Stian Thorgersen sthorger at redhat.com
Mon Mar 6 06:37:36 EST 2017


4 new providers is surely a bit overkill? Isn't 256 and 512 more than
sufficient?

On 2 March 2017 at 15:28, Adam Kaplan <akaplan at findyr.com> wrote:

> This is now in the jboss JIRA: https://issues.jboss.org/browse/KEYCLOAK-4523
>
> I intend to work on it over the next week or two and submit a PR.
>
> On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno at abstractj.org>
> wrote:
>
> > Hi Adam and John, I understand your concern. Although, collisions are not
> > practical for key derivation functions. There's a long discussion about
> > this subject here[1].
> >
> > Anyways, you can file a Jira as a feature request. If you feel like you
> > would like to attach a PR, better.
> >
> > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
> >
> > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament at gmail.com>
> > wrote:
> >
> >> I deal with similarly concerned customer bases.  I would be happy to see
> >> some of these algorithms added.  +1
> >>
> >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan at findyr.com> wrote:
> >>
> >> > My company has a client whose security prerequisites require us to
> >> > store passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
> >> > looking to migrate our user management functions to Keycloak, and I noticed
> >> > that hashing with SHA-1 is the only provider out of the box.
> >> >
> >> > I propose adding the following providers (and will be happy to
> >> > contribute!), using the hash functions available in the Java 8 runtime
> >> > environment:
> >> >
> >> >    1. PBKDF2WithHmacSHA224
> >> >    2. PBKDF2WithHmacSHA256
> >> >    3. PBKDF2WithHmacSHA384
> >> >    4. PBKDF2WithHmacSHA512
> >> >
> >> > I also propose marking the current Pbkdf2PasswordHashProvider as
> >> > deprecated, now that a real SHA-1 hash collision has been published by
> >> > Google Security.
> >> >
> >> > --
> >> > *Adam Kaplan*
> >> > Senior Engineer
> >> > findyr <http://findyr.com/>
> >> > m 914.924.5186 | e akaplan at findyr.com
> >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> >> > _______________________________________________
> >> > keycloak-user mailing list
> >> > keycloak-user at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> >
> >>
> >
>
>
> --
> *Adam Kaplan*
> Senior Engineer
> findyr <http://findyr.com/>
> m 914.924.5186 | e akaplan at findyr.com
> WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>


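Added example, not from the thread and not Keycloak's own provider code: the four SecretKeyFactory algorithm names Adam lists are registered by the SunJCE provider in Java 8, and the snippet below derives, stores and verifies a password record with three of them side by side. The `alg$iterations$salt$hash` record layout, the class and method names, and the 27500 iteration count are this example's own assumptions, not Keycloak's storage format or defaults. What it is meant to show: switching the HMAC from SHA-1 to SHA-256 or SHA-512 is a one-string change, the derived-key length should follow the hash output, and verification must compare in constant time. It does not change the point Bruno makes above, that a collision attack on SHA-1 does not translate into an attack on PBKDF2-HMAC-SHA1; the iteration count and a per-user random salt remain the parameters that actually set the attacker's cost.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Pbkdf2Demo {
    // JDK 8 SunJCE algorithm names; SHA224 and SHA384 exist too but are omitted here.
    static final String[] ALGORITHMS = {
        "PBKDF2WithHmacSHA1", "PBKDF2WithHmacSHA256", "PBKDF2WithHmacSHA512"
    };
    // Illustrative work factor chosen for this example, not a Keycloak default.
    static final int ITERATIONS = 27500;

    // Derived-key length matches the underlying hash output so no entropy is wasted.
    static int keyBitsFor(String alg) {
        if (alg.endsWith("SHA512")) return 512;
        if (alg.endsWith("SHA256")) return 256;
        return 160; // HmacSHA1
    }

    static byte[] derive(String alg, char[] password, byte[] salt, int iterations, int keyBits)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            return SecretKeyFactory.getInstance(alg).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the password
        }
    }

    // Self-describing record (this example's own format): alg$iterations$salt$hash.
    static String encode(String alg, char[] password, int iterations) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh per-user salt
        byte[] hash = derive(alg, password, salt, iterations, keyBitsFor(alg));
        Base64.Encoder b64 = Base64.getEncoder();
        return alg + "$" + iterations + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    static boolean verify(String stored, char[] candidate) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 4) return false;
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[2]);
        byte[] expected = b64.decode(parts[3]);
        // The record carries the algorithm, so old SHA-1 records keep verifying
        // while new records are written with a stronger HMAC.
        byte[] actual = derive(parts[0], candidate, salt, Integer.parseInt(parts[1]), expected.length * 8);
        // MessageDigest.isEqual compares in constant time for equal-length inputs.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample
        for (String alg : ALGORITHMS) {
            String record = encode(alg, pw, ITERATIONS);
            System.out.println(record);
            System.out.println("  match=" + verify(record, pw)
                    + " mismatch=" + verify(record, "hunter2".toCharArray()));
        }
    }
}
```

Because the algorithm name is stored with each record, a migration can verify against whatever HMAC a user's record was written with and re-hash on the next successful login, which is how a deprecated SHA-1 provider is retired without a forced password reset.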