[keycloak-user] Submitted Feature: More Secure PasswordHashProviders

Ori Doolman Ori.Doolman at amdocs.com
Mon Mar 13 05:51:33 EDT 2017


Adam,
From this code change in spi-private/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java (https://github.com/keycloak/keycloak/compare/master...adambkaplan:feature/KEYCLOAK-4523?diff=unified&expand=1&name=feature%2FKEYCLOAK-4523#diff-6bd4fe1e1352335e9875f74a54373b57):
-public class Pbkdf2PasswordHashProvider implements PasswordHashProviderFactory, PasswordHashProvider {
+public class Pbkdf2PasswordHashProvider extends APbkdf2PasswordHashProvider implements PasswordHashProviderFactory {
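Review bot: the `+` line drops `PasswordHashProvider` from the implements clause, so the class still satisfies that interface only if `APbkdf2PasswordHashProvider` declares it; the PR description should say so, and should also state whether the provider id and the encoding of the SHA-1 hashes the moved code emits are unchanged, because that, not the class hierarchy, is what decides whether hashes already stored in the DB keep verifying after an upgrade.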

I am concerned that backward compatibility is not maintained, and I would have to replace all active user passwords after upgrade. Is that correct?
Also, where do I set the SHA-256 option eventually? Do I control it from the Admin Console UI?

Thanks,
Ori.

From: Adam Kaplan [mailto:akaplan at findyr.com]
Sent: Thursday 09 March 2017 19:15
To: stian at redhat.com
Cc: Ori Doolman <Ori.Doolman at Amdocs.com>; Bruno Oliveira <bruno at abstractj.org>; keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Submitted Feature: More Secure PasswordHashProviders

I'd agree with 4 being overkill - I just listed what was available in the JRE.

I started down the path of implementing - feature branch is here: https://github.com/adambkaplan/keycloak/tree/feature/KEYCLOAK-4523

On Thu, Mar 9, 2017 at 8:24 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
Search for usage of the class PasswordHashProvider

On 9 March 2017 at 12:54, Ori Doolman <Ori.Doolman at amdocs.com> wrote:
From this discussion I understand that for all realm users, the current password hashing algorithm uses SHA1 before the hashed password is saved to the DB.

Can you please point me to the place in the code where this hashing occurs?

Thanks.


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bruno Oliveira
Sent: Monday 06 March 2017 14:08
To: stian at redhat.com; Adam Kaplan <akaplan at findyr.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Submitted Feature: More Secure PasswordHashProviders

On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen <sthorger at redhat.com> wrote:

> 4 new providers is surely a bit overkill? Isn't 256 and 512 more than
> sufficient?
>

+1


>
> On 2 March 2017 at 15:28, Adam Kaplan <akaplan at findyr.com> wrote:
>
> This is now in the jboss JIRA:
> https://issues.jboss.org/browse/KEYCLOAK-4523
>
> I intend to work on it over the next week or two and submit a PR.
>
> On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno at abstractj.org> wrote:
>
> > Hi Adam and John, I understand your concern. Although, collisions
> > are not practical for key derivation functions. There's a long
> > discussion about this subject here[1].
> >
> > Anyways, you can file a Jira as a feature request. If you feel like
> > you would like to attach a PR, better.
> >
> > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
> >
> > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament at gmail.com> wrote:
> >
> >> I deal with similarly concerned customer bases.  I would be happy
> >> to see some of these algorithms added.  +1
> >>
> >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan at findyr.com> wrote:
> >>
> >> > My company has a client whose security prerequisites require us
> >> > to store passwords using SHA-2 or better for the hash (SHA-512
> >> > ideal). We're looking to migrate our user management functions
> >> > to Keycloak, and I noticed that hashing with SHA-1 is the only
> >> > provider out of the box.
> >> >
> >> > I propose adding the following providers (and will be happy to
> >> > contribute!), using the hash functions available in the Java 8
> >> > runtime
> >> > environment:
> >> >
> >> >    1. PBKDF2WithHmacSHA224
> >> >    2. PBKDF2WithHmacSHA256
> >> >    3. PBKDF2WithHmacSHA384
> >> >    4. PBKDF2WithHmacSHA512
> >> >
> >> > I also propose marking the current Pbkdf2PasswordHashProvider as
> >> > deprecated, now that a real SHA-1 hash collision has been
> >> > published by Google Security.
> >> >
> >> > --
> >> > *Adam Kaplan*
> >> > Senior Engineer
> >> > findyr <http://findyr.com/>
> >> > m 914.924.5186 | e akaplan at findyr.com
> >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> >> > _______________________________________________
> >> > keycloak-user mailing list
> >> > keycloak-user at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, which you may review at http://www.amdocs.com/email_disclaimer.asp




--
Adam Kaplan
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 | e akaplan at findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
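An added example, written for this thread and not code from Keycloak or from Adam's feature branch, showing the shape that answers Ori's backward-compatibility question: a provider can offer the PBKDF2WithHmacSHA256/SHA512 variants Adam lists while still verifying credentials that were stored with the SHA-1 variant. Each stored credential records which provider produced it, verification dispatches on that id, and a successful login against a legacy record is the moment to re-hash with the current provider, so no user password has to be reset. The provider ids, the `id$iterations$salt$hash` encoding and the iteration counts are assumptions for illustration only; they are not Keycloak's stored format or its admin settings.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Illustrative PBKDF2 hasher with per-record algorithm tagging (Java 8 JCE only). */
public final class Pbkdf2Migration {

    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 512;
    static final SecureRandom RNG = new SecureRandom();

    // Hypothetical provider ids -> JCE algorithm names from the thread.
    static String jceName(String providerId) {
        switch (providerId) {
            case "pbkdf2":        return "PBKDF2WithHmacSHA1";   // legacy default
            case "pbkdf2-sha256": return "PBKDF2WithHmacSHA256";
            case "pbkdf2-sha512": return "PBKDF2WithHmacSHA512";
            default:              return null;
        }
    }

    static byte[] derive(String jce, char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(jce).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password in the spec
        }
    }

    /** Hash with the named provider; assumed record layout: id$iterations$salt$hash. */
    static String hash(String providerId, char[] password, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String jce = jceName(providerId);
        if (jce == null) throw new IllegalArgumentException("unknown provider " + providerId);
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] dk = derive(jce, password, salt, iterations);
        Base64.Encoder b64 = Base64.getEncoder();
        return providerId + "$" + iterations + "$"
                + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    /** Verify against whatever provider the record says produced it. */
    static boolean verify(char[] password, String stored)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String[] parts = stored.split("\\$");
        if (parts.length != 4) return false;
        String jce = jceName(parts[0]);
        if (jce == null) return false;
        int iterations = Integer.parseInt(parts[1]);
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[2]);
        byte[] expected = b64.decode(parts[3]);
        byte[] actual = derive(jce, password, salt, iterations);
        return MessageDigest.isEqual(expected, actual); // constant-time compare
    }

    /** True when the record was made by an older provider or fewer iterations. */
    static boolean needsRehash(String stored, String currentProviderId, int currentIterations) {
        String[] parts = stored.split("\\$");
        if (parts.length != 4) return true;
        return !parts[0].equals(currentProviderId)
                || Integer.parseInt(parts[1]) < currentIterations;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample
        // Constructed legacy record, as an existing user row would hold it (iterations assumed).
        String legacy = hash("pbkdf2", pw, 20000);
        System.out.println("legacy record verifies: " + verify(pw, legacy));
        System.out.println("needs re-hash:          " + needsRehash(legacy, "pbkdf2-sha256", 27500));
        // On a successful login, upgrade the record in place instead of resetting the password.
        if (verify(pw, legacy) && needsRehash(legacy, "pbkdf2-sha256", 27500)) {
            String upgraded = hash("pbkdf2-sha256", pw, 27500);
            System.out.println("upgraded record verifies: " + verify(pw, upgraded));
            System.out.println("still needs re-hash:      " + needsRehash(upgraded, "pbkdf2-sha256", 27500));
        }
    }
}
```

The design point is that the algorithm choice lives with each credential, not with the class hierarchy: as long as the upgrade keeps emitting and recognising the legacy id and encoding, old rows keep working and are migrated lazily on login, and `needsRehash` is also where a raised iteration count gets applied.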