Re: [keycloak-user] List of supported cryptographic algorithms

Hi Thomas, Thank you for the detailed answer! Is Keycloak supports "improve" of hashing algorithms during a password reset? The use case: Now we use SHA-256 for user passwords. Therefore, during the migration to Keycloak I still need to use SHA-256. But I want to replace hash to PBKDF2. It will be great if during a password reset it will be possible to replace the hash algorithm. ________________________________ From: Thomas Darimont <thomas.darimont(a)googlemail.com&gt; Sent: Wednesday, November 2, 2016 6:11 PM To: Michael Furman Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] List of supported cryptographic algorithms Hello Michael, see: threat-model mitigations https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/top... Password db compromised: https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/top... currently user passwords in Keycloak are by default hashed with PBKDF2WithHmacSHA1 + salt and 20.000 iterations. https://github.com/keycloak/keycloak/blob/fc6d6ff7f7dae7fb25edf052659d18c... https://github.com/keycloak/keycloak/blob/a89dbabc921d841dc943ac3a3388639... [https://avatars0.githubusercontent.com/u/4921466?v=3&s=400]<https:... keycloak/keycloak<https://github.com/keycloak/keycloak/blob/a89dbabc92... github.com keycloak - Open Source Identity and Access Management For Modern Applications and Services You can provide your own hash algorithms via custom extensions, see: PasswordHashProviderFactory, PasswordHashProvider Supported OTP hash algos: SHA1("HmacSHA1"), SHA256("HmacSHA256"), SHA512("HmacSHA512"); OTP secrets are stored by default as HmacSHA1 HmacOTP: https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d... User passwords as well as OTP secrets are stored within the "credentials" table in the Keycloak database (in case of using a RDBMS) via the CredentialEntity. CredentialEntity: https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d... Defaults in code might be overriden with defaults in database-changelog scripts: https://github.com/keycloak/keycloak/tree/1aeec2a83c6677cd7dcfccb6ba2c39d... [https://avatars0.githubusercontent.com/u/4921466?v=3&s=400]<https:... keycloak/keycloak<https://github.com/keycloak/keycloak/tree/1aeec2a83c... github.com keycloak - Open Source Identity and Access Management For Modern Applications and Services Cheers, Thomas 2016-11-02 16:40 GMT+01:00 Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>>: Can somebody point where to find the information? ________________________________ From: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> <keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> on behalf of Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>> Sent: Tuesday, November 1, 2016 10:11 AM To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: [keycloak-user] List of supported cryptographic algorithms Hi all, Where can I find list of supported algorithms used here: http://www.keycloak.org/docs/rest-api/#_credentialrepresentation What is the list of hash algorithms? What is the list of encryption algorithms? Thank you in advance for your help. Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user> lists.jboss.org<http://lists.jboss.org> To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user