8:28 a.m.
This is now in the jboss JIRA: https://issues.jboss.org/browse/KEYCLOAK-4523
I intend to work on it over the next week or two and submit a PR.
On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Hi Adam and John, I understand your concern. Although, collisions are
not
practical for key derivation functions. There's a long discussion about
this subject here[1].
Anyways, you can file a Jira as a feature request. If you feel like you
would like to attach a PR, better.
[1] - http://comments.gmane.org/gmane.comp.security.phc/973
On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament(a)gmail.com>
wrote:
> I deal with similarly concerned customer bases. I would be happy to see
> some of these algorithms added. +1
>
> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com> wrote:
>
> > My company has a client whose security prerequisites require us to store
> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
> looking
> > to migrate our user management functions to Keycloak, and I noticed that
> > hashing with SHA-1 is only provider out of the box.
> >
> > I propose adding the following providers (and will be happy to
> > contribute!), using the hash functions available in the Java 8 runtime
> > environment:
> >
> > 1. PBKDF2WithHmacSHA224
> > 2. PBKDF2WithHmacSHA256
> > 3. PBKDF2WithHmacSHA384
> > 4. PBKDF2WithHmacSHA512
> >
> > I also propose marking the current Pbkdf2PasswordHashProvider as
> > deprecated, now that a real SHA-1 hash collision has been published by
> > Google Security.
> >
> > --
> > *Adam Kaplan*
> > Senior Engineer
> > findyr <http://findyr.com/>
> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186>
<//914.924.5186
> <(914)%20924-5186> <(914)%20924-5186>> | e
> > akaplan(a)findyr.com
> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
5:37 a.m.
4 new providers is surely a bit overkill? Isn't 256 and 512 more than
sufficient?
On 2 March 2017 at 15:28, Adam Kaplan <akaplan(a)findyr.com> wrote:
This is now in the jboss JIRA: https://issues.jboss.org/
browse/KEYCLOAK-4523
I intend to work on it over the next week or two and submit a PR.
On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno(a)abstractj.org>
wrote:
> Hi Adam and John, I understand your concern. Although, collisions are not
> practical for key derivation functions. There's a long discussion about
> this subject here[1].
>
> Anyways, you can file a Jira as a feature request. If you feel like you
> would like to attach a PR, better.
>
> [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>
> On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament(a)gmail.com>
> wrote:
>
>> I deal with similarly concerned customer bases. I would be happy to see
>> some of these algorithms added. +1
>>
>> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com> wrote:
>>
>> > My company has a client whose security prerequisites require us to
store
>> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
>> looking
>> > to migrate our user management functions to Keycloak, and I noticed
that
>> > hashing with SHA-1 is only provider out of the box.
>> >
>> > I propose adding the following providers (and will be happy to
>> > contribute!), using the hash functions available in the Java 8 runtime
>> > environment:
>> >
>> > 1. PBKDF2WithHmacSHA224
>> > 2. PBKDF2WithHmacSHA256
>> > 3. PBKDF2WithHmacSHA384
>> > 4. PBKDF2WithHmacSHA512
>> >
>> > I also propose marking the current Pbkdf2PasswordHashProvider as
>> > deprecated, now that a real SHA-1 hash collision has been published by
>> > Google Security.
>> >
>> > --
>> > *Adam Kaplan*
>> > Senior Engineer
>> > findyr <http://findyr.com/>
>> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186>
<//914.924.5186
>> <(914)%20924-5186> <(914)%20924-5186>> | e
>> > akaplan(a)findyr.com
>> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:08 a.m.
On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen <sthorger(a)redhat.com> wrote:
4 new providers is surely a bit overkill? Isn't 256 and 512 more
than
sufficient?
+1
On 2 March 2017 at 15:28, Adam Kaplan <akaplan(a)findyr.com> wrote:
This is now in the jboss JIRA:
https://issues.jboss.org/browse/KEYCLOAK-4523
I intend to work on it over the next week or two and submit a PR.
On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno(a)abstractj.org>
wrote:
> Hi Adam and John, I understand your concern. Although, collisions are not
> practical for key derivation functions. There's a long discussion about
> this subject here[1].
>
> Anyways, you can file a Jira as a feature request. If you feel like you
> would like to attach a PR, better.
>
> [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>
> On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament(a)gmail.com>
> wrote:
>
>> I deal with similarly concerned customer bases. I would be happy to see
>> some of these algorithms added. +1
>>
>> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com> wrote:
>>
>> > My company has a client whose security prerequisites require us to
store
>> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
>> looking
>> > to migrate our user management functions to Keycloak, and I noticed
that
>> > hashing with SHA-1 is only provider out of the box.
>> >
>> > I propose adding the following providers (and will be happy to
>> > contribute!), using the hash functions available in the Java 8 runtime
>> > environment:
>> >
>> > 1. PBKDF2WithHmacSHA224
>> > 2. PBKDF2WithHmacSHA256
>> > 3. PBKDF2WithHmacSHA384
>> > 4. PBKDF2WithHmacSHA512
>> >
>> > I also propose marking the current Pbkdf2PasswordHashProvider as
>> > deprecated, now that a real SHA-1 hash collision has been published by
>> > Google Security.
>> >
>> > --
>> > *Adam Kaplan*
>> > Senior Engineer
>> > findyr <http://findyr.com/>
>> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186>
<//914.924.5186
>> <(914)%20924-5186> <(914)%20924-5186>> | e
>> > akaplan(a)findyr.com
>> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:54 a.m.
New subject: Submitted Feature: More Secure PassowrdHashProviders
From this discussion I understand that for all realm users, current
password hashing algorithm is using SHA1 before the hashed password is saved to the DB.
Can you please point me to the place in the code where this hashing occurs ?
Thanks.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Bruno Oliveira
Sent: יום ב 06 מרץ 2017 14:08
To: stian(a)redhat.com; Adam Kaplan <akaplan(a)findyr.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders
On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen <sthorger(a)redhat.com> wrote:
4 new providers is surely a bit overkill? Isn't 256 and 512 more
than
sufficient?
+1
On 2 March 2017 at 15:28, Adam Kaplan <akaplan(a)findyr.com> wrote:
This is now in the jboss JIRA:
https://issues.jboss.org/browse/KEYCLOAK-4523
I intend to work on it over the next week or two and submit a PR.
On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno(a)abstractj.org>
wrote:
> Hi Adam and John, I understand your concern. Although, collisions
> are not practical for key derivation functions. There's a long
> discussion about this subject here[1].
>
> Anyways, you can file a Jira as a feature request. If you feel like
> you would like to attach a PR, better.
>
> [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>
> On Wed, Mar 1, 2017 at 3:33 PM John D. Ament
> <john.d.ament(a)gmail.com>
> wrote:
>
>> I deal with similarly concerned customer bases. I would be happy
>> to see some of these algorithms added. +1
>>
>> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com> wrote:
>>
>> > My company has a client whose security prerequisites require us
>> > to
store
>> > passwords using SHA-2 or better for the hash (SHA-512 ideal).
>> > We're
>> looking
>> > to migrate our user management functions to Keycloak, and I
>> > noticed
that
>> > hashing with SHA-1 is only provider out of the box.
>> >
>> > I propose adding the following providers (and will be happy to
>> > contribute!), using the hash functions available in the Java 8
>> > runtime
>> > environment:
>> >
>> > 1. PBKDF2WithHmacSHA224
>> > 2. PBKDF2WithHmacSHA256
>> > 3. PBKDF2WithHmacSHA384
>> > 4. PBKDF2WithHmacSHA512
>> >
>> > I also propose marking the current Pbkdf2PasswordHashProvider as
>> > deprecated, now that a real SHA-1 hash collision has been
>> > published by Google Security.
>> >
>> > --
>> > *Adam Kaplan*
>> > Senior Engineer
>> > findyr <http://findyr.com/>
>> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186>
>> > <//914.924.5186
>> <(914)%20924-5186> <(914)%20924-5186>> | e
>> > akaplan(a)findyr.com
>> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
This message and the information contained herein is proprietary and confidential and
subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
7:24 a.m.
Search for usage of the class PasswordHashProvider
On 9 March 2017 at 12:54, Ori Doolman <Ori.Doolman(a)amdocs.com> wrote:
From this discussion I understand that for all realm users, current
password hashing algorithm is using SHA1 before the hashed password is
saved to the DB.
Can you please point me to the place in the code where this hashing occurs
?
Thanks.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@
lists.jboss.org] On Behalf Of Bruno Oliveira
Sent: יום ב 06 מרץ 2017 14:08
To: stian(a)redhat.com; Adam Kaplan <akaplan(a)findyr.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Submitted Feature: More Secure
PassowrdHashProviders
On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> 4 new providers is surely a bit overkill? Isn't 256 and 512 more than
> sufficient?
>
+1
>
> On 2 March 2017 at 15:28, Adam Kaplan <akaplan(a)findyr.com> wrote:
>
> This is now in the jboss JIRA:
> https://issues.jboss.org/browse/KEYCLOAK-4523
>
> I intend to work on it over the next week or two and submit a PR.
>
> On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
>
> > Hi Adam and John, I understand your concern. Although, collisions
> > are not practical for key derivation functions. There's a long
> > discussion about this subject here[1].
> >
> > Anyways, you can file a Jira as a feature request. If you feel like
> > you would like to attach a PR, better.
> >
> > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
> >
> > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament
> > <john.d.ament(a)gmail.com>
> > wrote:
> >
> >> I deal with similarly concerned customer bases. I would be happy
> >> to see some of these algorithms added. +1
> >>
> >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com>
wrote:
> >>
> >> > My company has a client whose security prerequisites require us
> >> > to
> store
> >> > passwords using SHA-2 or better for the hash (SHA-512 ideal).
> >> > We're
> >> looking
> >> > to migrate our user management functions to Keycloak, and I
> >> > noticed
> that
> >> > hashing with SHA-1 is only provider out of the box.
> >> >
> >> > I propose adding the following providers (and will be happy to
> >> > contribute!), using the hash functions available in the Java 8
> >> > runtime
> >> > environment:
> >> >
> >> > 1. PBKDF2WithHmacSHA224
> >> > 2. PBKDF2WithHmacSHA256
> >> > 3. PBKDF2WithHmacSHA384
> >> > 4. PBKDF2WithHmacSHA512
> >> >
> >> > I also propose marking the current Pbkdf2PasswordHashProvider as
> >> > deprecated, now that a real SHA-1 hash collision has been
> >> > published by Google Security.
> >> >
> >> > --
> >> > *Adam Kaplan*
> >> > Senior Engineer
> >> > findyr <http://findyr.com/>
>
> >> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186>
> >> > <//914.924.5186
> >> <(914)%20924-5186> <(914)%20924-5186>> | e
>
>
> >> > akaplan(a)findyr.com
> >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> >> > _______________________________________________
> >> > keycloak-user mailing list
> >> > keycloak-user(a)lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> >
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
>
>
>
> --
>
>
> *Adam Kaplan*
> Senior Engineer
> findyr <http://findyr.com/>
>
> m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
>
>
> WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
This message and the information contained herein is proprietary and
confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
11:15 a.m.
I'd agree with 4 being overkill - I just listed what was available in in
the JRE.
I started down the path of implementing - feature branch is here:
https://github.com/adambkaplan/keycloak/tree/feature/KEYCLOAK-4523
On Thu, Mar 9, 2017 at 8:24 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Search for usage of the class PasswordHashProvider
On 9 March 2017 at 12:54, Ori Doolman <Ori.Doolman(a)amdocs.com> wrote:
> From this discussion I understand that for all realm users, current
> password hashing algorithm is using SHA1 before the hashed password is
> saved to the DB.
>
> Can you please point me to the place in the code where this hashing
> occurs ?
>
> Thanks.
>
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org [mailto:
> keycloak-user-bounces(a)lists.jboss.org] On Behalf Of Bruno Oliveira
> Sent: יום ב 06 מרץ 2017 14:08
> To: stian(a)redhat.com; Adam Kaplan <akaplan(a)findyr.com>
> Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
> Subject: Re: [keycloak-user] Submitted Feature: More Secure
> PassowrdHashProviders
>
> On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
> > 4 new providers is surely a bit overkill? Isn't 256 and 512 more than
> > sufficient?
> >
>
> +1
>
>
> >
> > On 2 March 2017 at 15:28, Adam Kaplan <akaplan(a)findyr.com> wrote:
> >
> > This is now in the jboss JIRA:
> > https://issues.jboss.org/browse/KEYCLOAK-4523
> >
> > I intend to work on it over the next week or two and submit a PR.
> >
> > On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno(a)abstractj.org>
> > wrote:
> >
> > > Hi Adam and John, I understand your concern. Although, collisions
> > > are not practical for key derivation functions. There's a long
> > > discussion about this subject here[1].
> > >
> > > Anyways, you can file a Jira as a feature request. If you feel like
> > > you would like to attach a PR, better.
> > >
> > > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
> > >
> > > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament
> > > <john.d.ament(a)gmail.com>
> > > wrote:
> > >
> > >> I deal with similarly concerned customer bases. I would be happy
> > >> to see some of these algorithms added. +1
> > >>
> > >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com>
> wrote:
> > >>
> > >> > My company has a client whose security prerequisites require us
> > >> > to
> > store
> > >> > passwords using SHA-2 or better for the hash (SHA-512 ideal).
> > >> > We're
> > >> looking
> > >> > to migrate our user management functions to Keycloak, and I
> > >> > noticed
> > that
> > >> > hashing with SHA-1 is only provider out of the box.
> > >> >
> > >> > I propose adding the following providers (and will be happy to
> > >> > contribute!), using the hash functions available in the Java 8
> > >> > runtime
> > >> > environment:
> > >> >
> > >> > 1. PBKDF2WithHmacSHA224
> > >> > 2. PBKDF2WithHmacSHA256
> > >> > 3. PBKDF2WithHmacSHA384
> > >> > 4. PBKDF2WithHmacSHA512
> > >> >
> > >> > I also propose marking the current Pbkdf2PasswordHashProvider as
> > >> > deprecated, now that a real SHA-1 hash collision has been
> > >> > published by Google Security.
> > >> >
> > >> > --
> > >> > *Adam Kaplan*
> > >> > Senior Engineer
> > >> > findyr <http://findyr.com/>
> >
> > >> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186>
> > >> > <//914.924.5186
> > >> <(914)%20924-5186> <(914)%20924-5186>> | e
> >
> >
> > >> > akaplan(a)findyr.com
> > >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> > >> > _______________________________________________
> > >> > keycloak-user mailing list
> > >> > keycloak-user(a)lists.jboss.org
> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >> >
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user(a)lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>
> > >
> >
> >
> >
> > --
> >
> >
> > *Adam Kaplan*
> > Senior Engineer
> > findyr <http://findyr.com/>
> >
> > m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
> >
> >
> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> This message and the information contained herein is proprietary and
> confidential and subject to the Amdocs policy statement,
>
> you may review at http://www.amdocs.com/email_disclaimer.asp
>
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
4:51 a.m.
Adam,
From this code change:
-spi-private/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java<https://github.com/keycloak/keycloak/compare/master...adambkaplan:feature/KEYCLOAK-4523?diff=unified&expand=1&name=feature%2FKEYCLOAK-4523#diff-6bd4fe1e1352335e9875f74a54373b57>
:
-public class Pbkdf2PasswordHashProvider implements PasswordHashProviderFactory,
PasswordHashProvider {
+public class Pbkdf2PasswordHashProvider extends APbkdf2PasswordHashProvider implements
PasswordHashProviderFactory {
I am concerned that backward compatibility is not maintained, and I would have to replace
all active user passwords after upgrade. Is that correct?
Also, where do I set the SHA-256 option eventually? Do I control it from the Admin Console
UI?
Thanks,
Ori.
From: Adam Kaplan [mailto:akaplan@findyr.com]
Sent: יום ה 09 מרץ 2017 19:15
To: stian(a)redhat.com
Cc: Ori Doolman <Ori.Doolman(a)Amdocs.com>; Bruno Oliveira
<bruno(a)abstractj.org>; keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders
I'd agree with 4 being overkill - I just listed what was available in in the JRE.
I started down the path of implementing - feature branch is here:
https://github.com/adambkaplan/keycloak/tree/feature/KEYCLOAK-4523
On Thu, Mar 9, 2017 at 8:24 AM, Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote:
Search for usage of the class PasswordHashProvider
On 9 March 2017 at 12:54, Ori Doolman
<Ori.Doolman@amdocs.com<mailto:Ori.Doolman@amdocs.com>> wrote:
From this discussion I understand that for all realm users, current password hashing
algorithm is using SHA1 before the hashed password is saved to the DB.
Can you please point me to the place in the code where this hashing occurs ?
Thanks.
-----Original Message-----
From:
keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>
[mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>]
On Behalf Of Bruno Oliveira
Sent: יום ב 06 מרץ 2017 14:08
To: stian@redhat.com<mailto:stian@redhat.com>; Adam Kaplan
<akaplan@findyr.com<mailto:akaplan@findyr.com>>
Cc: keycloak-user
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders
On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote:
4 new providers is surely a bit overkill? Isn't 256 and 512 more
than
sufficient?
+1
On 2 March 2017 at 15:28, Adam Kaplan
<akaplan@findyr.com<mailto:akaplan@findyr.com>> wrote:
This is now in the jboss JIRA:
https://issues.jboss.org/browse/KEYCLOAK-4523
I intend to work on it over the next week or two and submit a PR.
On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira
<bruno@abstractj.org<mailto:bruno@abstractj.org>>
wrote:
> Hi Adam and John, I understand your concern. Although, collisions
> are not practical for key derivation functions. There's a long
> discussion about this subject here[1].
>
> Anyways, you can file a Jira as a feature request. If you feel like
> you would like to attach a PR, better.
>
> [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>
> On Wed, Mar 1, 2017 at 3:33 PM John D. Ament
> <john.d.ament@gmail.com<mailto:john.d.ament@gmail.com>>
> wrote:
>
>> I deal with similarly concerned customer bases. I would be happy
>> to see some of these algorithms added. +1
>>
>> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan
<akaplan@findyr.com<mailto:akaplan@findyr.com>> wrote:
>>
>> > My company has a client whose security prerequisites require us
>> > to
store
>> > passwords using SHA-2 or better for the hash (SHA-512 ideal).
>> > We're
>> looking
>> > to migrate our user management functions to Keycloak, and I
>> > noticed
that
>> > hashing with SHA-1 is only provider out of the box.
>> >
>> > I propose adding the following providers (and will be happy to
>> > contribute!), using the hash functions available in the Java 8
>> > runtime
>> > environment:
>> >
>> > 1. PBKDF2WithHmacSHA224
>> > 2. PBKDF2WithHmacSHA256
>> > 3. PBKDF2WithHmacSHA384
>> > 4. PBKDF2WithHmacSHA512
>> >
>> > I also propose marking the current Pbkdf2PasswordHashProvider as
>> > deprecated, now that a real SHA-1 hash collision has been
>> > published by Google Security.
>> >
>> > --
>> > *Adam Kaplan*
>> > Senior Engineer
>> > findyr <http://findyr.com/>
>> > m 914.924.5186<tel:914.924.5186> <(914)%20924-5186>
<(914)%20924-5186>
>> > <//914.924.5186<tel:914.924.5186>
>> <(914)%20924-5186> <(914)%20924-5186>> | e
>> > akaplan@findyr.com<mailto:akaplan@findyr.com>
>> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186<tel:914.924.5186> <//914.924.5186<tel:914.924.5186>> | e
akaplan@findyr.com<mailto:akaplan@findyr.com>
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
This message and the information contained herein is proprietary and confidential and
subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
--
Adam Kaplan
Senior Engineer
findyr<http://findyr.com/>
m 914.924.5186<tel://914.924.5186> | e
akaplan@findyr.com<mailto:akaplan@findyr.com>
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
This message and the information contained herein is proprietary and confidential and
subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
2848
days inactive
2859
days old
6 comments
4 participants
participants (4)
-
Adam Kaplan -
Bruno Oliveira -
Ori Doolman -
Stian Thorgersen