If passwords are stored by Keycloak, it remembers the salt and algorithm
used to create the hash for that password. If the policy changes, then
the next password change will use the new algorithm defined.
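The upgrade-on-change behaviour described above, as an added illustration (not Keycloak's own code): each stored credential carries its algorithm, salt and iteration count, verification always uses the parameters stored on the credential, and a password change re-encodes with the current policy, so a legacy salted SHA-256 hash becomes a PBKDF2 hash. Field names, the policy dict and the legacy scheme are assumptions for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class StoredCredential:
    # Constructed stand-in for a credentials-table row; field names are assumed.
    algorithm: str   # "sha256" (legacy import) or "pbkdf2-sha1"
    iterations: int  # 1 for single SHA-256, 20000 for PBKDF2 below
    salt: bytes
    value: bytes


# Current realm policy: the defaults the thread quotes (PBKDF2WithHmacSHA1,
# salted, 20000 iterations). The dict layout is an assumption.
POLICY = {"algorithm": "pbkdf2-sha1", "iterations": 20000}


def hash_password(password: str, algorithm: str, iterations: int, salt: bytes) -> bytes:
    if algorithm == "sha256":  # legacy scheme being migrated away from
        return hashlib.sha256(salt + password.encode()).digest()
    if algorithm == "pbkdf2-sha1":
        return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def encode(password: str, algorithm: str, iterations: int) -> StoredCredential:
    salt = os.urandom(16)  # fresh per-credential salt
    return StoredCredential(algorithm, iterations, salt,
                            hash_password(password, algorithm, iterations, salt))


def verify(password: str, cred: StoredCredential) -> bool:
    # Verify with the parameters remembered on the credential, not the policy,
    # so legacy hashes keep working until the user next changes the password.
    candidate = hash_password(password, cred.algorithm, cred.iterations, cred.salt)
    return hmac.compare_digest(candidate, cred.value)


def meets_policy(cred: StoredCredential) -> bool:
    return cred.algorithm == POLICY["algorithm"] and cred.iterations >= POLICY["iterations"]


def change_password(old: str, new: str, cred: StoredCredential) -> StoredCredential:
    # The new hash is always written with the current policy: this is the
    # point where a SHA-256 credential is upgraded to PBKDF2.
    if not verify(old, cred):
        raise PermissionError("current password does not match")
    return encode(new, POLICY["algorithm"], POLICY["iterations"])
```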
On 11/3/16 7:44 AM, Michael Furman wrote:
Hi Thomas,
Thank you for the detailed answer!
Does Keycloak support "improving" the hashing algorithm during a password reset?
The use case:
Now we use SHA-256 for user passwords.
Therefore, during the migration to Keycloak I still need to use SHA-256.
But I want to replace the hash with PBKDF2.
It would be great if, during a password reset, it were possible to replace the hash algorithm.
________________________________
From: Thomas Darimont <thomas.darimont(a)googlemail.com>
Sent: Wednesday, November 2, 2016 6:11 PM
To: Michael Furman
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] List of supported cryptographic algorithms
Hello Michael,
see: threat-model mitigations
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/top...
Password db compromised:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/top...
Currently, user passwords in Keycloak are by default hashed with PBKDF2WithHmacSHA1 + salt
and 20.000 iterations.
https://github.com/keycloak/keycloak/blob/fc6d6ff7f7dae7fb25edf052659d18c...
https://github.com/keycloak/keycloak/blob/a89dbabc921d841dc943ac3a3388639...
You can provide your own hash algorithms via custom extensions, see:
PasswordHashProviderFactory, PasswordHashProvider
Supported OTP hash algos:
SHA1("HmacSHA1"),
SHA256("HmacSHA256"),
SHA512("HmacSHA512");
OTP secrets are stored by default as HmacSHA1
HmacOTP:
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d...
User passwords as well as OTP secrets are stored within the "credentials" table
in the Keycloak database
(in case of using a RDBMS) via the CredentialEntity.
CredentialEntity:
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d...
Defaults in code might be overridden with defaults in database-changelog scripts:
https://github.com/keycloak/keycloak/tree/1aeec2a83c6677cd7dcfccb6ba2c39d...
Cheers,
Thomas
2016-11-02 16:40 GMT+01:00 Michael Furman <michael_furman@hotmail.com>:
Can somebody point where to find the information?
________________________________
From: keycloak-user-bounces@lists.jboss.org on behalf of Michael Furman <michael_furman@hotmail.com>
Sent: Tuesday, November 1, 2016 10:11 AM
To: keycloak-user@lists.jboss.org
Subject: [keycloak-user] List of supported cryptographic algorithms
Hi all,
Where can I find the list of supported algorithms used here:
http://www.keycloak.org/docs/rest-api/#_credentialrepresentation
What is the list of hash algorithms?
What is the list of encryption algorithms?
Thank you in advance for your help.
Best regards,
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user