6:55 p.m.
My company has a client whose security prerequisites require us to store
passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking
to migrate our user management functions to Keycloak, and I noticed that
hashing with SHA-1 is only provider out of the box.
I propose adding the following providers (and will be happy to
contribute!), using the hash functions available in the Java 8 runtime
environment:
1. PBKDF2WithHmacSHA224
2. PBKDF2WithHmacSHA256
3. PBKDF2WithHmacSHA384
4. PBKDF2WithHmacSHA512
I also propose marking the current Pbkdf2PasswordHashProvider as
deprecated, now that a real SHA-1 hash collision has been published by
Google Security.
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
7:28 p.m.
I deal with similarly concerned customer bases. I would be happy to see
some of these algorithms added. +1
On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com> wrote:
My company has a client whose security prerequisites require us to
store
passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking
to migrate our user management functions to Keycloak, and I noticed that
hashing with SHA-1 is only provider out of the box.
I propose adding the following providers (and will be happy to
contribute!), using the hash functions available in the Java 8 runtime
environment:
1. PBKDF2WithHmacSHA224
2. PBKDF2WithHmacSHA256
3. PBKDF2WithHmacSHA384
4. PBKDF2WithHmacSHA512
I also propose marking the current Pbkdf2PasswordHashProvider as
deprecated, now that a real SHA-1 hash collision has been published by
Google Security.
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <(914)%20924-5186> <//914.924.5186 <(914)%20924-5186>> |
e
akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:39 a.m.
Hi Adam and John, I understand your concern. Although, collisions are not
practical for key derivation functions. There's a long discussion about
this subject here[1].
Anyways, you can file a Jira as a feature request. If you feel like you
would like to attach a PR, better.
[1] - http://comments.gmane.org/gmane.comp.security.phc/973
On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament(a)gmail.com> wrote:
I deal with similarly concerned customer bases. I would be happy to
see
some of these algorithms added. +1
On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com> wrote:
> My company has a client whose security prerequisites require us to store
> passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
looking
> to migrate our user management functions to Keycloak, and I noticed that
> hashing with SHA-1 is only provider out of the box.
>
> I propose adding the following providers (and will be happy to
> contribute!), using the hash functions available in the Java 8 runtime
> environment:
>
> 1. PBKDF2WithHmacSHA224
> 2. PBKDF2WithHmacSHA256
> 3. PBKDF2WithHmacSHA384
> 4. PBKDF2WithHmacSHA512
>
> I also propose marking the current Pbkdf2PasswordHashProvider as
> deprecated, now that a real SHA-1 hash collision has been published by
> Google Security.
>
> --
> *Adam Kaplan*
> Senior Engineer
> findyr <http://findyr.com/>
> m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186> <//914.924.5186
<(914)%20924-5186> <(914)%20924-5186>> | e
> akaplan(a)findyr.com
> WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2617
days inactive
2618
days old
2 comments
3 participants
participants (3)
-
Adam Kaplan -
Bruno Oliveira -
John D. Ament