[keycloak-user] List of supported cryptographic algorithms

Michael Furman michael_furman at hotmail.com
Thu Nov 3 07:44:23 EDT 2016


Hi Thomas,
Thank you for the detailed answer!
Does Keycloak support "improving" the hashing algorithm during a password reset?
The use case:
Now we use SHA-256 for user passwords.
Therefore, during the migration to Keycloak I still need to use SHA-256.
But I want to replace the hash with PBKDF2.

It would be great if, during a password reset, it were possible to replace the hash algorithm.


________________________________
From: Thomas Darimont <thomas.darimont at googlemail.com>
Sent: Wednesday, November 2, 2016 6:11 PM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] List of supported cryptographic algorithms

Hello Michael,

see: threat-model mitigations
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat.html

Password db compromised:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat/password-db-compromised.html


Currently, user passwords in Keycloak are by default hashed with PBKDF2WithHmacSHA1 + salt and 20,000 iterations.

https://github.com/keycloak/keycloak/blob/fc6d6ff7f7dae7fb25edf052659d18cd8de55a5f/server-spi/src/main/java/org/keycloak/policy/HashAlgorithmPasswordPolicyProviderFactory.java#L31
https://github.com/keycloak/keycloak/blob/a89dbabc921d841dc943ac3a33886396bb13781b/server-spi/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java


You can provide your own hash algorithms via custom extensions, see: PasswordHashProviderFactory, PasswordHashProvider

Supported OTP hash algos:
SHA1("HmacSHA1"),
SHA256("HmacSHA256"),
SHA512("HmacSHA512");

OTP secrets are stored by default as HmacSHA1

HmacOTP:
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/server-spi/src/main/java/org/keycloak/models/utils/HmacOTP.java#L33

User passwords as well as OTP secrets are stored within the "credentials" table in the Keycloak database
(in case of using an RDBMS) via the CredentialEntity.

CredentialEntity:
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java#L50

Defaults in code might be overridden with defaults in database-changelog scripts:
https://github.com/keycloak/keycloak/tree/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/resources/META-INF


Cheers,
Thomas
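The migration Michael asks about above (verifying a legacy SHA-256 hash, then re-storing the password under the PBKDF2 defaults Thomas describes) can be done outside Keycloak's own code as a verify-then-rehash step. The block below is an added example, not Keycloak code: the credential record shape, the unsalted legacy SHA-256 scheme, the 16-byte salt and 64-byte derived key are all assumptions; only "PBKDF2WithHmacSHA1 + salt and 20,000 iterations" comes from the thread.

```python
import base64
import hashlib
import hmac
import os

# Target scheme, as described in the thread: PBKDF2 with HMAC-SHA1, random salt, 20,000 iterations.
PBKDF2_PRF = "sha1"
PBKDF2_ITERATIONS = 20000
SALT_BYTES = 16      # assumption, not taken from the thread
DERIVED_KEY_BYTES = 64  # assumption, not taken from the thread


def legacy_sha256(password: str) -> str:
    """Constructed stand-in for the pre-migration scheme: unsalted SHA-256 hex digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: bytes = None) -> dict:
    """Build a credential record in the target scheme (record keys are an assumption)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PBKDF2_PRF, password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=DERIVED_KEY_BYTES)
    return {"algorithm": "pbkdf2", "hashIterations": PBKDF2_ITERATIONS,
            "salt": base64.b64encode(salt).decode("ascii"),
            "value": base64.b64encode(dk).decode("ascii")}


def verify(record: dict, password: str) -> bool:
    """Check a password against whichever scheme the record was stored under."""
    if record["algorithm"] == "sha256-legacy":
        return hmac.compare_digest(record["value"], legacy_sha256(password))
    if record["algorithm"] == "pbkdf2":
        salt = base64.b64decode(record["salt"])
        dk = hashlib.pbkdf2_hmac(PBKDF2_PRF, password.encode("utf-8"), salt,
                                 record["hashIterations"], dklen=DERIVED_KEY_BYTES)
        return hmac.compare_digest(base64.b64decode(record["value"]), dk)
    raise ValueError("unknown algorithm: %r" % record["algorithm"])


def verify_and_upgrade(record: dict, password: str):
    """Verify; on success, if the stored scheme is not the target, return a rehashed record.

    The plaintext is only available while the user authenticates or resets the
    password, so that is the only moment a stronger hash can be produced.
    """
    ok = verify(record, password)
    if ok and record["algorithm"] != "pbkdf2":
        return True, pbkdf2_record(password)
    return ok, record
```

On a password reset the new plaintext is known, so the caller stores `pbkdf2_record(new_password)` directly; the upgrade path in `verify_and_upgrade` covers users who log in without ever resetting.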

2016-11-02 16:40 GMT+01:00 Michael Furman <michael_furman at hotmail.com>:
Can somebody point where to find the information?



________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Michael Furman <michael_furman at hotmail.com>
Sent: Tuesday, November 1, 2016 10:11 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] List of supported cryptographic algorithms

Hi all,
Where can I find a list of the supported algorithms used here:
http://www.keycloak.org/docs/rest-api/#_credentialrepresentation
What is the list of hash algorithms?
What is the list of encryption algorithms?
Thank you in advance for your help.
Best regards,
   Michael
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user




