[keycloak-user] List of supported cryptographic algorithms

Bill Burke bburke at redhat.com
Thu Nov 3 10:10:22 EDT 2016


If passwords are stored by Keycloak, it remembers the salt and algorithm 
used to create the hash for that password.  If the policy changes, then 
the next password change will use the new algorithm defined.


On 11/3/16 7:44 AM, Michael Furman wrote:
> Hi Thomas,
> Thank you for the detailed answer!
> Does Keycloak support "improving" the hashing algorithm during a password reset?
> The use case:
> Now we use SHA-256 for user passwords.
> Therefore, during the migration to Keycloak I still need to use SHA-256.
> But I want to replace the hash with PBKDF2.
>
> It will be great if during a password reset it will be possible to replace the hash algorithm.
>
>
> ________________________________
> From: Thomas Darimont <thomas.darimont at googlemail.com>
> Sent: Wednesday, November 2, 2016 6:11 PM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] List of supported cryptographic algorithms
>
> Hello Michael,
>
> see: threat-model mitigations
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat.html
>
> Password db compromised:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat/password-db-compromised.html
>
>
> Currently user passwords in Keycloak are by default hashed with PBKDF2WithHmacSHA1 + salt and 20,000 iterations.
>
> https://github.com/keycloak/keycloak/blob/fc6d6ff7f7dae7fb25edf052659d18cd8de55a5f/server-spi/src/main/java/org/keycloak/policy/HashAlgorithmPasswordPolicyProviderFactory.java#L31
> https://github.com/keycloak/keycloak/blob/a89dbabc921d841dc943ac3a33886396bb13781b/server-spi/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java
>
>
> You can provide your own hash algorithms via custom extensions, see: PasswordHashProviderFactory, PasswordHashProvider
>
> Supported OTP hash algos:
> SHA1("HmacSHA1"),
> SHA256("HmacSHA256"),
> SHA512("HmacSHA512");
>
> OTP secrets are stored by default as HmacSHA1
>
> HmacOTP:
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/server-spi/src/main/java/org/keycloak/models/utils/HmacOTP.java#L33
>
> User passwords as well as OTP secrets are stored within the "credentials" table in the Keycloak database
> (in case of using a RDBMS) via the CredentialEntity.
>
> CredentialEntity:
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java#L50
>
> Defaults in code might be overridden by defaults in database-changelog scripts:
> https://github.com/keycloak/keycloak/tree/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/resources/META-INF
>
>
> Cheers,
> Thomas
>
> 2016-11-02 16:40 GMT+01:00 Michael Furman <michael_furman at hotmail.com>:
> Can somebody point out where to find the information?
>
>
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Michael Furman <michael_furman at hotmail.com>
> Sent: Tuesday, November 1, 2016 10:11 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] List of supported cryptographic algorithms
>
> Hi all,
> Where can I find the list of supported algorithms used here:
> http://www.keycloak.org/docs/rest-api/#_credentialrepresentation
> What is the list of hash algorithms?
> What is the list of encryption algorithms?
> Thank you in advance for your help.
> Best regards,
>     Michael
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
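The mechanism Bill describes (each stored credential carries its own algorithm, salt and iteration count, and a password change re-hashes under whatever the policy currently says) is easy to get wrong if verification consults the policy instead of the record. The following Python sketch is an added illustration, not Keycloak's code: it models Michael's migration case with a legacy salted-SHA-256 record that keeps verifying after import and is silently upgraded to the PBKDF2-HMAC-SHA1 / 20,000-iteration default Thomas quotes on the next password change. The record and policy field names, the `salted-sha256` legacy scheme (one SHA-256 over salt || password) and the `import_legacy_sha256` helper are assumptions for the example; Keycloak's real `CredentialEntity` and `PasswordHashProvider` interfaces are in the links above.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


# Hypothetical policy object: the algorithm and cost that NEW hashes must use.
# Defaults mirror the Keycloak default quoted in the thread (PBKDF2-HMAC-SHA1, 20,000 iterations).
@dataclass(frozen=True)
class HashPolicy:
    algorithm: str = "pbkdf2-sha1"
    iterations: int = 20000


# Hypothetical credential record. Verification reads algorithm/salt/iterations
# from the record itself, so old hashes keep working after the policy changes.
@dataclass(frozen=True)
class CredentialRecord:
    algorithm: str
    salt: bytes
    iterations: int
    digest: bytes


def compute_hash(algorithm: str, password: str, salt: bytes, iterations: int) -> bytes:
    """Dispatch on the algorithm name stored in the record."""
    pw = password.encode("utf-8")
    if algorithm == "salted-sha256":
        # Assumed legacy scheme for the migrated user store: single SHA-256 over salt || password.
        # Iterations are ignored; the value 1 is stored for documentation only.
        return hashlib.sha256(salt + pw).digest()
    if algorithm.startswith("pbkdf2-"):
        prf = algorithm[len("pbkdf2-"):]  # "sha1", "sha256" or "sha512"
        return hashlib.pbkdf2_hmac(prf, pw, salt, iterations)
    raise ValueError(f"unsupported hash algorithm: {algorithm}")


def import_legacy_sha256(salt: bytes, digest: bytes) -> CredentialRecord:
    """Wrap an existing salted-SHA-256 hash (salt and digest exported from the old system)."""
    return CredentialRecord("salted-sha256", salt, 1, digest)


def hash_password(password: str, policy: HashPolicy, salt: Optional[bytes] = None) -> CredentialRecord:
    """Create a fresh record under the current policy with a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = compute_hash(policy.algorithm, password, salt, policy.iterations)
    return CredentialRecord(policy.algorithm, salt, policy.iterations, digest)


def verify_password(record: CredentialRecord, password: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    candidate = compute_hash(record.algorithm, password, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)


def needs_upgrade(record: CredentialRecord, policy: HashPolicy) -> bool:
    """True when the stored hash is weaker than what the policy now demands."""
    return record.algorithm != policy.algorithm or record.iterations < policy.iterations


def change_password(record: CredentialRecord, old_password: str,
                    new_password: str, policy: HashPolicy) -> Optional[CredentialRecord]:
    """Verify the old password against the OLD record, then hash the new one under the
    CURRENT policy. Returns the replacement record, or None if the old password is wrong."""
    if not verify_password(record, old_password):
        return None
    return hash_password(new_password, policy)


if __name__ == "__main__":
    # Constructed migration scenario: a user whose hash was exported from a salted-SHA-256 store.
    legacy_salt = b"\x01" * 16
    legacy = import_legacy_sha256(legacy_salt, compute_hash("salted-sha256", "correct horse", legacy_salt, 1))
    print("legacy verifies:", verify_password(legacy, "correct horse"))
    print("legacy needs upgrade:", needs_upgrade(legacy, HashPolicy()))
    upgraded = change_password(legacy, "correct horse", "battery staple", HashPolicy())
    print("after change:", upgraded.algorithm, upgraded.iterations, needs_upgrade(upgraded, HashPolicy()))
```

Because `verify_password` never consults `HashPolicy`, raising the iteration count or switching the PRF in the policy cannot lock anyone out; the weaker records simply remain until each user's next password change, which `needs_upgrade` lets you report on (for example, to nudge users with stale hashes).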
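Thomas's list of OTP hash algorithms (`HmacSHA1`, `HmacSHA256`, `HmacSHA512`) names the HMAC used inside HOTP (RFC 4226); the rest of the algorithm, dynamic truncation to a short decimal code, is the same for all three. The following is an added Python example, not code from Keycloak's `HmacOTP` class: it maps the three JCA names onto Python's `hmac` digest names (that mapping is an assumption of the example), generates HOTP codes, and verifies a submitted code against a stored counter with a small look-ahead window so that a skipped code on the client does not permanently desynchronise the user. The window size and the `verify_hotp` contract are choices of this example, not Keycloak's.

```python
import hmac

# JCA algorithm name (as in the thread) -> Python hmac digest name. Assumed mapping for this example.
SUPPORTED_OTP_HASHES = {"HmacSHA1": "sha1", "HmacSHA256": "sha256", "HmacSHA512": "sha512"}


def hotp(secret: bytes, counter: int, hash_name: str = "HmacSHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = SUPPORTED_OTP_HASHES[hash_name]  # KeyError for anything not in the supported list
    mac = hmac.new(secret, counter.to_bytes(8, "big"), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, code: str,
                hash_name: str = "HmacSHA1", look_ahead: int = 5) -> "int | None":
    """Accept a code for counter values stored_counter .. stored_counter + look_ahead.
    Returns the counter value the server must store next (matched counter + 1), or None.
    Moving the counter forward on success is what prevents replay of an accepted code."""
    for candidate in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, hash_name), code):
            return candidate + 1
    return None


if __name__ == "__main__":
    # Constructed input: the RFC 4226 reference secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    for c in range(3):
        print(c, hotp(secret, c))
    for name in SUPPORTED_OTP_HASHES:
        print(name, hotp(secret, 0, name))
    print("resync:", verify_hotp(secret, 0, hotp(secret, 2)))
```

A rejected code should be logged with the user and counter but never with the secret; and because `verify_hotp` returns the next counter rather than a bare boolean, the caller cannot forget to advance it, which is the failure mode that lets an accepted HOTP code be replayed.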


