[keycloak-user] Proposal: More Secure PasswordHashProviders

Bruno Oliveira bruno at abstractj.org
Thu Mar 2 04:39:44 EST 2017


Hi Adam and John, I understand your concern. However, collisions are not
practical for key derivation functions. There's a long discussion about
this subject here[1].

Anyway, you can file a Jira as a feature request. If you feel like you
would like to attach a PR, even better.

[1] - http://comments.gmane.org/gmane.comp.security.phc/973

On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament at gmail.com> wrote:

> I deal with similarly concerned customer bases.  I would be happy to see
> some of these algorithms added.  +1
>
> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan at findyr.com> wrote:
>
> > My company has a client whose security prerequisites require us to store
> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
> looking
> > to migrate our user management functions to Keycloak, and I noticed that
> > hashing with SHA-1 is the only provider out of the box.
> >
> > I propose adding the following providers (and will be happy to
> > contribute!), using the hash functions available in the Java 8 runtime
> > environment:
> >
> >    1. PBKDF2WithHmacSHA224
> >    2. PBKDF2WithHmacSHA256
> >    3. PBKDF2WithHmacSHA384
> >    4. PBKDF2WithHmacSHA512
> >
> > I also propose marking the current Pbkdf2PasswordHashProvider as
> > deprecated, now that a real SHA-1 hash collision has been published by
> > Google Security.
> >
> > --
> > *Adam Kaplan*
> > Senior Engineer
> > findyr <http://findyr.com/>
> > m 914.924.5186 | e akaplan at findyr.com
> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
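As an added, stand-alone example (not Keycloak code and not from anyone in the thread): the four JCE algorithm names Adam lists, driven through `javax.crypto.SecretKeyFactory` as shipped in the Java 8 runtime. The algorithm name, iteration count and salt are stored next to the hash so that a record written by one provider can still be verified after the default provider changes, which is what a migration away from the SHA-1 provider needs. The `algorithm$iterations$salt$hash` record format, the 16-byte salt, the 20000 iteration count and the class name are assumptions for this demo, not anything Keycloak defines.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Demo of PBKDF2 with the HMAC-SHA-2 PRFs available in Java 8's SunJCE.
 * Hypothetical stand-alone code; the record format
 * "algorithm$iterations$base64(salt)$base64(hash)" is invented for the demo.
 */
public class Pbkdf2Demo {
    // Exactly the algorithm names proposed in the thread; all resolve on Java 8.
    static final String[] ALGORITHMS = {
        "PBKDF2WithHmacSHA224", "PBKDF2WithHmacSHA256",
        "PBKDF2WithHmacSHA384", "PBKDF2WithHmacSHA512"
    };
    static final int SALT_BYTES = 16;          // assumption: 128-bit random salt
    static final int DEMO_ITERATIONS = 20000;  // assumption: demo value, tune for your hardware
    static final SecureRandom RNG = new SecureRandom();

    /**
     * Derived-key length in bits, taken from the SHA-2 suffix (224/256/384/512).
     * Keep it equal to one PRF output: asking PBKDF2 for more than one block
     * costs the defender extra work while an attacker only needs the first
     * block to test a candidate password.
     */
    static int derivedKeyBits(String algorithm) {
        return Integer.parseInt(algorithm.substring(algorithm.lastIndexOf("SHA") + 3));
    }

    static byte[] derive(String algorithm, char[] password, byte[] salt, int iterations)
            throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, derivedKeyBits(algorithm));
        SecretKeyFactory factory = SecretKeyFactory.getInstance(algorithm);
        return factory.generateSecret(spec).getEncoded();
    }

    /** Hash a password with a fresh salt and return the self-describing record. */
    static String encode(String algorithm, char[] password, int iterations) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = derive(algorithm, password, salt, iterations);
        Base64.Encoder b64 = Base64.getEncoder();
        return algorithm + "$" + iterations + "$"
             + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    /**
     * Verify against a stored record. The algorithm and iteration count come
     * from the record, so old and new records can coexist during a migration.
     */
    static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 4) {
            return false;
        }
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] expected = b64.decode(parts[3]);
        byte[] actual = derive(parts[0], password, b64.decode(parts[2]),
                               Integer.parseInt(parts[1]));
        // MessageDigest.isEqual compares in constant time; Arrays.equals short-circuits.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();  // constructed sample input
        char[] wrong = "correct horse battery stapler".toCharArray();
        for (String alg : ALGORITHMS) {
            String stored = encode(alg, pw, DEMO_ITERATIONS);
            System.out.println(stored);
            System.out.println("  verify(correct) = " + verify(pw, stored)
                             + ", verify(wrong) = " + verify(wrong, stored));
        }
    }
}
```

Compile and run with `javac Pbkdf2Demo.java && java Pbkdf2Demo` on a Java 8 JDK; each line should verify true for the correct password and false for the near miss. Because the record names its own algorithm, a deployment can switch the default to a SHA-2 PRF and re-hash each user on their next successful login rather than invalidating existing credentials.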

