[keycloak-user] Submitted Feature: More Secure PassowrdHashProviders
Bruno Oliveira
bruno at abstractj.org
Mon Mar 6 07:08:15 EST 2017
On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen <sthorger at redhat.com> wrote:
> 4 new providers is surely a bit overkill? Isn't 256 and 512 more than
> sufficient?
>
+1
>
> On 2 March 2017 at 15:28, Adam Kaplan <akaplan at findyr.com> wrote:
>
> This is now in the jboss JIRA:
> https://issues.jboss.org/browse/KEYCLOAK-4523
>
> I intend to work on it over the next week or two and submit a PR.
>
> On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno at abstractj.org>
> wrote:
>
> > Hi Adam and John, I understand your concern. Although, collisions are not
> > practical for key derivation functions. There's a long discussion about
> > this subject here[1].
> >
> > Anyways, you can file a Jira as a feature request. If you feel like you
> > would like to attach a PR, better.
> >
> > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
> >
> > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament at gmail.com>
> > wrote:
> >
> >> I deal with similarly concerned customer bases. I would be happy to see
> >> some of these algorithms added. +1
> >>
> >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan at findyr.com> wrote:
> >>
> >> > My company has a client whose security prerequisites require us to
> store
> >> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
> >> looking
> >> > to migrate our user management functions to Keycloak, and I noticed
> that
> >> > hashing with SHA-1 is only provider out of the box.
> >> >
> >> > I propose adding the following providers (and will be happy to
> >> > contribute!), using the hash functions available in the Java 8 runtime
> >> > environment:
> >> >
> >> > 1. PBKDF2WithHmacSHA224
> >> > 2. PBKDF2WithHmacSHA256
> >> > 3. PBKDF2WithHmacSHA384
> >> > 4. PBKDF2WithHmacSHA512
> >> >
> >> > I also propose marking the current Pbkdf2PasswordHashProvider as
> >> > deprecated, now that a real SHA-1 hash collision has been published by
> >> > Google Security.
> >> >
> >> > --
> >> > *Adam Kaplan*
> >> > Senior Engineer
> >> > findyr <http://findyr.com/>
>
> >> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186> <//914.924.5186
> >> <(914)%20924-5186> <(914)%20924-5186>> | e
>
>
> >> > akaplan at findyr.com
> >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> >> > _______________________________________________
> >> > keycloak-user mailing list
> >> > keycloak-user at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> >
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
>
>
>
> --
>
>
> *Adam Kaplan*
> Senior Engineer
> findyr <http://findyr.com/>
>
> m 914.924.5186 <//914.924.5186> | e akaplan at findyr.com
>
>
> WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
More information about the keycloak-user
mailing list