This topic contains 5 replies, has 3 voices, and was last updated by Ludo 2 months, 2 weeks ago.

  • #23252
     pbrendt 
    Participant

    Hi,

    Is there a way to configure the salt and hash size (number of bytes) for the PBKDF2 password scheme? E.g. a 16-byte salt and a 32-byte hash. Or is there a custom plugin available which addresses this?

    KR
    Peter

    #23253
     Chris Ridd 
    Participant

    Hi, unfortunately no – PBKDF2 will always create new values with a fixed size salt and hash (8 and 20)

    However it looks like it is able to compare passwords with values that have longer salts, if that helps.

    The PKCS5S2 scheme uses a longer salt and hash (16 and 32) but does not have configurable iterations. Maybe that’s another option for you.

    #23254
     pbrendt 
    Participant

    Hi Chris,

    Customer is using a 16-byte salt, 32-byte hash and 1000 iterations. So with option 1 I am hit with the salt and hash size. I thought about option 2 as well, but there I cannot configure the iterations.
    Is the source code for the PBKDF2 storage scheme available so we can write a custom scheme?

    #23256
     Ludo 
    Moderator

    Which version of OpenDJ/Directory Services are you using?
    The storage schemes are depending on the Server’s APIs and thus are specific to a version.
    Note that the PBKDF2 storage scheme has a number of parameters that are implicit (such as hash length) and algorithm used (HMAC-SHA1). If you’re writing a custom storage scheme with different implicit parameters, you should create a new scheme (i.e. have a different {PREFIX}), so that there is no confusion about the value of stored passwords.
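
    The two points made above, Chris's (the {PBKDF2} scheme derives a fixed 20-byte HMAC-SHA1 hash from a fixed 8-byte salt, but verification still works against stored values with a longer salt) and Ludo's (hash length and algorithm are implicit in the scheme prefix, so a scheme with different implicit parameters needs its own prefix), can be made concrete with a small model. The following is an added example, not code from this thread or from OpenDJ/DS. The storage layout it assumes, `{PREFIX}iterations:base64(hash || salt)` with the salt being whatever bytes follow the fixed-length hash, the default iteration count, and the second prefix `PBKDF2-HS256` are assumptions made here for illustration only.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Implicit parameters per scheme prefix. "PBKDF2" mirrors what the thread
# describes (HMAC-SHA1, 20-byte hash, 8-byte salt). "PBKDF2-HS256" is a
# hypothetical prefix for the 16-byte salt / 32-byte hash the customer uses;
# it exists only to illustrate why a new prefix is needed.
SCHEMES = {
    "PBKDF2": {"hash": "sha1", "dk_len": 20, "salt_len": 8},
    "PBKDF2-HS256": {"hash": "sha256", "dk_len": 32, "salt_len": 16},
}


def encode_with(prefix: str, hash_name: str, dk_len: int, salt: bytes,
                iterations: int, password: str) -> str:
    """Build a stored value with explicit parameters.

    Assumed layout (not taken from the thread): {PREFIX}iterations:base64(hash || salt).
    Exposed separately so a mismatched value (e.g. a 32-byte hash under the
    {PBKDF2} prefix) can be constructed to show how verification reacts.
    """
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                             iterations, dklen=dk_len)
    blob = base64.b64encode(dk + salt).decode("ascii")
    return "{%s}%d:%s" % (prefix, iterations, blob)


def encode_password(password: str, prefix: str = "PBKDF2",
                    iterations: int = 10000, salt: Optional[bytes] = None) -> str:
    """Encode using the implicit parameters bound to the prefix.

    The salt is random unless supplied (tests supply a fixed one).
    """
    params = SCHEMES[prefix]
    if salt is None:
        salt = os.urandom(params["salt_len"])
    return encode_with(prefix, params["hash"], params["dk_len"], salt,
                       iterations, password)


def password_matches(stored: str, password: str) -> bool:
    """Verify a candidate password against a stored value.

    The hash length is fixed by the prefix; the salt is whatever follows it,
    so a stored value with a longer salt than the scheme generates still
    verifies. A value whose hash length differs from the prefix's implicit
    length is silently misparsed and fails, which is the confusion Ludo warns
    about when reusing a prefix with different implicit parameters.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    prefix, rest = stored[1:].split("}", 1)
    params = SCHEMES.get(prefix)
    if params is None:
        return False
    try:
        iter_str, b64 = rest.split(":", 1)
        iterations = int(iter_str)
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    dk_len = params["dk_len"]
    if iterations < 1 or len(blob) <= dk_len:
        return False
    stored_dk, salt = blob[:dk_len], blob[dk_len:]
    candidate = hashlib.pbkdf2_hmac(params["hash"], password.encode("utf-8"),
                                    salt, iterations, dklen=dk_len)
    # Constant-time comparison so verification time does not leak prefix matches.
    return hmac.compare_digest(candidate, stored_dk)


if __name__ == "__main__":
    # Constructed demo inputs; fixed salts only so the run is reproducible.
    pw = "correct horse battery staple"
    default = encode_password(pw, "PBKDF2", 1000, salt=b"\x01" * 8)
    long_salt = encode_with("PBKDF2", "sha1", 20, b"\x02" * 16, 1000, pw)
    wrong_prefix = encode_with("PBKDF2", "sha256", 32, b"\x02" * 16, 1000, pw)
    new_scheme = encode_password(pw, "PBKDF2-HS256", 1000, salt=b"\x03" * 16)
    print("default (8-byte salt) verifies:   ", password_matches(default, pw))
    print("16-byte salt under {PBKDF2}:      ", password_matches(long_salt, pw))
    print("32-byte hash under {PBKDF2}:      ", password_matches(wrong_prefix, pw))
    print("32-byte hash under own prefix:    ", password_matches(new_scheme, pw))
```

    Running it shows the two behaviours side by side: a value with a longer salt under the original prefix still verifies, while a value with a longer hash under that same prefix never does, because the verifier has no way to learn the hash length from the stored value. Giving the 16/32/1000 variant its own prefix is what keeps both kinds of stored values verifiable at once.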

    #23274
     pbrendt 
    Participant

    We are using DS 6.

    #23286
     Ludo 
    Moderator

    DS 6 ships with a sample Password Storage Scheme that gives a template to build custom ones.
    The PBKDF2 scheme hasn't changed much since we introduced it, except for the server APIs it uses.
    You can find the source code for an older version in the Community Edition source code.
    I hope this helps.

©2018 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.