4 Replies Latest reply on Jun 8, 2018 6:28 AM by honza889

    Custom password hash with JDBC realm

    pmm

We are looking at migrating our existing legacy login module (subclass of DatabaseServerLoginModule) to an Elytron JDBC realm. One issue we're facing is that we're currently using a combination of a salt and PBKDF2 with 10,000 rounds. As far as we can tell this is currently not possible, so we would have to implement something custom. Is there somewhere some documentation on how this can be achieved?

        • 1. Re: Custom password hash with JDBC realm
          mchoma

Did you look at the scram-mapper of jdbc-realm? You can specify the hash algorithm, salt and iterations there.

          • 2. Re: Custom password hash with JDBC realm
            pmm

mchoma wrote:

            Did you look at the scram-mapper of jdbc-realm? You can specify the hash algorithm, salt and iterations there.

We did; we are currently using PBKDF2WithHmacSHA512 and call SecretKeyFactory directly. However, in the scram-mapper we only have "scram-sha-1" and "scram-sha-256" available. Would "scram-sha-1" produce the same output as PBKDF2WithHmacSHA1, assuming the same number of rounds and salt?

            • 3. Re: Custom password hash with JDBC realm
              mchoma

dmlloyd honza889 Don't you know? "Would scram-sha-1 produce the same output as PBKDF2WithHmacSHA1"?

              • 4. Re: Custom password hash with JDBC realm
                honza889

Hi, the following way of obtaining a hash:

                import javax.crypto.SecretKey;
                import javax.crypto.SecretKeyFactory;
                import javax.crypto.spec.PBEKeySpec;

                SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
                PBEKeySpec keySpec = new PBEKeySpec(password, salt, ic, 160); // char[] password, byte[] salt, int ic; 160-bit key = SHA-1 output size
                SecretKey secretKey = keyFactory.generateSecret(keySpec);
                byte[] encoded = secretKey.getEncoded();

is equivalent to the following in wildfly-elytron:

                import org.wildfly.security.password.PasswordFactory;
                import org.wildfly.security.password.interfaces.ScramDigestPassword;
                import org.wildfly.security.password.spec.EncryptablePasswordSpec;
                import org.wildfly.security.password.spec.IteratedSaltedPasswordAlgorithmSpec;
                import static org.wildfly.security.password.interfaces.ScramDigestPassword.ALGORITHM_SCRAM_SHA_1;
                PasswordFactory factory = PasswordFactory.getInstance(ALGORITHM_SCRAM_SHA_1); // "scram-sha-1"; the WildFly Elytron provider must be registered
                IteratedSaltedPasswordAlgorithmSpec algoSpec = new IteratedSaltedPasswordAlgorithmSpec(ic, salt); // same int ic and byte[] salt as above
                EncryptablePasswordSpec encSpec = new EncryptablePasswordSpec(password, algoSpec);
                ScramDigestPassword scramPassword = (ScramDigestPassword) factory.generatePassword(encSpec);
                byte[] elytronEncoded = scramPassword.getDigest(); // SaltedPassword per RFC 5802, i.e. the PBKDF2-HMAC-SHA1 output

which is equivalent to the following in the JDBC realm:

                <scram-mapper algorithm="scram-sha-1" password-index="1" salt-index="2" iteration-count-index="10000"/>

(Unfortunately scram-sha-512 is missing in the elytron subsystem, even though it is supported in wildfly-elytron; reporting it as a bug: WFCORE-3919)
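The equivalence claimed in the reply above can be checked end to end before migrating any rows. The program below is an added example, not code from this thread or from the WildFly project: it computes the same salted password once with the JDK's PBKDF2WithHmacSHA1 and once with Elytron's scram-sha-1, compares the two digests in constant time, and then rebuilds a ScramDigestPassword from the digest/salt/iteration-count triple as it would be read back from the database and verifies a candidate password through the PasswordFactory, which is the same path the jdbc-realm scram-mapper takes. The provider class (org.wildfly.security.WildFlyElytronProvider), the 10,000 iteration count, the sample password and the base64 storage of digest and salt are assumptions for this example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.wildfly.security.WildFlyElytronProvider;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.ScramDigestPassword;
import org.wildfly.security.password.spec.EncryptablePasswordSpec;
import org.wildfly.security.password.spec.IteratedSaltedHashPasswordSpec;
import org.wildfly.security.password.spec.IteratedSaltedPasswordAlgorithmSpec;

/**
 * Added example: shows that PBKDF2WithHmacSHA1 (JDK) and scram-sha-1 (Elytron) yield the same
 * digest for the same password, salt and iteration count, and that a stored digest/salt/count
 * triple verifies through a PasswordFactory. Provider class and constants are assumptions.
 */
public final class ScramPbkdf2Equivalence {

    private static final int ITERATIONS = 10_000;   // assumed; the round count from the migration question
    private static final int SHA1_BITS = 160;       // PBKDF2 key length must equal the HMAC output size

    /** JDK side: what a DatabaseServerLoginModule subclass calling SecretKeyFactory computes. */
    static byte[] pbkdf2Sha1(char[] password, byte[] salt, int iterations) throws Exception {
        SecretKeyFactory kf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        return kf.generateSecret(new PBEKeySpec(password, salt, iterations, SHA1_BITS)).getEncoded();
    }

    /** Elytron side: the ScramDigestPassword the scram-mapper would produce from the same inputs. */
    static ScramDigestPassword scramSha1(PasswordFactory factory, char[] password, byte[] salt, int iterations)
            throws Exception {
        EncryptablePasswordSpec spec =
                new EncryptablePasswordSpec(password, new IteratedSaltedPasswordAlgorithmSpec(iterations, salt));
        return (ScramDigestPassword) factory.generatePassword(spec);
    }

    /** Rebuilds a Password from the stored columns (digest, salt, count) and verifies a candidate, as the realm does. */
    static boolean verifyStored(PasswordFactory factory, byte[] digest, byte[] salt, int iterations, char[] candidate)
            throws Exception {
        Password stored = factory.generatePassword(new IteratedSaltedHashPasswordSpec(digest, salt, iterations));
        return factory.verify(stored, candidate);
    }

    public static void main(String[] args) throws Exception {
        // Passing the provider explicitly avoids depending on Security.addProvider() having been called.
        PasswordFactory factory = PasswordFactory.getInstance(
                ScramDigestPassword.ALGORITHM_SCRAM_SHA_1, new WildFlyElytronProvider());

        char[] password = "correct horse battery staple".toCharArray();   // constructed sample
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] jdk = pbkdf2Sha1(password, salt, ITERATIONS);
        ScramDigestPassword elytron = scramSha1(factory, password, salt, ITERATIONS);

        // Constant-time comparison; a mismatch here would mean the legacy rows cannot be reused as-is.
        System.out.println("PBKDF2WithHmacSHA1 == scram-sha-1: " + MessageDigest.isEqual(jdk, elytron.getDigest()));

        // Simulate the columns the jdbc-realm reads back: digest and salt stored base64-encoded (assumed layout).
        String storedDigest = Base64.getEncoder().encodeToString(jdk);
        String storedSalt = Base64.getEncoder().encodeToString(salt);
        boolean ok = verifyStored(factory, Base64.getDecoder().decode(storedDigest),
                Base64.getDecoder().decode(storedSalt), ITERATIONS, password);
        boolean bad = verifyStored(factory, Base64.getDecoder().decode(storedDigest),
                Base64.getDecoder().decode(storedSalt), ITERATIONS, "wrong".toCharArray());
        System.out.println("verify(correct)=" + ok + " verify(wrong)=" + bad);
    }
}
```

When wiring this into a jdbc-realm, keep in mind that password-index, salt-index and iteration-count-index on the scram-mapper are 1-based column positions in the result set of the realm's principal-query, so the SELECT must return the digest, the salt and the iteration count (or a constant such as 10000 selected as a column) in the positions the mapper names; hash-encoding and salt-encoding default to base64, which is what the example above stores. The same check can be repeated with "PBKDF2WithHmacSHA256" against ScramDigestPassword.ALGORITHM_SCRAM_SHA_256 and a 256-bit key length; the SHA-512 variant is the one the reply reports as missing from the subsystem under WFCORE-3919.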