4 Replies Latest reply on Jun 8, 2018 6:28 AM by Jan Kalina

    Custom password hash with JDBC realm

    Philippe Marschall Expert

      We are looking at migrating our existing legacy login module (subclass of DatabaseServerLoginModule) to a Eltytron JDBC realm. One issue we're facing is that we're currently using a combination of a salt and PBKDF2 with 10,000 rounds. As far as we can tell this is currently not possible so we would have to implement something custom. Is there somewhere some documentation on how this can be achieved?

        • 1. Re: Custom password hash with JDBC realm
          Martin Choma Master

          Did you looked at scram-mapper of jdbc-realm? You can specify hash algorithm, salt, iteration there.

          • 2. Re: Custom password hash with JDBC realm
            Philippe Marschall Expert

            mchoma  wrote:

             

            Did you looked at scram-mapper of jdbc-realm? You can specify hash algorithm, salt, iteration there.

            We did, we are currently using PBKDF2WithHmacSHA512 and directly call SecretKeyFactory. However in the scram-mapper we only have "scram-sha-1" and "scram-sha-256" available. Would "scram-sha-1" produce the same output as PBKDF2WithHmacSHA1 assuming the same number of rounds and salt?

            • 3. Re: Custom password hash with JDBC realm
              Martin Choma Master

              dmlloyd honza889 Dont you know? "Would scram-sha-1 produce the same output as PBKDF2WithHmacSHA1" ?

              • 4. Re: Custom password hash with JDBC realm
                Jan Kalina Newbie

                Hi, following way of obtaining hash:

                SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
                PBEKeySpec keySpec = new PBEKeySpec(password, salt, ic, 160);
                SecretKey secretKey = keyFactory.generateSecret(keySpec);
                byte[] encoded = secretKey.getEncoded();

                is equivalent to following in wildfly-elytron:

                PasswordFactory factory = PasswordFactory.getInstance(ALGORITHM_SCRAM_SHA_1);
                IteratedSaltedPasswordAlgorithmSpec algoSpec = new IteratedSaltedPasswordAlgorithmSpec(ic, salt);
                EncryptablePasswordSpec encSpec = new EncryptablePasswordSpec(password, algoSpec);
                ScramDigestPassword scramPassword = (ScramDigestPassword) factory.generatePassword(encSpec);
                byte[] elytronEncoded = scramPassword.getDigest();

                which is equivalent to following in JDBC realm:

                <scram-mapper algorithm="scram-sha-1" password-index="1" salt-index="2" iteration-count-index="10000"/>

                (Unfortunately there is missing scram-sha-512 in elytron subsystem, even through it is supported in wildfly-elytron - reporting as bug: WFCORE-3919)