
Remove or reduce the lower limit on iteration count for PBKDF2 key generation

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 14.0.0, 5.5.1, 6.0.0
    • Fix Version/s: 6.0.0
    • Component/s: other
    • Labels:
    • Target Version/s:

      Description

      PBKDF2KeyDerivation has a check that enforces a lower limit of 10,000 PBKDF2 iterations when generating a key.

      This may be too high; we could reduce it to a lower limit, which may improve overall key generation performance.

      Steps to Reproduce

      Set the following in Tomcat's setenv.sh and do a fresh install: it will throw an IllegalStateException because the iterations value is too low.

      JAVA_OPTS="$JAVA_OPTS -Dcom.iplanet.security.encryptor=org.forgerock.openam.shared.security.crypto.AESWrapEncryption"
      JAVA_OPTS="$JAVA_OPTS -Dorg.forgerock.openam.encryption.key.iterations=2000"
      JAVA_OPTS="$JAVA_OPTS -Dorg.forgerock.openam.encryption.key.size=256"
      JAVA_OPTS="$JAVA_OPTS -Dorg.forgerock.openam.encryption.key.digest=SHA512"

      Considerations:

      If applied, this should probably go hand in hand with an addition to the documentation stating that this setting should be considered alongside the quality of the encryption password.
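      The check described above and the trade-off in the considerations, as an added example that is not OpenAM's code: a stand-in for the PBKDF2KeyDerivation floor (the names derive_key, iterations_allowed and derivations_per_second are assumptions) that rejects the reporter's 2000-iteration setting, derives a key with the key.size and key.digest values from the setenv.sh above, and measures how many derivations per second the host manages at each count. That rate is also the guess rate an offline attacker with comparable hardware gets against the encryption password, which is why a lower floor has to be weighed against password quality.

```python
import hashlib
import os
import time

# Constructed policy floor matching the check the issue describes (10,000).
# Stand-in for OpenAM's PBKDF2KeyDerivation minimum, not the project's code.
DEFAULT_MIN_ITERATIONS = 10_000


def iterations_allowed(iterations, min_iterations=DEFAULT_MIN_ITERATIONS):
    """Return True when the configured iteration count meets the policy floor."""
    return iterations >= min_iterations


def derive_key(password, salt, iterations, key_size_bits=256, digest="sha512",
               min_iterations=DEFAULT_MIN_ITERATIONS):
    """PBKDF2-HMAC key derivation guarded by a configurable iteration floor.

    key_size_bits and digest mirror the key.size / key.digest properties in the
    reporter's setenv.sh; iterations mirrors key.iterations.
    """
    if not iterations_allowed(iterations, min_iterations):
        # OpenAM raises IllegalStateException here; ValueError is the Python analogue.
        raise ValueError(
            f"PBKDF2 iterations {iterations} below configured minimum {min_iterations}")
    if key_size_bits % 8 != 0:
        raise ValueError("key size must be a whole number of bytes")
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                               iterations, dklen=key_size_bits // 8)


def derivations_per_second(iterations, digest="sha512", samples=3):
    """Measure derivations per second on this host for a given iteration count.

    Halving the iteration count roughly doubles this figure, for the server and
    for anyone guessing the encryption password offline with similar hardware.
    """
    salt = os.urandom(16)  # constructed benchmark salt
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac(digest, b"benchmark-password", salt, iterations, dklen=32)
    elapsed = time.perf_counter() - start
    return samples / elapsed


if __name__ == "__main__":
    salt = os.urandom(16)
    key = derive_key("correct horse battery staple", salt, 10_000)
    print(f"derived a {len(key) * 8}-bit key at 10000 iterations")
    try:
        derive_key("correct horse battery staple", salt, 2000)
    except ValueError as err:
        print("rejected:", err)
    for n in (2000, 10_000, 100_000):
        print(f"{n:>7} iterations: {derivations_per_second(n):8.1f} derivations/s")
```

      Running the script prints the per-count throughput; compare the 2000 and 10,000 rows to see the factor an attacker gains from the lower setting, and size the password's entropy accordingly before relaxing the floor.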

      People

      • Assignee: phillcunnington Phill Cunnington
      • Reporter: jonthomas Jonathan Thomas
      • Votes: 0
      • Watchers: 5