OpenIDM / OPENIDM-14985

Can't configure kbaInfo to use bcrypt hashing

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0, 6.5.0.3
    • Fix Version/s: None
    • Component/s: Module - SelfService
    • Labels: None
    • Zendesk ID: 50475

      Description

      If you try to configure the kbaInfo answers to be hashed with the bcrypt algorithm, when users self-register, their kba answers are hashed using SHA-256. It looks like Self Service may hard-code KBA answers to use SHA-256 in org.forgerock.selfservice.core.util.Answers#hashAnswer

      Steps to reproduce in 6.5.x or 7.0:
      1. In the Admin UI, enable User Registration and Security Questions.
      2. In managed.json, change kbaInfo answers to use bcrypt hashing:

       "kbaInfo" : {
           "description" : "KBA Info",
           "type" : "array",
           "userEditable" : true,
           "viewable" : false,
           "usageDescription" : "",
           "isPersonal" : true,
           "items" : {
               "type" : "object",
               "title" : "KBA Info Items",
               "properties" : {
                   "answer" : {
                       "description" : "Answer",
                       "secureHash" : {
                           "algorithm" : "BCRYPT"
                       }
                   },
                   "customQuestion" : {
                       "description" : "Custom question",
                       "type" : "string"
                   },
                   "questionId" : {
                       "description" : "Question ID",
                       "type" : "string"
                   }
               }
           }
       },


      3. Have a user self-register.
      4. The new managed/user object will show the kbaInfo answers hashed with SHA-256, for example:

      "kbaInfo": [
          {
              "answer": {
                  "$crypto": {
                      "value": {
                          "algorithm": "SHA-256",
                          "data": "GRAySlsKga9KG9D3i5xxGZPvnmuC8coHG8MuShRZya38PNywdcR7gG/u5ALCN1S0"
                      },
                      "type": "salted-hash"
                  }
              },
              "questionId": "1"
          }
      ]
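      The following audit script is an added example, not part of this ticket and not OpenIDM code. It reads the secureHash algorithm configured for kbaInfo answers in managed.json and compares it with the algorithm actually recorded in each managed/user object's $crypto wrapper, so an operator can detect users whose KBA answers were hashed with a different algorithm (as in the SHA-256-vs-BCRYPT case above) or never hashed at all. The managed.json layout ("objects" list with a "user" entry carrying a "schema"), the sample user records and the bcrypt "data" placeholder are assumptions constructed for the example; the SHA-256 record mirrors the one shown in step 4.

```python
import json

# Constructed sample: a managed.json excerpt with the kbaInfo answer
# secureHash set to BCRYPT, as in step 2 of the ticket.  The surrounding
# "objects"/"schema" layout is an assumption for this example.
MANAGED_JSON = json.loads(r'''
{
  "objects": [
    {
      "name": "user",
      "schema": {
        "properties": {
          "kbaInfo": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "answer": {"secureHash": {"algorithm": "BCRYPT"}},
                "questionId": {"type": "string"}
              }
            }
          }
        }
      }
    }
  ]
}
''')

# Constructed sample managed/user records.  The first reproduces the
# SHA-256 answer shape from the ticket; the second is the assumed shape of
# a bcrypt answer (its data value is a placeholder); the third was never
# hashed at all.
USERS = [
    {
        "_id": "user-sha",
        "kbaInfo": [{
            "answer": {"$crypto": {
                "value": {"algorithm": "SHA-256",
                          "data": "GRAySlsKga9KG9D3i5xxGZPvnmuC8coHG8MuShRZya38PNywdcR7gG/u5ALCN1S0"},
                "type": "salted-hash"}},
            "questionId": "1",
        }],
    },
    {
        "_id": "user-bcrypt",
        "kbaInfo": [{
            "answer": {"$crypto": {
                "value": {"algorithm": "BCRYPT", "data": "$2a$13$PLACEHOLDER-bcrypt-data"},
                "type": "salted-hash"}},
            "questionId": "2",
        }],
    },
    {
        "_id": "user-plain",
        "kbaInfo": [{"answer": "fluffy", "questionId": "1"}],
    },
]


def configured_kba_algorithm(managed, object_name="user"):
    """Return the secureHash algorithm configured for kbaInfo answers of the
    given managed object, or None if no secureHash is configured."""
    for obj in managed.get("objects", []):
        if obj.get("name") != object_name:
            continue
        props = obj.get("schema", {}).get("properties", {})
        answer = (props.get("kbaInfo", {}).get("items", {})
                  .get("properties", {}).get("answer", {}))
        return answer.get("secureHash", {}).get("algorithm")
    return None


def stored_algorithm(answer):
    """Return the algorithm recorded in an OpenIDM $crypto wrapper, or None
    when the answer carries no wrapper (i.e. it is stored in the clear)."""
    if not isinstance(answer, dict) or "$crypto" not in answer:
        return None
    return answer["$crypto"].get("value", {}).get("algorithm")


def audit_kba_hashes(managed, users):
    """Compare every stored kbaInfo answer with the configured algorithm.
    Returns (user id, kbaInfo index, actual, expected) tuples; 'actual' is
    "UNHASHED" for answers that have no $crypto wrapper at all."""
    expected = (configured_kba_algorithm(managed) or "").upper()
    findings = []
    for user in users:
        for idx, entry in enumerate(user.get("kbaInfo", [])):
            actual = stored_algorithm(entry.get("answer"))
            if actual is None:
                findings.append((user["_id"], idx, "UNHASHED", expected))
            elif actual.upper() != expected:
                findings.append((user["_id"], idx, actual.upper(), expected))
    return findings


if __name__ == "__main__":
    for user_id, idx, actual, expected in audit_kba_hashes(MANAGED_JSON, USERS):
        print(f"{user_id} kbaInfo[{idx}]: stored as {actual}, configured {expected}")
```

      Against a live deployment the USERS list would be replaced by the result of querying the managed/user endpoint for the kbaInfo field; the algorithm comparison is case-insensitive because the configured value is written in upper case while stored values follow whatever the hashing code emitted.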
      

      People

      • Assignee: Brendan Miller (brmiller)
      • Reporter: Nena Hunt (nena.hunt)
      • Votes: 0
      • Watchers: 2