[OPENIDM-14277] Update the documentation on hashing config Created: 16/Jan/20  Updated: 20/May/20  Resolved: 26/Mar/20

Status: Closed
Project: OpenIDM
Component/s: documentation
Affects Version/s: 7.0.0
Fix Version/s: 7.0.0

Type: Story Priority: Major
Reporter: Lana Frost Assignee: Lana Frost
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Document
documents OPENIDM-13293 Request for IDM to allow for hashed p... Resolved
documents OPENIDM-14229 Allow tuning PBKDF2/Bcrypt/Scrypt par... Resolved
Target Version/s:
Verified Version/s:
QA Assignee: Son Nguyen
Story Points: 1
Sprint: 2020.04 - IDM

Description

OPENIDM-14229 (this PR) adds additional config options for configuring the hash algorithm.

OPENIDM-13293 made additional enhancements for salt length.



Comments
Comment by Travis Haagen [ 16/Jan/20 ]

Examples of the enhanced config, where previously the only field that could be set was "algorithm":

"secureHash" : {
    "algorithm" : "PBKDF2",
    "hashLength" : 16,
    "saltLength" : 16,
    "iterations" : 10,
    "hmac" : "SHA-256"
}

"secureHash" : {
    "algorithm" : "SCRYPT",
    "hashLength" : 16,
    "saltLength" : 16,
    "n" : 32768,
    "r" : 8,
    "p" : 1
},

// hashLength and saltLength are not changeable for BCrypt
"secureHash" : {
    "algorithm" : "BCRYPT",
    "cost" : 16
},

All the other supported hash algorithms can only customize "saltLength":

"secureHash" : {
    "algorithm" : "SHA-256",
    "saltLength" : 16
},

More specifics about what constitutes valid field values are in the comments for the 3 above hash implementations:

It was implemented to not break anything for customers that used these hashes in IDM 6 or 6.5. Also, a customer can change these settings at any time and it will not break anything, because all the needed settings are persisted with the hashed value.
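An added illustration of the point made above (not IDM's code): a PBKDF2 hash stored as a self-describing record, so that raising "iterations" or switching "hmac" in the config later does not break verification of values hashed under the old settings. The record layout and the IDM-to-hashlib digest name mapping are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# IDM's "hmac" spelling mapped to hashlib digest names (assumed mapping).
HMAC_DIGESTS = {"SHA-256": "sha256", "SHA-512": "sha512", "SHA3-256": "sha3_256"}

# Constructed copy of the PBKDF2 "secureHash" config from the comment above.
PBKDF2_CONFIG = {"algorithm": "PBKDF2", "hashLength": 16, "saltLength": 16,
                 "iterations": 10, "hmac": "SHA-256"}


def hash_password(password, config, salt=None):
    """Hash with PBKDF2 and return a self-describing record: digest, iteration
    count and salt travel with the hash, so changing the config later never
    invalidates values hashed under the old settings."""
    if config["algorithm"] != "PBKDF2":
        raise ValueError("this example only covers the PBKDF2 variant")
    if salt is None:
        salt = os.urandom(config["saltLength"])
    digest = hashlib.pbkdf2_hmac(HMAC_DIGESTS[config["hmac"]], password.encode(),
                                 salt, config["iterations"], dklen=config["hashLength"])
    return {"algorithm": "PBKDF2", "hmac": config["hmac"],
            "iterations": config["iterations"],
            "salt": base64.b64encode(salt).decode(),
            "hash": base64.b64encode(digest).decode()}


def verify_password(password, record):
    """Recompute from the parameters stored in the record, not the live config,
    and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    actual = hashlib.pbkdf2_hmac(HMAC_DIGESTS[record["hmac"]], password.encode(),
                                 salt, record["iterations"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)
```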

Comment by Travis Haagen [ 25/Mar/20 ]

The CLI tool has a quirk where the --config JSON cannot have spaces between JSON elements and you must escape quotes and commas:

openidm/cli.sh secureHash \
 --algorithm PBKDF2 \
 --config '{\"hashLength\":16\,\"saltLength\":16\,\"iterations\":20000\,\"hmac\":\"SHA3-256\"}' \
 "password"
Comment by Lana Frost [ 26/Mar/20 ]

https://stash.forgerock.org/projects/OPENIDM/repos/openidm-docs/pull-requests/2679/overview
https://ea.forgerock.com/docs/idm/security-guide/encoding-attribute-values.html#encoding-salted-hash
https://ea.forgerock.com/docs/idm/setup-guide/cli-secure-hash.html

Comment by Son Nguyen [ 20/May/20 ]

Verified successfully on master

Generated at Tue Oct 27 07:04:00 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.