[OPENIDM-14985] Can’t configure kbaInfo to use bcrypt hashing Created: 12/Jun/20  Updated: 21/Oct/20

Status: In Review
Project: OpenIDM
Component/s: Module - SelfService
Affects Version/s: 7.0.0, 6.5.0.3
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Nena Hunt Assignee: Jon Branch
Resolution: Unresolved Votes: 0
Labels: CLARK
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on COMMONS-623 Support additional hash algorithms fo... Resolved
Relates
relates to OPENIDM-13293 Request for IDM to allow for hashed p... Resolved
relates to OPENIDM-14229 Allow tuning PBKDF2/Bcrypt/Scrypt par... Resolved
Target Version/s:
Story Points: 3
Sprint: 2020.14 - IDM
Cases: 50475
Support Ticket IDs:
Zendesk ID: 50475

Description

If you configure the kbaInfo answers to be hashed with the bcrypt algorithm, the KBA answers of users who self-register are still hashed with SHA-256. It looks like Self Service hard-codes SHA-256 for KBA answers in org.forgerock.selfservice.core.util.Answers#hashAnswer.

Steps to reproduce in 6.5.x or 7.0:
1. In the Admin UI, enable User Registration and Security Questions.
2. In managed.json, change kbaInfo answers to use bcrypt hashing:

"kbaInfo" : {
    "description" : "KBA Info",
    "type" : "array",
    "userEditable" : true,
    "viewable" : false,
    "usageDescription" : "",
    "isPersonal" : true,
    "items" : {
        "type" : "object",
        "title" : "KBA Info Items",
        "properties" : {
            "answer" : {
                "description" : "Answer",
                "secureHash" : {
                    "algorithm" : "BCRYPT"
                }
            },
            "customQuestion" : {
                "description" : "Custom question",
                "type" : "string"
            },
            "questionId" : {
                "description" : "Question ID",
                "type" : "string"
            }
        }
    }
},

3. Have a user self-register.
4. The new managed/user object will show the kbaInfo answers hashed with SHA-256, for example:

"kbaInfo": [
    {
        "answer": {
            "$crypto": {
                "value": {
                    "algorithm": "SHA-256",
                    "data": "GRAySlsKga9KG9D3i5xxGZPvnmuC8coHG8MuShRZya38PNywdcR7gG/u5ALCN1S0"
                },
                "type": "salted-hash"
            }
        },
        "questionId": "1"
    },

Generated at Sat Oct 31 01:58:01 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.