Password Hashing Algorithms and Pluggable Hashing
cidaas provides a set of hashing algorithms out of the box. New algorithms are added continuously, and user passwords are migrated on the fly to the more secure hashing method currently configured: a password that still carries a legacy hash is re-hashed the next time the user authenticates successfully.
The hashing method applied is defined in the cidaas Configuration.
Supported Hashing Algorithms
| AlgorithmType | Description / Migration Information |
|---|---|
| SHA1 | Plain SHA-1 digest of the password, hex-encoded (no salt parameter). Unsalted and fast to brute-force, so suitable only for recognizing migrated hashes until they are re-hashed. |
| SHA256 | Plain SHA-256 digest of the password, hex-encoded (no salt parameter). Like SHA1, suitable only for recognizing migrated hashes. |
| PBKDF2 | The parameters salt, iterations and keylen are passed to cidaas in equally named fields of the password_hash_info object. |
| ARGON (argon2id, argon2i, argon2d) | Argon2 hash strings carry their own parameters (variant, memory, iterations, parallelism, salt), so no additional configuration is needed on the cidaas side to recognize migrated passwords. |
| HMAC-SHA-256 | HMAC with SHA-256, hex-encoded digest. The HMAC key is passed in password_hash_info in the field salt. |
| HMAC | Any HMAC construction can be used. The algorithm type starts with the prefix HMAC and names the hash algorithm and digest encoding (HMAC-SHA-256 above is one instance). The HMAC key is passed in password_hash_info in the field salt. |
| BCRYPT_n (n = 1 to 20) | n is the bcrypt cost factor (2^n rounds). Cost and salt are already encoded in the bcrypt hash string, so no additional configuration is needed on the cidaas side to recognize migrated passwords. A cost up to 12 is recommended: each increment doubles both the attacker's work and the verification time. |
To allow a clean and easy migration from other user databases that use different hash algorithms, cidaas lets you choose per user which verification method applies to the stored hash.
Use the user migration (bulk) API and state, in the password_hash_info object of each user, which algorithm produced the stored hash. The algorithmTypeId field names the algorithm, for example:
```json
"password_hash_info": {
  "algorithmTypeId": "CUSTOM_SHA1Hash",
  "passwordHash": "da1800bf53301b5dbadbf85e991ba8eed93164cb"
}
```
Implementing Custom Hash Algorithms
Other systems sometimes hash passwords with a custom algorithm. So that a user whose custom hash was migrated to cidaas can still log in, cidaas can delegate verification of that hash to a pluggable service.
To do so, use a hash algorithm type with the prefix CUSTOM. This tells cidaas to call a separate service that verifies the password against the stored hash.
After a successful verification, the password is re-hashed with the hash algorithm currently configured in cidaas, so the custom service is only needed until each user has logged in once.
A custom hash verification service must:
- be a separate service that can be secured with OAuth2 against cidaas;
- expose an endpoint that accepts ?action=compare as query parameter and the request body below;
- answer with HTTP status 200 (OK) and the response body below.
Request Body
```json
{
  "passwordVerification": {
    "passwordHash": "<the migrated password hash>",
    "hData": {
      "salt": "<salt used for password hashing>"
    }
  },
  "password": "<clear text password>",
  "algorithm": "<the algorithm id>"
}
```
Response Body
```json
{
  "data": {
    "verified": true
  }
}
```
Need Support?
Please contact us directly on our support page