Argon2 Password Storage Scheme

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Argon2 Password Storage Scheme provides a mechanism for encoding passwords using the memory-hard Argon2 (specifically, Argon2i) password hash and proof-of-work function, as described in draft-irtf-cfrg-argon2.

For legacy compatibility purposes, this implementation uses the Argon2i variant of the algorithm. We have since introduced three additional password storage scheme implementations that allow you to explicitly choose the Argon2i, Argon2d, or Argon2id variant.
In the past, it was necessary to independently obtain the Bouncy Castle library and place it in the server's lib directory. This is no longer required, as the server ships with the necessary Bouncy Castle library.
This password storage scheme is not supported in servers running in FIPS 140-2-compliant mode.

Direct Subcomponents Parent Component Properties dsconfig Usage

Direct Subcomponents

The following Argon2 Password Storage Schemes are available in the server :

These Argon2 Password Storage Schemes inherit from the properties described below.

Parent Component

The Argon2 Password Storage Scheme component inherits from the Password Storage Scheme

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  None
 enabled
 iteration-count
 parallelism-factor
 memory-usage-kb
 salt-length-bytes
 derived-key-length-bytes

Basic Properties

description

Description
A description for this Password Storage Scheme
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Password Storage Scheme is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

iteration-count

Description
The number of rounds of cryptographic processing required in the course of encoding each password. Increasing this value makes the algorithm more computationally intensive, and thereby increases the cost of password-guessing attacks. However, it also limits the rate at which the server can encode passwords, which can adversely affect the performance of operations that require password encoding, as well as import performance for LDIF files that contain clear-text passwords.
The value must be greater than or equal to 1 and less than or equal to 8,388,607.
Default Value
None
Allowed Values
An integer value. Lower limit is 1. Upper limit is 8388607 .
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

parallelism-factor

Description
The number of concurrent threads that will be used in the course of encoding each password. Increasing this value reduces the number of password encoding operations that may be processed concurrently, and thereby increases the cost of password-guessing attacks. However, it can also limit rate at which the server can encode passwords, which can adversely affect the performance of operations that require password encoding, as well as import performance for LDIF files that contain clear-text passwords.
The value must be greater than or equal to 1 and less than or equal to 255.
Default Value
None
Allowed Values
An integer value. Lower limit is 1. Upper limit is 255 .
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

memory-usage-kb

Description
The number of kilobytes of memory that must be used in the course of encoding each password. Increasing this value limits the number of password encoding operations thta may be processed concurrently. If too many password encoding attempts are in progress, the aggregate memory consumption may exceed the amount of memory available for the server to use.
The value must be greater than or equal to 8 and less than or equal to 8,388,607.
Default Value
None
Allowed Values
An integer value. Lower limit is 8. Upper limit is 8388607 .
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

salt-length-bytes

Description
The number of bytes to use for the generated salt. The salt introduces random data into the password encoding process. This means that repeated attempts to encode the same password will yield different outputs. A sufficiently large salt prevents pre-computed dictionary attacks by ensuring that the number of possible encoded representations of any single password is too large to feasibly generate.
The value must be greater than or equal to 8 and less than or equal to 255.
Default Value
None
Allowed Values
An integer value. Lower limit is 8. Upper limit is 255 .
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

derived-key-length-bytes

Description
The number of bytes to use for the derived key. The value must be greater than or equal to 8 and less than or equal to 512.
Default Value
None
Allowed Values
An integer value. Lower limit is 8. Upper limit is 512 .
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Password Storage Schemes:

dsconfig list-password-storage-schemes
     [--property {propertyName}] ...

To view the configuration for an existing Password Storage Scheme:

dsconfig get-password-storage-scheme-prop
     --scheme-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Storage Scheme:

dsconfig set-password-storage-scheme-prop
     --scheme-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Argon2 Password Storage Scheme:

dsconfig create-password-storage-scheme
     --scheme-name {name}
     --type argon2
     --set enabled:{propertyValue}
     --set iteration-count:{propertyValue}
     --set parallelism-factor:{propertyValue}
     --set memory-usage-kb:{propertyValue}
     --set salt-length-bytes:{propertyValue}
     --set derived-key-length-bytes:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Storage Scheme:

dsconfig delete-password-storage-scheme
     --scheme-name {name}