PBKDF2 Password Storage Scheme

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The PBKDF2 Password Storage Scheme provides password storage scheme implementations that use the PBKDF2 key derivation function, as described in the PKCS#5 specification contained in RFC 2898.


Parent Component

The PBKDF2 Password Storage Scheme component inherits from the Password Storage Scheme.

Properties

The properties supported by this managed object are as follows:

Basic Properties:
 description
 enabled
 digest-algorithm
 iteration-count
 salt-length-bytes
 derived-key-length-bytes
 encoded-password-cache-size

Advanced Properties:
 max-password-length

Basic Properties

description

Description
A description for this Password Storage Scheme
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Password Storage Scheme is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

digest-algorithm

Description
Specifies the digest algorithm that will be used when encoding passwords.
Default Value
sha-1
Allowed Values
sha-1 - Indicates that passwords should be encoded with PBKDF2WithHmacSHA1.

sha-256 - Indicates that passwords should be encoded with PBKDF2WithHmacSHA256.

sha-384 - Indicates that passwords should be encoded with PBKDF2WithHmacSHA384.

sha-512 - Indicates that passwords should be encoded with PBKDF2WithHmacSHA512.
Multi-Valued
No
Required
No
Admin Action Required
In a topology with multiple server versions, you should choose a digest algorithm that is supported by all servers in the topology. If a server encounters a password encoded with an unsupported digest algorithm, it will be unable to use that password.

iteration-count

Description
Specifies the number of iterations to use when encoding passwords. The value must be greater than or equal to 1000.
Default Value
10000
Allowed Values
An integer value. Lower limit is 1000.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

salt-length-bytes

Description
Specifies the number of bytes to use for the generated salt. The value must be greater than or equal to 8.
Default Value
16
Allowed Values
An integer value. Lower limit is 8. Upper limit is 127.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

derived-key-length-bytes

Description
Specifies the number of bytes to use for the derived key. The value must be greater than or equal to 8.
Default Value
32
Allowed Values
An integer value. Lower limit is 8.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

encoded-password-cache-size

Description
The maximum number of PBKDF2-encoded passwords to cache for faster verification. The process for verifying PBKDF2-encoded passwords can be CPU-intensive. To help reduce this cost, the first time a PBKDF2-encoded password is successfully verified, that password can be stored in a cache that maps the PBKDF2-encoded representation to an SSHA256-encoded representation, which is much faster to verify. When processing a bind request for a user with a PBKDF2-encoded password, this cache will first be checked to determine whether it includes that encoded password. If the password is in the cache, the provided password can be verified using the much faster SSHA256-encoded representation instead of the more expensive PBKDF2-encoded version.
A value of zero indicates that no caching should be performed.
Default Value
10000
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

max-password-length (Advanced Property)

Description
Specifies the maximum allowed length, in bytes, for passwords encoded with this scheme, which can help mitigate denial of service attacks from clients that attempt to bind with very long passwords. This password storage scheme performs expensive cryptographic computation as a way to thwart brute force password-cracking attacks. However, this processing consumes server resources, at the possible expense of the server's ability to process other operations. The longer a provided password is, the more expensive it is to encode, or to verify whether a provided password matches a user's encoded password. Malicious clients may attempt to exploit that by providing very long passwords during authentication attempts. However, if the provided password is longer than the configured max-password-length value, then this password storage scheme will immediately reject it rather than perform that expensive computation.
Default Value
200
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
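The following is an added example, not the server's own code, showing how the digest-algorithm, iteration-count, salt-length-bytes, derived-key-length-bytes and max-password-length properties above map onto a PBKDF2 encode/verify routine, with the property limits enforced and over-long passwords rejected before any derivation runs. The DIGESTS mapping and the "{PBKDF2}digest:iterations:salt:key" string layout are assumptions made for illustration; they are not the server's actual encoding.

```python
import base64
import hashlib
import hmac
import os

# Assumed mapping from the digest-algorithm property values to hashlib digest names.
DIGESTS = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

def validate_config(cfg):
    """Enforce the limits the property reference states for this scheme."""
    if cfg["digest-algorithm"] not in DIGESTS:
        raise ValueError("unsupported digest-algorithm")
    if cfg["iteration-count"] < 1000:
        raise ValueError("iteration-count: lower limit is 1000")
    if not 8 <= cfg["salt-length-bytes"] <= 127:
        raise ValueError("salt-length-bytes: lower limit is 8, upper limit is 127")
    if cfg["derived-key-length-bytes"] < 8:
        raise ValueError("derived-key-length-bytes: lower limit is 8")
    if cfg["max-password-length"] < 1:
        raise ValueError("max-password-length: lower limit is 1")

def encode_password(password, cfg, salt=None):
    """Return a constructed '{PBKDF2}digest:iterations:salt:key' string.
    The layout is illustrative only, not the server's actual encoding."""
    validate_config(cfg)
    pw = password.encode("utf-8")
    if len(pw) > cfg["max-password-length"]:
        raise ValueError("password exceeds max-password-length; rejected before PBKDF2 runs")
    if salt is None:
        salt = os.urandom(cfg["salt-length-bytes"])  # fresh random salt per password
    elif len(salt) != cfg["salt-length-bytes"]:
        raise ValueError("salt length does not match salt-length-bytes")
    key = hashlib.pbkdf2_hmac(DIGESTS[cfg["digest-algorithm"]], pw, salt,
                              cfg["iteration-count"], cfg["derived-key-length-bytes"])
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "{PBKDF2}%s:%d:%s:%s" % (cfg["digest-algorithm"], cfg["iteration-count"], b64(salt), b64(key))

def verify_password(password, encoded, max_password_length=200):
    """Re-derive the key with the parameters stored beside it and compare in constant time."""
    pw = password.encode("utf-8")
    if len(pw) > max_password_length or not encoded.startswith("{PBKDF2}"):
        return False  # the length check runs before any expensive computation
    digest, iters, salt_b64, key_b64 = encoded[len("{PBKDF2}"):].split(":")
    if digest not in DIGESTS:
        return False  # e.g. an algorithm that an older server in the topology does not support
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac(DIGESTS[digest], pw, salt, int(iters), len(expected))
    return hmac.compare_digest(actual, expected)
```

Because the digest name and iteration count travel with the encoded value, a scheme can be tightened (for example sha-256 with a higher iteration-count) without invalidating passwords encoded under the old settings.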


dsconfig Usage

To list the configured Password Storage Schemes:

dsconfig list-password-storage-schemes
     [--property {propertyName}] ...

To view the configuration for an existing Password Storage Scheme:

dsconfig get-password-storage-scheme-prop
     --scheme-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Storage Scheme:

dsconfig set-password-storage-scheme-prop
     --scheme-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new PBKDF2 Password Storage Scheme:

dsconfig create-password-storage-scheme
     --scheme-name {name}
     --type pbkdf2
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Storage Scheme:

dsconfig delete-password-storage-scheme
     --scheme-name {name}