Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Scrypt Password Storage Scheme provides support for encoding passwords using the scrypt key derivation function. The string representation uses the "c2NyeXB0" format that is also used by a number of other implementations.
Like other password storage schemes supported by the server (especially PBKDF2 and Bcrypt), scrypt is designed to be expensive so that attacks against scrypt-encoded passwords are also expensive. However, scrypt is different from other algorithms because it is designed to consume a substantial amount of memory during the course of encoding a password, and to require pseudorandom access to portions of that memory. This makes the cost of generating a password dependent upon memory access latency in addition to CPU performance, and reduces the ability to parallelize password cracking attempts.
In the past, it was necessary to independently obtain the Bouncy Castle library and place it in the server's lib directory. This is no longer required, as the server ships with the necessary Bouncy Castle library.
This password storage scheme is not supported in servers running in FIPS 140-2-compliant mode.
The Scrypt Password Storage Scheme component inherits from the Password Storage Scheme.
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | max-password-length |
| enabled | |
| scrypt-cpu-memory-cost-factor-exponent | |
| scrypt-block-size | |
| scrypt-parallelization-parameter | |
description

| Description | A description for this Password Storage Scheme |
|---|---|
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
enabled

| Description | Indicates whether the Password Storage Scheme is enabled for use. |
|---|---|
| Default Value | None |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
scrypt-cpu-memory-cost-factor-exponent

| Description | Specifies the exponent that should be used for the CPU/memory cost factor. The cost factor must be a power of two, so the value of this property represents the power to which two is raised. The CPU/memory cost factor specifies the number of iterations required for encoding the password, and also affects the amount of memory required during processing. A higher cost factor requires more processing and more memory to generate a password, which makes attacks against the password more expensive. The value must be less than (128*r/8), where "r" represents the configured block size. The amount of memory that will be consumed in the course of generating the password is (128*2^N*r) bytes, where "N" represents the CPU/memory cost factor exponent and "r" represents the configured block size. The Directory Server will not permit the total memory consumption per password encoding to exceed 100 megabytes. |
|---|---|
| Default Value | 14 |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 30. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
scrypt-block-size

| Description | Specifies the block size for the digest that will be used in the course of encoding passwords. Increasing the block size while keeping the CPU/memory cost factor constant will increase the amount of memory required to encode a password, but it also increases the ratio of sequential memory access to random memory access (and sequential memory access is generally faster than random memory access). The value must be greater than or equal to one. The amount of memory that will be temporarily consumed in the course of generating the password is 128*2^N*r bytes, where "N" represents the CPU/memory cost factor exponent and "r" represents the configured block size. The Directory Server will not permit the total memory consumption per password encoding to exceed 100 megabytes. |
|---|---|
| Default Value | 8 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
scrypt-parallelization-parameter

| Description | Specifies the number of times that scrypt has to perform the entire encoding process to produce the final result. The amount of processing required to encode a password increases linearly with the value of this parameter. If an attacker uses a scrypt implementation that supports the use of multiple threads to perform multiple encodings in parallel, then it also linearly increases the amount of memory required. |
|---|---|
| Default Value | 1 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
max-password-length (Advanced Property)

| Description | Specifies the maximum allowed length, in bytes, for passwords encoded with this scheme, which can help mitigate denial of service attacks from clients that attempt to bind with very long passwords. This password storage scheme performs expensive cryptographic computation as a way to thwart brute force password-cracking attacks. However, this processing consumes server resources, at the possible expense of the server's ability to process other operations. The longer a provided password is, the more expensive it is to encode, or to verify whether a provided password matches a user's encoded password. Malicious clients may attempt to exploit that by providing very long passwords during authentication attempts. However, if the provided password is longer than the configured max-password-length value, then this password storage scheme will immediately reject it rather than perform that expensive computation. |
|---|---|
| Default Value | 200 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
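The three scrypt properties and max-password-length interact: the exponent N and block size r fix the per-encoding memory at 128*2^N*r bytes, the exponent must stay below 128*r/8, the server caps memory at 100 megabytes, and over-long passwords are refused before any scrypt work is done. The following added example (not the Directory Server's code, and not Bouncy Castle's) puts those rules into a small validator and then encodes and verifies a password with Python's standard-library `hashlib.scrypt` using the same N, r and p semantics. The 100-megabyte cap is assumed to mean 100 MiB, the 32-byte derived-key length and 16-byte salt are choices made here, and the salt in the demo is a constructed constant.

```python
import hashlib
import hmac
import os

# Limits restated from the property descriptions above (assumptions noted).
MAX_MEMORY_BYTES = 100 * 1024 * 1024     # "100 megabytes" cap, assumed to be MiB
MIN_COST_EXPONENT, MAX_COST_EXPONENT = 1, 30
DEFAULT_COST_EXPONENT = 14               # scrypt-cpu-memory-cost-factor-exponent
DEFAULT_BLOCK_SIZE = 8                   # scrypt-block-size (r)
DEFAULT_PARALLELIZATION = 1              # scrypt-parallelization-parameter (p)
DEFAULT_MAX_PASSWORD_LENGTH = 200        # max-password-length, in bytes


def scrypt_memory_bytes(cost_exponent: int, block_size: int) -> int:
    """Memory temporarily consumed per encoding: 128 * 2^N * r bytes."""
    return 128 * (2 ** cost_exponent) * block_size


def validate_parameters(cost_exponent: int, block_size: int, parallelization: int) -> list:
    """Return the constraint violations for a (N, r, p) tuple; empty means acceptable."""
    problems = []
    if not MIN_COST_EXPONENT <= cost_exponent <= MAX_COST_EXPONENT:
        problems.append("cost factor exponent must be between 1 and 30")
    if block_size < 1:
        problems.append("block size must be at least 1")
    if parallelization < 1:
        problems.append("parallelization parameter must be at least 1")
    # The exponent must be less than 128*r/8, i.e. less than 16*r.
    if cost_exponent >= 128 * block_size / 8:
        problems.append("cost factor exponent must be less than 128*r/8")
    needed = scrypt_memory_bytes(cost_exponent, block_size)
    if needed > MAX_MEMORY_BYTES:
        problems.append(f"{needed} bytes per encoding exceeds the {MAX_MEMORY_BYTES}-byte cap")
    return problems


def encode_password(password: str, salt=None,
                    cost_exponent: int = DEFAULT_COST_EXPONENT,
                    block_size: int = DEFAULT_BLOCK_SIZE,
                    parallelization: int = DEFAULT_PARALLELIZATION,
                    max_password_length: int = DEFAULT_MAX_PASSWORD_LENGTH) -> tuple:
    """Encode a password; returns (salt, derived_key).

    The length check runs first so that an over-long password is rejected
    without spending any scrypt CPU or memory, which is the point of the
    max-password-length property.
    """
    raw = password.encode("utf-8")
    if len(raw) > max_password_length:
        raise ValueError("password exceeds max-password-length; rejected before scrypt runs")
    problems = validate_parameters(cost_exponent, block_size, parallelization)
    if problems:
        raise ValueError("; ".join(problems))
    if salt is None:
        salt = os.urandom(16)               # 16-byte random salt is a choice made here
    key = hashlib.scrypt(raw, salt=salt,
                         n=2 ** cost_exponent, r=block_size, p=parallelization,
                         maxmem=2 * MAX_MEMORY_BYTES,   # let OpenSSL's own accounting pass
                         dklen=32)
    return salt, key


def verify_password(password: str, salt: bytes, expected_key: bytes, **params) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        _, key = encode_password(password, salt=salt, **params)
    except ValueError:
        return False                        # too long or bad parameters: never matches
    return hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    # Show how memory scales with the exponent at the default block size.
    for n in (14, 15, 16, 17):
        mib = scrypt_memory_bytes(n, DEFAULT_BLOCK_SIZE) / (1024 * 1024)
        status = "ok" if not validate_parameters(n, DEFAULT_BLOCK_SIZE, 1) else "rejected"
        print(f"N=2^{n}, r={DEFAULT_BLOCK_SIZE}: {mib:.0f} MiB per encoding ({status})")
    salt, key = encode_password("correct horse battery staple", salt=b"constructed-salt")
    print("verify ok:", verify_password("correct horse battery staple", salt, key))
```

With the defaults (N = 2^14, r = 8) each encoding touches 16 MiB; raising the exponent to 17 at r = 8 asks for 128 MiB and trips the 100-megabyte cap, which is why the validator refuses it before `hashlib.scrypt` is called. The property names in the comments correspond to the values you would pass to `dsconfig set-password-storage-scheme-prop`.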
To list the configured Password Storage Schemes:

```
dsconfig list-password-storage-schemes [--property {propertyName}] ...
```

To view the configuration for an existing Password Storage Scheme:

```
dsconfig get-password-storage-scheme-prop --scheme-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
```

To update the configuration for an existing Password Storage Scheme:

```
dsconfig set-password-storage-scheme-prop --scheme-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```

To create a new Scrypt Password Storage Scheme:

```
dsconfig create-password-storage-scheme --scheme-name {name} --type scrypt --set enabled:{propertyValue} [--set {propertyName}:{propertyValue}] ...
```

To delete an existing Password Storage Scheme:

```
dsconfig delete-password-storage-scheme --scheme-name {name}
```