CA Directory Password Storage hashing method - additional information

Article ID: 142618

Updated On:

Products

DIRECTORY

Issue/Introduction

Q1 What is the underlying HMAC algorithm employed by PBKDF?

Q2 What are the values of the non-configurable parameters?

Q3 How do the configuration parameters of CA Directory (for example, pbkdf2-iterations) map to them?

Environment

CA Directory 14.x

Resolution

Q1 What is the underlying HMAC algorithm employed by PBKDF?
A1 As confirmed by Engineering, pbkdf2 uses the SHA1 algorithm (as HMAC-SHA1); it is not configurable.


Q2 What are the values of the non-configurable parameters?
A2 Some of the default values are provided at https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-0/reference/commands-reference/set-password-storage-command.html

The complete list is:

pbkdf2:
                Pseudo Random Function: HMAC-SHA1
                Salt: random salt with length (in bits) specified with set salt-length command (default 128)
                Number of iterations: specified with set pbkdf2-iterations command
                Bit-length of the derived key: specified with set pbkdf2-digest-length command (default 128)

bcrypt:
                Salt: random salt with length (in bits) specified with set salt-length command (default 128)
                Number of iterations: specified with set pbkdf-iterations command.
                Bit-length of the derived key: fixed length 24 bytes

scrypt:
                Salt: random salt with length (in bits) specified with set salt-length command (default 128)
                costFactor: 512
                blocksizeFactor: 8
                ParallelizationFactor: specified with set pbkdf-iterations command.
                DesiredKeyLen: specified with set pbkdf-digest-length command (default 128)
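
The pbkdf2 parameters listed above, written out as an added Python example (not CA Directory code and not from Broadcom). The function names, the record dictionary and the iteration count of 10000 are assumptions for illustration; the article does not describe how the directory stores the result.

```python
import hashlib
import hmac
import os

def derive(password: bytes, salt: bytes, iterations: int, digest_bits: int = 128) -> bytes:
    """PBKDF2 with the article's fixed PRF (HMAC-SHA1); lengths are given in bits."""
    if digest_bits % 8:
        raise ValueError("digest length must be a whole number of bytes")
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=digest_bits // 8)

def derive_manual(password: bytes, salt: bytes, iterations: int, digest_bits: int = 128) -> bytes:
    """Same derivation written out per RFC 8018, showing where each parameter enters."""
    dklen, out, block = digest_bits // 8, b"", 1
    while len(out) < dklen:
        # U1 = HMAC(password, salt || INT(block)); each later U is the HMAC of the previous U
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")   # block value is the XOR of all U values
        out += t.to_bytes(20, "big")        # SHA-1 output is 20 bytes (160 bits)
        block += 1
    return out[:dklen]                      # the 128-bit default keeps 16 of those 20 bytes

def new_record(password: bytes, iterations: int,
               salt_bits: int = 128, digest_bits: int = 128) -> dict:
    """Hypothetical record layout: random salt plus the parameters needed to re-derive."""
    salt = os.urandom(salt_bits // 8)
    return {"salt": salt, "iterations": iterations, "digest_bits": digest_bits,
            "dk": derive(password, salt, iterations, digest_bits)}

def verify(password: bytes, record: dict) -> bool:
    """Re-derive with the stored salt and parameters, then compare in constant time."""
    candidate = derive(password, record["salt"], record["iterations"], record["digest_bits"])
    return hmac.compare_digest(candidate, record["dk"])

if __name__ == "__main__":
    rec = new_record(b"correct horse", iterations=10000)  # assumed iteration count
    print(rec["dk"].hex(), verify(b"correct horse", rec), verify(b"wrong", rec))
```

Because the default derived key (128 bits) is shorter than one SHA-1 output (160 bits), only a single PBKDF2 block is computed, so the cost of each password guess is set entirely by the iteration count.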


Q3 How do the configuration parameters of CA Directory (for example, pbkdf-iterations) map to them?
A3 The link https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-0/reference/commands-reference/set-password-storage-command.html answers this question under "Supporting Commands for the PBKDF2 Hashing Method" and "Supporting Commands for the bcrypt and scrypt Hashing Mechanisms".

 

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-0/reference/commands-reference/set-password-storage-command.html