Support for Argon2, PBKDF2-HMAC-SHA256/512, SCRAM-SHA-256/512 Symantec Directory password hashing algorithms
Article ID: 372023

Products

CA Directory

Issue/Introduction

The password hashing algorithms currently supported in CA Directory 4.1 are the following:

  • ssha-512
  • sha-512
  • ssha-1
  • sha-1
  • pbkdf2
  • crypt
  • scrypt
  • bcrypt
  • md5
  • smd5
  • none

Please review the "set password-storage Command" documentation.

Do we currently support the Argon2, PBKDF2-HMAC-SHA256/512 and SCRAM-SHA-256/512 hashing algorithms?

 

Environment

CA Directory 14.1

Resolution

As of the time this article was written, Symantec Directory has no support for the Argon2, PBKDF2-HMAC-SHA256/512 and SCRAM-SHA-256/512 hashing algorithms. However, we plan to support them.

Argon2

Support for this password hashing algorithm depends on CAPKI. CAPKI (previously known as ETPKI) is a C-based Software Development Kit (SDK) that provides the CA development community with the features required to implement information security services in its products. Internally, CAPKI uses OpenSSL. We have found that the latest OpenSSL supports this algorithm. Once we get the new CAPKI version with the latest version of OpenSSL, we can incorporate this password hashing algorithm. Tentative inclusion is in Symantec Directory release 14.1 SP7 (~Q4 2025).


PBKDF2-HMAC-SHA256/512

A custom implementation is required in CAPKI, as this requires processing the input arguments appropriately. It is too late to add this to the current Symantec Directory release 14.1 SP06, as it depends on another product team and on their priority items as well. We will raise an enhancement request with the CAPKI team, get the implementation completed, and incorporate the changes in Directory release 14.1 SP7 (~Q4 2025).


SCRAM-SHA-256/512

A custom implementation is required in CAPKI, as there is no direct support in OpenSSL for these algorithms. It is too late to add this to the current Symantec Directory release 14.1 SP06, as it depends on another product team and on their priority items as well. We will therefore continue to monitor new OpenSSL versions for support of these algorithms until Q4 2024. If OpenSSL has no plan to support them, we will raise an enhancement request with the CAPKI team, get the implementation completed, and incorporate the changes in Symantec Directory release 14.1 SP7 (~Q4 2025).