IBM Verify

  • 1.  Access/Refresh token hashing and salting

    Posted Tue July 25, 2023 03:21 AM

    Hi,

    I couldn't find any information about the way tokens are hashed in the database.

    When the following advanced runtime params are enabled:

    • oauth20.hashedTokenStorageEnabled = true
    • runtime.hashAlgorithm = SHA-256
    • runtime.verificationHashAlgorithms = SHA-256

    Is it salted or not?

    Thank you,

    Sébastien



    ------------------------------
    Sébastien De Kinder
    ------------------------------


  • 2.  RE: Access/Refresh token hashing and salting

    Posted Wed July 26, 2023 09:16 PM

    Hi Sebastien,
    Salting is generally reserved for user-supplied values (i.e. passwords) to ensure uniqueness of the hash and a resistance to rainbow tables/dictionary attacks.
    For a token element that is a unique long random alphanumeric string, salts provide limited value, as it's generally infeasible to pre-compute an entire SHA256 space.

    If you're still concerned, change it to SHA-512 and set your token length a bit longer.



    ------------------------------
    Philip Nye
    IBM
    Gold Coast
    ------------------------------
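The following is an added illustration of the distinction drawn in the reply above; it is not code from the thread and not IBM Verify's implementation. It models hashed token storage with a storage algorithm and a list of verification algorithms (an assumed interpretation of the `runtime.hashAlgorithm` / `runtime.verificationHashAlgorithms` parameters, used here only to show how a SHA-256 to SHA-512 migration could be verified), contrasts the precomputation work for a 256-bit random token against a small password dictionary, and shows why user-supplied passwords get a per-record salt and a slow KDF while random tokens do not. `HashedTokenStore`, `search_space_bits`, `password_record` and `verify_password` are names chosen for this example.

```python
import hashlib
import hmac
import math
import secrets


class HashedTokenStore:
    """Assumed model, not IBM Verify's code: the store keeps only hex digests.

    Tokens are stored under ``hash_algorithm``; a presented token is hashed
    with each entry of ``verification_algorithms`` in turn, so records written
    under an older algorithm keep verifying during a migration window.
    """

    def __init__(self, hash_algorithm="sha256",
                 verification_algorithms=("sha256",), records=None):
        self.hash_algorithm = hash_algorithm
        self.verification_algorithms = tuple(verification_algorithms)
        self._records = {} if records is None else records  # digest -> metadata

    @staticmethod
    def digest(algorithm, token):
        return hashlib.new(algorithm, token.encode("utf-8")).hexdigest()

    def issue(self, subject, nbytes=32):
        """Mint a random token, persist only its digest, return the plaintext once."""
        token = secrets.token_urlsafe(nbytes)  # 32 bytes = 256 bits of entropy
        self._records[self.digest(self.hash_algorithm, token)] = {"subject": subject}
        return token

    def lookup(self, presented):
        """Return the metadata for a presented token, or None if it is unknown.

        A plain dict lookup on the digest is acceptable here: the key being
        compared is a hash of a 256-bit random value, not the secret itself,
        and no salt is needed because the token is not guessable.
        """
        for algorithm in self.verification_algorithms:
            meta = self._records.get(self.digest(algorithm, presented))
            if meta is not None:
                return meta
        return None


def search_space_bits(choices=None, nbytes=None):
    """Bits of work to precompute every digest of a value: log2(#candidates).

    For a dictionary of likely passwords this is tiny, which is why such
    values need a salt; for ``nbytes`` of random token it is 8 * nbytes.
    """
    if choices is not None:
        return math.log2(len(choices))
    return 8 * nbytes


# Passwords are low-entropy and user supplied: salt per record and use a slow
# KDF (PBKDF2-HMAC-SHA256 from the standard library; work factor is illustrative).
PBKDF2_ITERATIONS = 600_000


def password_record(password):
    salt = secrets.token_bytes(16)  # unique per record, stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    store = HashedTokenStore()
    token = store.issue("alice")
    print("lookup:", store.lookup(token))
    # Constructed dictionary, standing in for a rainbow-table candidate list.
    print("bits to precompute 4-word dictionary:",
          search_space_bits(choices=["password", "123456", "letmein", "qwerty"]))
    print("bits to precompute 32-byte token:", search_space_bits(nbytes=32))
    rec = password_record("hunter2")
    print("password verifies:", verify_password("hunter2", rec))
```

The migration case follows the same shape as the reply's "change it to SHA-512" advice: a second store constructed with `hash_algorithm="sha512"` and `verification_algorithms=("sha512", "sha256")` over the same records still verifies tokens issued under SHA-256, while new tokens are stored under SHA-512.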