Interface Pbkdf2PasswordHash

  • All Superinterfaces:
    PasswordHash

    public interface Pbkdf2PasswordHash
    extends PasswordHash
    This interface represents the built-in Pbkdf2PasswordHash implementation.

    To use Pbkdf2PasswordHash with the built-in Database IdentityStore, configure this interface type as the hashAlgorithm value on the DatabaseIdentityStoreDefinition annotation.

    To configure parameters for Pbkdf2PasswordHash, specify them as the hashAlgorithmParameters value on the DatabaseIdentityStoreDefinition annotation.

    The built-in implementation must support the following configurable parameters:

    Pbkdf2PasswordHash.Algorithm      // default "PBKDF2WithHmacSHA256"
    Pbkdf2PasswordHash.Iterations     // default 2048, minimum 1024
    Pbkdf2PasswordHash.SaltSizeBytes  // default 32, minimum 16
    Pbkdf2PasswordHash.KeySizeBytes   // default 32, minimum 16
     

    And the following PBKDF2 algorithms:

    PBKDF2WithHmacSHA224
    PBKDF2WithHmacSHA256
    PBKDF2WithHmacSHA384
    PBKDF2WithHmacSHA512
     
    Algorithm names are the string literal names documented for the corresponding algorithms by the Java Cryptography Architecture Standard Algorithm Name Documentation.

    The encoded format produced by PasswordHash.generate(char[]), and consumed by PasswordHash.verify(char[], String), is as follows:

    <algorithm>:<iterations>:<base64(salt)>:<base64(hash)>
     
    Where:
    • algorithm -- the algorithm used to generate the hash
    • iterations -- the number of iterations used to generate the hash
    • base64(salt) -- the salt used to generate the hash, base64-encoded
    • base64(hash) -- the hash value, base64-encoded

    Because the algorithm and the parameters used to generate the hash are stored with the hash, the built-in Pbkdf2PasswordHash implementation can verify hashes generated using algorithm and parameter values that differ from the currently configured values. This means the configuration parameters can be changed without impacting the ability to verify existing password hashes.

    (Password hashes generated using algorithms/parameters outside the range supported by Pbkdf2PasswordHash cannot be verified.)
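
    The encoded format and the stored-parameter verification described above, as an added example built on the standard javax.crypto API (Java 9+); it is not the built-in implementation's code. The class and method names are hypothetical, and treating values below the documented minimums as unverifiable is an assumed reading of "outside the range supported".

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Added illustration; hypothetical names, not the built-in Pbkdf2PasswordHash implementation.
public class Pbkdf2EncodedFormatDemo {
    static final Set<String> ALGORITHMS = Set.of("PBKDF2WithHmacSHA224",
        "PBKDF2WithHmacSHA256", "PBKDF2WithHmacSHA384", "PBKDF2WithHmacSHA512");

    static byte[] pbkdf2(String alg, char[] pw, byte[] salt, int iters, int keyBytes) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iters, keyBytes * 8); // key length is given in bits
        return SecretKeyFactory.getInstance(alg).generateSecret(spec).getEncoded();
    }

    static String generate(String alg, int iters, int saltBytes, int keyBytes, char[] pw) throws Exception {
        byte[] salt = new byte[saltBytes];
        new SecureRandom().nextBytes(salt); // fresh random salt for every hash
        Base64.Encoder b64 = Base64.getEncoder();
        return alg + ":" + iters + ":" + b64.encodeToString(salt) + ":"
            + b64.encodeToString(pbkdf2(alg, pw, salt, iters, keyBytes));
    }

    // Every parameter is read from the stored string, not from the current configuration.
    static boolean verify(char[] pw, String encoded) throws Exception {
        String[] p = encoded.split(":"); // ':' never occurs in standard base64 output
        if (p.length != 4 || !ALGORITHMS.contains(p[0])) return false;
        int iters;
        byte[] salt, hash;
        try {
            iters = Integer.parseInt(p[1]);
            salt = Base64.getDecoder().decode(p[2]);
            hash = Base64.getDecoder().decode(p[3]);
        } catch (IllegalArgumentException e) { return false; } // also covers NumberFormatException
        // Assumption: "outside the range supported" means below the documented minimums.
        if (iters < 1024 || salt.length < 16 || hash.length < 16) return false;
        // The key size is not stored; it is the decoded hash length. Compare in constant time.
        return MessageDigest.isEqual(hash, pbkdf2(p[0], pw, salt, iters, hash.length));
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample-password".toCharArray(); // constructed sample input
        String old = generate("PBKDF2WithHmacSHA256", 2048, 32, 32, pw);      // the documented defaults
        String upgraded = generate("PBKDF2WithHmacSHA512", 4096, 32, 64, pw); // after a config change
        System.out.println(old + " -> " + verify(pw, old));
        System.out.println(upgraded + " -> " + verify(pw, upgraded));
        System.out.println("wrong password -> " + verify("nope".toCharArray(), old));
    }
}
```

    Both stored hashes verify under the same code path even though they were generated with different settings, which is why raising Iterations or switching the algorithm does not invalidate existing rows in the identity store.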

    See Also:
    DatabaseIdentityStoreDefinition.hashAlgorithm(), DatabaseIdentityStoreDefinition.hashAlgorithmParameters()