I am looking to get the salt value for a user password.
I have read how DS stores password values:
https://backstage.forgerock.com/knowledge/kb/article/a44757687
Specifically, I am interested in:
Name |Applicable versions | Salt size (bytes) | Key size (bits) | Format
PBKDF2-HMAC-SHA256 | DS 7 and later | 16 | “{PBKDF2-HMAC-SHA256}” <iterations> “:” base64(<digest> <salt>)
I also see the code to get the hash length and salt length here:
https://backstage.forgerock.com/knowledge/kb/article/a44757687
I tried to update the code to get the salt value from the following but cannot seem to get it. (This is test data, not concerned about posting here.)
var original = "{PBKDF2-HMAC-SHA256}10:8c7nLGEIXeZf45YQ92A2MD+v8olvKKl6iWXGQZoluJ/awqZnHwFvslIOx7xOZ9AV"
Shouldn’t I be able to get the salt from this string?
Solved it.
import java.util.Arrays;
import java.util.Base64;

class PBKDF2HashExtractor
{
    static final int SHA_ALGORITHM_SIZE = 32; // Number of bytes returned from a SHA-256 hash
    static final String PREFIX = "{PBKDF2-HMAC-SHA256}10:"; // PBKDF2 prefix, including the iteration count (10)

    public static void main(String[] args)
    {
        // example hash
        var original = "{PBKDF2-HMAC-SHA256}10:09WsfABUXWTsm6WVP1T//rdhSUPA0FwkQoZSSqBeojoxdKon88VAnzjlCFDkXQun";
        var base64 = original.substring(PREFIX.length());
        var bytes = Base64.getDecoder().decode(base64);

        // split the decoded bytes into pw hash (first 32 bytes) and salt (the rest)
        var hashBytes = Arrays.copyOfRange(bytes, 0, SHA_ALGORITHM_SIZE);
        var saltBytes = Arrays.copyOfRange(bytes, SHA_ALGORITHM_SIZE, bytes.length);

        // encode pw hash
        String hashEncode = Base64.getEncoder().encodeToString(hashBytes);
        System.out.println("Endoded Password Hash = " + hashEncode);

        // encode salt
        String saltEncode = Base64.getEncoder().encodeToString(saltBytes);
        System.out.println("Endoded Salt = " + saltEncode);

        System.out.println("Hash length = " + hashBytes.length);
        System.out.println("Salt length = " + saltBytes.length);
    }
}
Produces
Endoded Password Hash = 09WsfABUXWTsm6WVP1T//rdhSUPA0FwkQoZSSqBeojo=
Endoded Salt = MXSqJ/PFQJ845QhQ5F0Lpw==
Hash length = 32
Salt length = 16
Hi Markr, great job! The steps you worked out for extracting the salt value from the encoded hash are immensely valuable to our community. Thank you for sharing this information with the collective!
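Generalising the split worked out in this thread, as an added example that is not part of the original posts and not ForgeRock code: it reads the iteration count from the stored value instead of hard-coding `10:`, rejects values that carry no salt, and checks a candidate password against the stored digest. The class and method names are hypothetical, and it assumes DS computes standard PBKDF2-HMAC-SHA256 over the UTF-8 password with a 32-byte digest.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not ForgeRock code); class and method names are hypothetical.
class DsPbkdf2Value {
    static final String SCHEME = "{PBKDF2-HMAC-SHA256}";
    static final int DIGEST_BYTES = 32; // SHA-256 output size
    final int iterations;
    final byte[] digest, salt;

    DsPbkdf2Value(String stored) {
        int colon = stored.indexOf(':');
        if (!stored.startsWith(SCHEME) || colon < 0)
            throw new IllegalArgumentException("not a " + SCHEME + " value");
        // The iteration count sits between the scheme name and the colon.
        iterations = Integer.parseInt(stored.substring(SCHEME.length(), colon));
        byte[] raw = Base64.getDecoder().decode(stored.substring(colon + 1));
        if (raw.length <= DIGEST_BYTES)
            throw new IllegalArgumentException("no salt after the digest");
        digest = Arrays.copyOfRange(raw, 0, DIGEST_BYTES);
        salt = Arrays.copyOfRange(raw, DIGEST_BYTES, raw.length);
    }

    // Assumption: standard PBKDF2 over the UTF-8 password, 256-bit output.
    static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        var spec = new PBEKeySpec(password, salt, iterations, DIGEST_BYTES * 8);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    boolean matches(char[] candidate) throws Exception {
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(digest, derive(candidate, salt, iterations));
    }

    public static void main(String[] args) throws Exception {
        // Value from the thread: only the split is shown, its password is not on the page.
        var posted = new DsPbkdf2Value("{PBKDF2-HMAC-SHA256}10:09WsfABUXWTsm6WVP1T//rdhSUPA0FwkQoZSSqBeojoxdKon88VAnzjlCFDkXQun");
        System.out.println(posted.iterations + " iterations, salt " + Base64.getEncoder().encodeToString(posted.salt));
        // Constructed round trip: fixed 16-byte salt and a made-up password.
        char[] pw = "constructed-password".toCharArray();
        byte[] salt = "0123456789abcdef".getBytes();
        byte[] raw = Arrays.copyOf(derive(pw, salt, 10), DIGEST_BYTES + salt.length);
        System.arraycopy(salt, 0, raw, DIGEST_BYTES, salt.length);
        var built = new DsPbkdf2Value(SCHEME + "10:" + Base64.getEncoder().encodeToString(raw));
        System.out.println("right password: " + built.matches(pw));
        System.out.println("wrong password: " + built.matches("other".toCharArray()));
    }
}
```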