Is there a way to export the salt for a user password?

I am looking to get the salt value for a user password.

I have read how DS stores password values

https://backstage.forgerock.com/knowledge/kb/article/a44757687

Specifically, I am interested in

Name | Applicable versions | Salt size (bytes) | Key size (bits) | Format
PBKDF2-HMAC-SHA256 | DS 7 and later | 16 | | "{PBKDF2-HMAC-SHA256}" <iterations> ":" base64(<digest> <salt>)

I also see the code to get the hash length and salt length here:

https://backstage.forgerock.com/knowledge/kb/article/a44757687

I tried to update the code to get the salt value from the following but cannot seem to get it. (This is test data, not concerned about posting here.)

var original = "{PBKDF2-HMAC-SHA256}10:8c7nLGEIXeZf45YQ92A2MD+v8olvKKl6iWXGQZoluJ/awqZnHwFvslIOx7xOZ9AV"

Shouldn’t I be able to get the salt from this string?

Solved it.

import java.util.Arrays;
import java.util.Base64;

class PBKDF2HashExtractor
{
    static final int SHA_ALGORITHM_SIZE = 32; // Number of bytes returned from a SHA-256 hash
    static final String PREFIX = "{PBKDF2-HMAC-SHA256}10:"; // PBKDF2 prefix, including the iteration count (10) of the example value

    public static void main(String[] args)
    {

        //example hash
        var original = "{PBKDF2-HMAC-SHA256}10:09WsfABUXWTsm6WVP1T//rdhSUPA0FwkQoZSSqBeojoxdKon88VAnzjlCFDkXQun";
        

        var base64 = original.substring(PREFIX.length());
        var bytes = Base64.getDecoder().decode(base64);

        //split the hash into pw hash and salt
        var hashBytes = Arrays.copyOfRange(bytes, 0, SHA_ALGORITHM_SIZE);
        var saltBytes = Arrays.copyOfRange(bytes, SHA_ALGORITHM_SIZE, bytes.length);

        //encode pw hash
        String hashEncode = Base64.getEncoder().encodeToString(hashBytes);
        System.out.println("Endoded Password Hash = " + hashEncode);

        //encode salt
        String saltEncode = Base64.getEncoder().encodeToString(saltBytes);
        System.out.println("Endoded Salt = " + saltEncode);

        System.out.println("Hash length = " + hashBytes.length);
        System.out.println("Salt length = " + saltBytes.length);

    }
}

Produces

Endoded Password Hash = 09WsfABUXWTsm6WVP1T//rdhSUPA0FwkQoZSSqBeojo=
Endoded Salt = MXSqJ/PFQJ845QhQ5F0Lpw==
Hash length = 32
Salt length = 16

2 Likes
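
An added example, not part of the original posts and not ForgeRock code: it generalizes the extractor above by reading the iteration count from the stored value instead of hard-coding `10:`, rejecting payloads that are not 32 digest bytes plus 16 salt bytes, and re-deriving the digest to check a candidate password. The class and method names are hypothetical, and it assumes standard PBKDF2-HMAC-SHA256 with a 256-bit derived key.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: class and method names are hypothetical, not ForgeRock code.
class DsPbkdf2Sha256 {
    static final String SCHEME = "{PBKDF2-HMAC-SHA256}";
    static final int DIGEST_BYTES = 32; // SHA-256 output size
    static final int SALT_BYTES = 16;   // salt size the KB table lists for this scheme
    final int iterations;
    final byte[] digest, salt;

    // Parse "{PBKDF2-HMAC-SHA256}<iterations>:base64(<digest><salt>)".
    DsPbkdf2Sha256(String stored) {
        int colon = stored.indexOf(':', SCHEME.length());
        if (!stored.startsWith(SCHEME) || colon < 0)
            throw new IllegalArgumentException("not a PBKDF2-HMAC-SHA256 value");
        iterations = Integer.parseInt(stored.substring(SCHEME.length(), colon));
        byte[] raw = Base64.getDecoder().decode(stored.substring(colon + 1));
        if (iterations < 1 || raw.length != DIGEST_BYTES + SALT_BYTES)
            throw new IllegalArgumentException("bad iteration count or payload length");
        digest = Arrays.copyOfRange(raw, 0, DIGEST_BYTES);
        salt = Arrays.copyOfRange(raw, DIGEST_BYTES, raw.length);
    }

    // Re-derive the digest from a candidate password; compare in constant time.
    // Assumption: standard PBKDF2-HMAC-SHA256 with a 256-bit derived key.
    boolean matches(char[] password) throws Exception {
        var spec = new PBEKeySpec(password, salt, iterations, DIGEST_BYTES * 8);
        byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return MessageDigest.isEqual(derived, digest);
    }

    public static void main(String[] args) throws Exception {
        // Default is the test value posted in the thread; args[0] overrides it.
        var h = new DsPbkdf2Sha256(args.length > 0 ? args[0]
            : "{PBKDF2-HMAC-SHA256}10:09WsfABUXWTsm6WVP1T//rdhSUPA0FwkQoZSSqBeojoxdKon88VAnzjlCFDkXQun");
        System.out.println("Iterations = " + h.iterations);
        System.out.println("Salt = " + Base64.getEncoder().encodeToString(h.salt));
        var console = System.console(); // null when not run from a terminal
        if (console != null)
            System.out.println("Password matches = "
                + h.matches(console.readPassword("Password to check: ")));
    }
}
```

The candidate password is read from the console rather than taken as an argument, so it does not end up in shell history or the process list.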

Hi Markr, great job! The steps you worked out for extracting the salt value from the encoded hash are immensely valuable to our community. Thank you for sharing this information with the collective! :+1:

1 Like