Password encryption

Edit online

You can use IBM® Security Directory Server to prevent unauthorized access to user passwords. By using one-way encryption formats, user passwords can be encrypted and stored in the directory. The encryption prevents clear passwords from being accessed by any users and also the system administrators.

The administrator can configure the server to encrypt userPassword attribute values in either a one-way encryption format or a two-way encryption format.

One-way encryption formats:
  • crypt
  • MD5
  • PBKDF2
  • SHA-1
  • Salted SHA-1
  • SHA-2
  • Salted SHA-2

After the server is configured, any new passwords (for new users) or modified passwords (for existing users) are encrypted before they are stored in the directory database. The encrypted passwords are tagged with the encryption algorithm name so that passwords encrypted in different formats can coexist in the directory. When the encryption configuration is changed, existing encrypted passwords remain unchanged and continue to work.

For applications that require retrieval of clear passwords, such as middle-tier authentication agents, the directory administrator needs to configure the server to perform either a two-way encryption or no encryption on user passwords. In this instance, the clear passwords that are stored in the directory are protected by the directory ACL mechanism.

Two-way encryption format:
  • AES

A two-way encryption option, AES, is provided to allow values of the userPassword attribute to be encrypted in the directory and retrieved as part of an entry in the original clear format. It can be configured to use 128, 192, and 256-bit key lengths. Some applications such as middle-tier authentication servers require passwords to be retrieved in clear text format, however, corporate security policies might prohibit storing clear passwords in a secondary permanent storage. This option satisfies both requirements.

A simple bind succeeds if the password provided in the bind request matches any of the multiple values of the userPassword attribute.

When you configure the server by using Web Administration, you can select one of the following encryption options:
None
No encryption. Passwords are stored in the clear text format.
crypt
Passwords are encrypted by the UNIX crypt encryption algorithm before they are stored in the directory.
PBKDF2
Passwords are encrypted by the PBKDF2 family of encrypting algorithms before they are stored in the directory. The following list describes the supported encryption schemes under the PBKDF2 family of encryption algorithms:
  • PBKDF2-SHA1
  • PBKDF2-SHA224
  • PBKDF2-SHA256
  • PBKDF2-SHA384
  • PBKDF2-SHA512
Note: You cannot configure the PBKDF2 algorithm with the Web Administration Tool. Configure this algorithm with the standard ldap modify operation.
MD5
Passwords are encrypted by the MD5 Message Digest algorithm before they are stored in the directory.
SHA-1
Passwords are encrypted by the SHA-1 encryption algorithm before they are stored in the directory.
Salted SHA-1
Passwords are encrypted by the Salted SHA-1 encryption algorithm before they are stored in the directory.
SHA-2
Passwords are encrypted by the SHA-2 family of encryption algorithm before they are stored in the directory. The following encryption schemes are supported under the SHA-2 family of encryption algorithm:
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
Salted SHA-2
Passwords are encrypted by the Salted SHA-2 family of encryption algorithm before they are stored in the directory. The following encryption schemes are supported under the Salted SHA-2 family of encryption algorithm:
  • SSHA-224
  • SSHA-256
  • SSHA-384
  • SSHA-512
AES128
Passwords are encrypted by the AES128 algorithm before they are stored in the directory and are retrieved as part of an entry in the original clear format.
AES192
Passwords are encrypted by the AES192 algorithm before they are stored in the directory and are retrieved as part of an entry in the original clear format.
AES256
Passwords are encrypted by the AES256 algorithm before they are stored in the directory and are retrieved as part of an entry in the original clear format.
Note: The imask format that was available in previous releases is no longer an encryption option. However, any existing imask encrypted values still work.
The default option is AES256. A change is registered in a password encryption directive of the server configuration file: 
ibm-SlapdPwEncryption: AES256
The server configuration file is located in: 
<instance_directory>\etc\ibmslapd.conf

In addition to userPassword, values of the secretKey attribute are always "AES256" encrypted in the directory. Unlike userPassword, this encryption is enforced for values of secretKey. No other option is provided. The secretKey attribute is an IBM- defined schema. Applications can use this attribute to store sensitive data that needs to be always encrypted in the directory and to retrieve the data in clear text format by using the directory access control.

Consult the Installing and Configuring section in the IBM Security Directory Server documentation for additional information about the configuration file.

To specify the type of password encryption, use one of the following methods:

Note:
  1. If the UNIX crypt method is used, only the first 8 characters are effective.
  2. A one-way encrypted password can be used for password matching but it cannot be decrypted. During user login, the login password is encrypted and compared with the stored version for matching verification.