{"id":1434,"date":"2015-01-29T20:33:46","date_gmt":"2015-01-30T02:33:46","guid":{"rendered":"https:\/\/www.identityblog.com\/?page_id=1434"},"modified":"2015-01-30T15:54:27","modified_gmt":"2015-01-30T21:54:27","slug":"hash-transform","status":"publish","type":"page","link":"https:\/\/www.identityblog.com\/?page_id=1434","title":{"rendered":"Hash Claims Transformation"},"content":{"rendered":"
The Hash claims transformation provides the ability to create an output\u00a0claim which is the hash of an\u00a0input claim. Salt\u00a0must be added using a second input claim and an input parameter. \u00a0The input parameter\u00a0must be the name of a secret key belonging to the tenant\u00a0so that\u00a0publication of the policy doesn’t allow an attacker to predict the value of the hash\u00a0by virtue of knowing the input claims.<\/div>\n

 <\/p>\n

\n\n\n<\/colgroup>\n\n\n
\n

InputClaims<\/strong><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

\n\n\n\n<\/colgroup>\n\n\n\n\n
\n

TransformationClaimType<\/em><\/span><\/p>\n<\/td>\n

Description<\/em><\/span><\/td>\n<\/tr>\n
\n

plaintext<\/em><\/span><\/p>\n<\/td>\n

The string to hash<\/td>\n<\/tr>\n
\n

salt<\/em><\/span><\/p>\n<\/td>\n

The optional salt for the hash<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
\n\n\n<\/colgroup>\n\n\n
\n

InputParameters<\/strong><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

\n\n\n\n\n<\/colgroup>\n\n\n\n
\n

Id<\/em><\/span><\/p>\n<\/td>\n

DataType<\/em><\/span><\/td>\nValue<\/em><\/span><\/td>\n<\/tr>\n
\n

randomizerSecret<\/em><\/span><\/p>\n<\/td>\n

string<\/td>\nThe name of a tenant key<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
\n\n\n<\/colgroup>\n\n\n
\n

OutputClaims<\/strong><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

\n\n\n\n<\/colgroup>\n\n\n\n
\n

TransformationClaimType<\/em><\/span><\/p>\n<\/td>\n

Description<\/em><\/span><\/td>\n<\/tr>\n
\n

hash<\/em><\/span><\/p>\n<\/td>\n

The hash computed by the transformation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
\n\n\n<\/colgroup>\n\n\n
\n

Example<\/strong><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

\n

This example defines a ClaimsTransformation of the ‘Hash’ type called ‘HashPasswordWithUserId’. A claim called ‘password’ in the policy schema is hashed using a claim called ‘userId’ as salt. Because the hash is salted this way, two users with different userIds but the same password always end up with different hashes. This makes it impossible for an evil insider to insert the hash of a password he knows into another user’s record and successfully log in as the second user.<\/p>\n

In addition, the InputParameters statement causes the password to be salted by a secret key created by the tenant called, in this case, ‘AccountTransformSecret’. This means that even if two tenants have users with the same userIds and passwords, the hashes produced will be different. Further, it will be impossible to play passwords for a given userId against a known hash in order to discover the password.<\/p>\n

The output of the transformation is put into a claim called ‘hashedPassword’ in the policy schema.<\/p>\n<\/div>\n

<\/p>\n

      \r\n<<\/span>ClaimsTransformation<\/span> Id<\/span>=\"HashPasswordWithUserId\"<\/span> TransformationMethod<\/span>=\"Hash\"<\/span>><\/span>\r\n        <<\/span>InputClaims<\/span>><\/span>\r\n          <<\/span>InputClaim<\/span> ClaimTypeReferenceId<\/span>=\"password\"<\/span> TransformationClaimType<\/span>=\"plaintext\"<\/span> \/><\/span>\r\n          <<\/span>InputClaim<\/span> ClaimTypeReferenceId<\/span>=\"userId\"<\/span> TransformationClaimType<\/span>=\"salt\"<\/span> \/><\/span>\r\n        <\/<\/span>InputClaims<\/span>><\/span>\r\n        <<\/span>InputParameters<\/span>><\/span>\r\n          <<\/span>InputParameter<\/span> Id<\/span>=\"randomizerSecret\"<\/span> DataType<\/span>=\"string\"<\/span> Value<\/span>=\"AccountTransformSecret\"<\/span> \/><\/span>\r\n        <\/<\/span>InputParameters<\/span>><\/span>\r\n        <<\/span>OutputClaims<\/span>><\/span>\r\n          <<\/span>OutputClaim<\/span> ClaimTypeReferenceId<\/span>=\"hashedPassword\"<\/span> TransformationClaimType<\/span>=\"hash\"<\/span> \/><\/span>\r\n        <\/<\/span>OutputClaims<\/span>><\/span>\r\n      <\/<\/span>ClaimsTransformation<\/span>><\/span>\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
The Hash claims transformation provides the ability to create an output\u00a0claim which is the hash of an\u00a0input claim. Salt\u00a0must be added using a second input claim and an input parameter. \u00a0The input parameter\u00a0must be the name of a secret key belonging to the tenant\u00a0so that\u00a0publication of the policy doesn’t allow an attacker to predict the … Continue reading Hash Claims Transformation<\/span><\/a><\/p>\n","protected":false},"author":68,"featured_media":0,"parent":1453,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages\/1434"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1434"}],"version-history":[{"count":13,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages\/1434\/revisions"}],"predecessor-version":[{"id":1452,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages\/1434\/revisions\/1452"}],"up":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages\/1453"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}