15.11. Cryptographic considerations of eduMFA

15.11.1. Encryption keys

The encryption key is a set of three 256-bit AES keys. Usually this key is located in a 96-byte file “enckey”, specified by EDUMFA_ENCFILE in The Config File. The encryption key can be encrypted with a password.

The three encryption keys are used to encrypt

  • data like the OTP seeds and secret keys stored in the Token table,

  • passwords of resolvers used to connect to LDAP/AD or SQL (stored in the ResolverConfig table),

  • and optional additional values.

OTP seeds and passwords are needed in clear text to calculate OTP values or to connect to user stores. So these values need to be stored in a decryptable way.

15.11.2. Token Hash Algorithms

OTP values according to HOTP and TOTP can be calculated using SHA1, SHA2-256 and SHA2-512.

15.11.3. PIN Hashing

Token PINs are managed by eduMFA as the first of the two factors. Each token has its own token PIN. The token PIN is hashed with Argon2 (9 rounds) and stored in the Token database table.

This PIN hashing is performed in lib.crypto:hash.

15.11.4. Administrator Passwords

eduMFA can manage internal administrators using The edumfa-manage Script. Internal administrators are stored in the database table Admin.

The password is stored using Argon2 (9 rounds) with an additional pepper. Argon2 uses a salt that is created randomly for each admin password and stored in the Admin table, while the pepper is unique to one eduMFA installation and stored in the edumfa.cfg file.

This way a database administrator is not able to inject rogue password hashes.

The admin password hashing is performed in lib.crypto:hash_with_pepper.
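
The effect of the pepper described above, as an added example that is not eduMFA code: a hash written straight into the database without knowledge of the pepper never verifies. scrypt from the Python standard library stands in for Argon2; prepending the pepper to the password, the function names and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: scrypt stands in for Argon2 (no Argon2 in the standard library).
# The pepper logic is the same for any salted password hash.
def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def hash_admin_password(password: str, pepper: str):
    """Return (salt, digest) as they would be stored in the database row."""
    salt = secrets.token_bytes(16)              # random per password, kept in the DB
    # Assumption: pepper is prepended to the password; it is never stored in the DB.
    return salt, _kdf(pepper + password, salt)

def verify_admin_password(password: str, pepper: str,
                          salt: bytes, digest: bytes) -> bool:
    """Recompute with the installation pepper and compare in constant time."""
    return hmac.compare_digest(_kdf(pepper + password, salt), digest)

def demo() -> dict:
    pepper = "constructed-pepper-from-config"   # constructed sample value
    salt, digest = hash_admin_password("correct horse", pepper)

    # A row written directly into the database by someone who has no access
    # to the config file: a well-formed salted hash, computed without the pepper.
    rogue_salt = secrets.token_bytes(16)
    rogue_digest = _kdf("password-chosen-by-dba", rogue_salt)

    return {
        "legit_login": verify_admin_password(
            "correct horse", pepper, salt, digest),
        "wrong_password": verify_admin_password(
            "wrong", pepper, salt, digest),
        "rogue_row_login": verify_admin_password(
            "password-chosen-by-dba", pepper, rogue_salt, rogue_digest),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The protection holds only as long as the file holding the pepper is not readable by the same people who can write to the database.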

15.11.5. Audit Signing

The audit log is digitally signed (see Audit and Audit parameters).

The audit log can be handled by different modules. eduMFA comes with an SQL Audit Module which is enabled by default.

For signing the audit log the SQL Audit Module uses the RSA keys specified with the values EDUMFA_AUDIT_KEY_PUBLIC and EDUMFA_AUDIT_KEY_PRIVATE in The Config File.

By default the installer generates 2048-bit RSA keys.

If you can ensure that the private key has not been tampered with, the config entry EDUMFA_AUDIT_NO_PRIVATE_KEY_CHECK = True avoids a time-consuming check during loading of the private key (see also The Audit-log).

The audit signing is performed in lib.crypto:Sign.sign using SHA2-256 as hash function.