--- Begin Message ---
Thanks Pierce and hernanmd
I decided to adopt the solution of the prepended salt as Erik said in the
previous post.
Here is my code, I hope it can be useful for the community
First I hash the password with an empty salt:

    PBKDF2 derivedKeyHashFunction: SHA256 password: 'aSimplePassword' salt: '' iterations: 3000 length: 16.

I would have liked to avoid the empty salt but the message deriveKey needs
it.
Then I used UUID new as real salt and the string '$$' as separator between
the salt and the hashed password.
So here is the byte array I'm going to store in my db:

    saltPlusHashedPassword := UUID new , '$$' asByteArray , (PBKDF2 derivedKeyHashFunction: SHA256 password: 'aSimplePassword' salt: '' iterations: 3000 length: 16).

To validate the password, I retrieve the saltPlusHashedPassword from the db
and split it:

    hashedPassword := (saltPlusHashedPassword splitOn: ('$$' asByteArray)) second.

Finally the validation:

    (PBKDF2 derivedKeyHashFunction: SHA256 password: 'aSimplePassword' salt: '' iterations: 3000 length: 16) = (ByteArray new , hashedPassword).

Note, I have to concatenate ByteArray new with hashedPassword because
hashedPassword is not a ByteArray but a UUID. If you have a smarter way to
do it, you are welcome.
HTH
Francis
Erik Stel wrote
> Francis,
>
> The hashpw function returns a hash with the salt prepended. So it contains
> both elements. (See for example explanation at:
> https://stackoverflow.com/questions/27413248/why-can-bcrypt-hashpw-be-used-both-for-hashing-and-verifying-passwords).
>
>
> You can do the same thing here. Assuming you have a fixed size salt, just
> prepend it before the hash value. Since the salt is (should be) random,
> returning its value does not weaken the security. Using a salt protects
> against rainbow table attacks: pre-generated hash values for many possible
> passwords. (See https://en.wikipedia.org/wiki/Rainbow_table).
>
> Cheers,
> Erik
--
View this message in context:
http://forum.world.st/Validate-password-with-PBKDF2-tp4952973p4953119.html
Sent from the Pharo Smalltalk Users mailing list archive at Nabble.com.
--- End Message ---
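The fixed-size prepended salt that Erik describes, as an added example in Python's standard library (not code from the thread, and not Pharo's PBKDF2 package): the random salt is passed into the derivation, stored in front of the derived key, and recovered by length rather than by a separator, since random bytes can themselves contain `$$`. The function names, `SALT_LEN` and the use of `os.urandom` are assumptions of this example; the iteration count and key length are the ones used in the thread.

```python
import hashlib
import hmac
import os

SALT_LEN = 16      # fixed salt size (assumption; a UUID is also 16 bytes)
KEY_LEN = 16       # derived key length used in the thread
ITERATIONS = 3000  # iteration count used in the thread; tune upward in practice


def derive(password, salt):
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_LEN)


def make_record(password, salt=None):
    """Return salt || derived key, the byte string stored in the database."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    return salt + derive(password, salt)


def verify(password, record):
    """Split the record by length, re-derive with the stored salt, compare."""
    if len(record) != SALT_LEN + KEY_LEN:
        return False  # truncated or corrupted record
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    # constant-time comparison avoids leaking how many leading bytes match
    return hmac.compare_digest(derive(password, salt), stored)


if __name__ == "__main__":
    first = make_record("aSimplePassword")
    second = make_record("aSimplePassword")
    print("correct password accepted:", verify("aSimplePassword", first))
    print("wrong password accepted:  ", verify("wrongPassword", first))
    # Same password, different salts: the stored keys differ, so one
    # precomputed table cannot cover both records.
    print("stored keys differ:       ", first[SALT_LEN:] != second[SALT_LEN:])
```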