Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is there a standard for using PBKDF2 as a password hash?

Tags:

security

hash

pbkdf2

Join me in the fight against weak password hashes.

A PBKDF2 password hash should contain the salt, the number of iterations, and the hash itself so it's possible to verify later. Is there a standard format, like RFC2307's {SSHA}, for PBKDF2 password hashes? BCRYPT is great but PBKDF2 is easier to implement.

Apparently, there's no spec. So here's my spec.

>>> from base64 import urlsafe_b64encode
>>> password = u"hashy the \N{SNOWMAN}"
>>> salt = urlsafe_b64decode('s8MHhEQ78sM=')
>>> encoded = pbkdf2_hash(password, salt=salt)
>>> encoded
'{PBKDF2}1000$s8MHhEQ78sM=$hcKhCiW13OVhmLrbagdY-RwJvkA='

Update: http://www.dlitz.net/software/python-pbkdf2/ defines a crypt() replacement. I updated my little spec to match his, except his starts with $p5k2$ instead of {PBKDF2}. (I have the need to migrate away from other LDAP-style {SCHEMES}).

That's {PBKDF2}, the number of iterations in lowercase hexadecimal, $, the urlsafe_base64 encoded salt, $, and the urlsafe_base64 encoded PBKDF2 output. The salt should be 64 bits, the number of iterations should be at least 1000, and the PBKDF2 with HMAC-SHA1 output can be any length. In my implementation it is always 20 bytes (the length of a SHA-1 hash) by default.

The password must be encoded to utf-8 before being sent through PBKDF2. No word on whether it should be normalized into Unicode's NFC.

This scheme should be on the order of iterations times more costly to brute force than {SSHA}.

like image 599
joeforker Avatar asked Sep 24 '09 18:09

joeforker

1 Answers

There is a specification for the parameters (salt and iterations) of PBKDF2, but it doesn't include the hash. This is included in PKCS #5 version 2.0 (see Appendix A.2). Some platforms have built-in support for encoding and decoding this ASN.1 structure.

Since PBKDF2 is really a key derivation function, it doesn't make sense for it to specify a way to bundle the "hash" (which is the really a derived key) together with the derivation parameters—in normal usage, the key must remain secret, and is never stored.

But for usage as a one-way password hash, the hash can be stored in a record with the parameters, but in its own field.

like image 99
erickson Avatar answered Oct 27 '22 23:10

erickson
Sign in to Comment

Related questions

ClientMessageInspector add BinarySecurityToken and Signature
Apache Shiro 1.4.0 initialization
How can you encrypt users' data server-side without ruining the experience?
Is bcrypt viable for large web sites?
What is the correct way to clear sensitive data from memory in iOS?
How do you prevent phishing in mobile app?
How to limit web services usage in Java application?
PHP image upload security approach
Is it possible to add multiple Content Security Policy directive in Asp.net Web.config?
Plugin system security in .NET Framework 4.x (without CAS)
Is an AJAX call cross-domain if only the port is different?
Demystifying Web Authentication
CSRF tokens - how to implement properly?
Django JSON De-serialization Security
Rails attr_accessible :object vs :object_id
Session integration, is this approach secure?
Improve the usability of 3rd party application
Safely distribute OAuth 2.0 client_secret in desktop applications in Python
Is it safe to run a pool under NT AUTHORITY\NETWORK SERVICE?
How secure is the ASP.NET Membership framework?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!