I’m playing with the PBKDF2 package of Udo:
(thanks Udo), but I can’t find how to validate a stored hash.
Can you point me in the right direction?
Looks like you’ll have to store the salt when making the original hash of the
With that you can do
| salt originalPassword userInputPassword originalHash newHash secretKey |
originalHash:=PBKDF2 derivedKeySHA1Password: originalPassword salt: salt.
newHash:=PBKDF2 derivedKeySHA1Password: userInputPassword salt: salt.
secretKey:= SecureRandom new nextBytes: 16.
((SHA256 new hmac key: secretKey) digestMessage: originalHash) = ((SHA256
new hmac key: secretKey) digestMessage: newHash).
We do the double SHA256 HMAC signing of the hashes because of
You can store the #secretKey and each user should get a new #salt every time
they change their password and you shouldn’t reuse the salts for other users
For PBKDF2 there is probably a max (or recommended) salt length but I don’t
I also don’t know anything about the SecureRandom class but it says it on
the tin, so maybe it is. Maybe not though. I don’t know how to find out.
But I don’t know that it matters in this instance as its only used for the
SHA256 HMAC internally in the comparison function.
Hope this helps.