About PBKDF2 salt

I’m playing with the PBKDF2 package of Udo:
(thanks Udo), but I can’t find how to validate a stored hash.
Can you point me in the right direction?



Looks like you’ll have to store the salt when making the original hash of the

With that you can do

| salt originalPassword userInputPassword originalHash  newHash secretKey |
originalHash:=PBKDF2 derivedKeySHA1Password: originalPassword salt: salt.
newHash:=PBKDF2 derivedKeySHA1Password: userInputPassword salt: salt.

secretKey:= SecureRandom new nextBytes: 16.

((SHA256 new hmac key: secretKey) digestMessage: originalHash) = ((SHA256
new hmac key: secretKey) digestMessage: newHash).

We do the double SHA256 HMAC signing of the hashes because of

You can store the #secretKey and each user should get a new #salt every time
they change their password and you shouldn’t reuse the salts for other users
or password.

For PBKDF2 there is probably a max (or recommended) salt length but I don’t
know it.

I also don’t know anything about the SecureRandom class but it says it on
the tin, so maybe it is.  Maybe not though.  I don’t know how to find out.
But I don’t know that it matters in this instance as its only used for the
SHA256 HMAC internally in the comparison function.

Hope this helps.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: