About PBKDF2 salt

I’m playing with the PBKDF2 package of Udo:
http://www.smalltalkhub.com/#!/~UdoSchneider/PBKDF2
(thanks Udo), but I can’t find how to validate a stored hash.
Can you point me in the right direction?

Thanks
Francis

Answer:

Looks like you’ll have to store the salt when making the original hash of the
password.

With that you can do

| salt originalPassword userInputPassword originalHash  newHash secretKey |
salt:=’salt’.
originalPassword:=’password’.
userInputPassword:=’12345678′.
originalHash:=PBKDF2 derivedKeySHA1Password: originalPassword salt: salt.
newHash:=PBKDF2 derivedKeySHA1Password: userInputPassword salt: salt.

secretKey:= SecureRandom new nextBytes: 16.

((SHA256 new hmac key: secretKey) digestMessage: originalHash) = ((SHA256
new hmac key: secretKey) digestMessage: newHash).

We do the double SHA256 HMAC signing of the hashes because of
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/

You can store the #secretKey and each user should get a new #salt every time
they change their password and you shouldn’t reuse the salts for other users
or password.

For PBKDF2 there is probably a max (or recommended) salt length but I don’t
know it.

I also don’t know anything about the SecureRandom class but it says it on
the tin, so maybe it is.  Maybe not though.  I don’t know how to find out.
But I don’t know that it matters in this instance as its only used for the
SHA256 HMAC internally in the comparison function.

Hope this helps.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: