Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pbkdf2 seems to generate a wrong hash #12

Open
snakamura opened this issue Apr 23, 2014 · 6 comments
Open

pbkdf2 seems to generate a wrong hash #12

snakamura opened this issue Apr 23, 2014 · 6 comments

Comments

@snakamura
Copy link

I tested pbkdf2 function from pwstore-fast and pbkdf packages, and found that these two libraries generated different results.

>>> Crypto.PBKDF.ByteString.sha256PBKDF2 "password" "salt" 1000 32
"c,(\DC2\228mF\EOT\DLE+\167a\142\157m}/\129(\246&kJ\ETX&M*\EOT`\183\220\179"

>>> Crypto.PasswordStore.pbkdf2 "password" (Crypto.PasswordStore.importSalt $ Data.ByteString.Base64.encode "salt") 1000
"\191>\158?\217=\248\233SG\207\231\138\139\&8\255\SUB\185g\SO]\244\&0\159%\255z\229\216\239\133U"

As a reference, I also generated a hash with pbkdf2-ruby and it generated the same result as pbkdf library.

>>> PBKDF2.new(:password=>'password', :salt=>'salt', :iterations=>1000, :hash_function => OpenSSL::Digest::SHA256, :key_length => 32).bin_string
=> "c,(\x12\xE4mF\x04\x10+\xA7a\x8E\x9Dm}/\x81(\xF6&kJ\x03&M*\x04`\xB7\xDC\xB3"

Did I miss something?
@alexanderkjeldaas
Copy link
Contributor

What is the status of this? RFC6070 contains authorative test vectors.

@adinapoli
Copy link
Contributor

Hi there, I'm the implementor of the pbkdf2 function. I tested the algorithm myself against the rfc vectors, and used the library to generate legacy hashes for a Django app I had, and it all worked fine, so this issue is coming as a surprise.
Is this the second library you tried?

http://hackage.haskell.org/package/pbkdf-1.1.1.1

Alfredo

@snakamura
Copy link
Author

Yes, it is.

@adinapoli
Copy link
Contributor

Ok, I will take a look over the weekend if I have time.
Please bear in mind though that the RFC6070 gives you test vector for pbkdf2 which uses HMAC-Sha1 as pseudorandom function derivation.
My implementation uses internally hmac-sha256:

http://hackage.haskell.org/package/pwstore-fast-2.4.4/docs/src/Crypto-PasswordStore.html#pbkdf2

@galenhuntington galenhuntington mentioned this issue Aug 18, 2018
Open
@tom-bop
Copy link

tom-bop commented Aug 23, 2018

@adinapoli do you have any update on this?

@galenhuntington
Copy link

The problem apparently is that the salt is base64-encoded before it is used to hash. Indeed, if one bypasses it,

> Crypto.PasswordStore.pbkdf2 "password" (Crypto.PasswordStore.importSalt "salt") 1000
"c,(\DC2\228mF\EOT\DLE+\167a\142\157m}/\129(\246&kJ\ETX&M*\EOT`\183\220\179"

This is pretty irregular. Normally the encoding is just for outputting the string, and the salt is used directly as bytes during hashing. However, I suppose it's not any less secure, and for the sake of those already using this package it shouldn't be changed now. Still, I'd be reluctant to use this package for new projects, given this inconsistency with other PBKDF implementations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alexanderkjeldaas @adinapoli @snakamura @galenhuntington @tom-bop