PBKDF2 Password Hashing - Proof of concept for comments


Andrew Dixon

Apr 15, 2015, 8:04:38 AM
to lu...@googlegroups.com
Hi All,

Please can I have comments on the following PBKDF2 password hashing proof of concept:


I'm not really that familiar with this type of thing so I want some outside comments on it.

Thanks.

Kind regards,

Andrew
about.me
mso - Lucee - Member

Peter Boughton

Apr 15, 2015, 6:00:13 PM
to lu...@googlegroups.com
> I'm not really that familiar with this type of thing so I want some
> outside comments on it.

Are you trying to learn, or do you just want something that works?

If the latter then...

http://sorcerersisle.com/projects:cfpassphrase

The equivalent to what you posted, without the hassle of
casting/chars/etc...

<cfscript>
password = 'password';
secret = PassphraseHash( password , 'pbkdf2' , { iterations:10000 , SaltBytes:50 , HashBytes:256 } );
dump(secret);
</cfscript>

Except 10k iterations is the bare minimum you should use - more would
be better. (The default is 86k.)

https://github.com/boughtonp/cfpassphrase/wiki/Tuning-Algorithm-Params#pbkdf2


If you don't want to install the extension, you can use the jar direct...

PassObj = createObject('java','sorcerersisle.cfpassphrase.Impl','cfpassphrase-v0.1.jar');
secret = PassObj.hash( password , 'pbkdf2' , { iterations:10000 , SaltBytes:50 , HashBytes:256 } );

And if you specifically need an array of bytes of just the hash (which
is what your code outputs), you can use:

secret = createObject('java','javax.xml.bind.DatatypeConverter').parseHexBinary( ListLast(secret,':') );

But that's probably unnecessary; a hex string is likely more
convenient, and you should be storing the whole thing anyway (i.e.
including the iterations and salt).

Andrew Dixon

Apr 15, 2015, 6:27:37 PM
to lu...@googlegroups.com
Hi Peter,

Little bit of learning but really just need something to use that I know is working correctly. This looks great. You mention a Lucee extension but how do I get it? I checked the Lucee Admin and it's not listed in the default extension provider, so I tried the Lucee zip file from your link but that errors, saying "There is no config.xml file available in the extension!" which when looking at the zip is correct. What have I missed?

Thanks.

Kind regards,

Andrew
about.me
mso - Lucee - Member


--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/20150415230007.00000262%40sorcerersisle.com.
For more options, visit https://groups.google.com/d/optout.

Peter Boughton

Apr 15, 2015, 6:36:05 PM
to lu...@googlegroups.com
Sorry I should have said about that, I've not done the auto-deploy thing
yet - it's at the top of my todo list but life keeps getting in the way.

Installing manually is copying three files, as described here:
https://github.com/boughtonp/cfpassphrase/wiki/Installation#lucee--railo

Andrew Dixon

Apr 15, 2015, 6:43:58 PM
to lu...@googlegroups.com
Cool, thanks Peter.

Certainly know what you mean about life getting in the way.

Kind regards,

Andrew
about.me
mso - Lucee - Member


Andrew Dixon

Apr 17, 2015, 6:46:22 PM
to lu...@googlegroups.com
Hi Peter,

I have just been trying this out but I can't get it working using the instructions provided. I've added the files in the variable places but on server start in the catalina.out file I'm seeing the error:

WARNING: Failed to process TLD found at [/WEB-INF/lucee/library/tld/cfPassphrase.tld]
java.io.FileNotFoundException: Could not resolve XML resource [[dtd]] with public ID [-//Lucee//DTD CFML Tag Library 1.0//EN], system ID [dtd/web-cfmtaglibrary_1_0.dtd] and base URI [null] to a known, local entity.

I'm assuming this means that it hasn't installed correctly as I then get:

No matching function [PASSPHRASEHASH] found

When attempting to run the example code.

Any ideas?


Kind regards,

Andrew
about.me
mso - Lucee - Member

Andrew Dixon

Apr 17, 2015, 8:48:37 PM
to lu...@googlegroups.com
It's ok, I figured it out. I had the /context/library/fld and /context/library/tld directories in a couple of different locations and it was just a matter of getting them in the right one. All working now.

Kind regards,

Andrew
about.me
mso - Lucee - Member

Michael Offner

Apr 18, 2015, 2:56:12 AM
to lu...@googlegroups.com
I will check if there is an easier way to do it.

Micha

Andrew Dixon

Apr 18, 2015, 5:34:01 AM
to lu...@googlegroups.com
Hi Micha,

I did raise this ticket a couple of weeks ago for ACF compatibility as ACF11 has the function built-in:


Kind regards,

Andrew
about.me
mso - Lucee - Member

Peter Boughton

May 2, 2015, 3:41:50 PM
to lu...@googlegroups.com
Andrew wrote:
> It's ok, I figured it out. I had the /context/library/fld and
> /context/library/tld directories in a couple of different locations
> and it was just a matter of getting them in the right one. All
> working now.

Sorry for not responding sooner, but can you clarify on that - was it a
matter of getting files in the right WEB-INF dir, or did you need to put
them in the server-context ones for it to work?

It should work per web-context (i.e. WEB-INF), but I don't remember if
I tested that on Lucee.

(Hopefully at some point this weekend I'll get onto the auto-deploy
bundling stuff which should make this a non-issue anyway.)

Andrew Dixon

May 11, 2015, 2:15:13 PM
to lu...@googlegroups.com
Hi Peter,

Just managed to get back to this. I noticed in the function call and the documentation there is no mention of salting the passphrase, either before it is passed in or as a parameter in the function call itself. 

Is it required to salt the passphrase manually? I assume it is and that it would be recommended to do so. If so I will add something to the wiki on Github.

Also what would you recommend for adding the salt, I have seen something like this:

<cfscript>
    passphrase = "password";
    random = createObject("java", "java.security.SecureRandom");
    salt_bytes = javaCast("byte[]", [].set(1,50,0));
    random.nextBytes(salt_bytes);
    salt = toBase64(salt_bytes);
    passphrase = passphrase & salt;
</cfscript>

Thanks.

Kind regards,

Andrew


Peter Boughton

May 14, 2015, 3:58:12 PM
to lu...@googlegroups.com
Hi Andrew,

You don't need to provide the salt manually, it is done automatically:
https://github.com/boughtonp/cfpassphrase/blob/master/src/crackstation/PBKDF2/PasswordHash.java#L97

You can increase the length of the salt with the SaltBytes parameter:
https://github.com/boughtonp/cfpassphrase/wiki/Tuning-Algorithm-Params#saltbytes

The docs do gloss over this, so I'll update them to make it clear.

Thanks,

Peter
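
Two points from Peter's replies in this thread, that the salt is generated automatically per hash and that the stored value should include the iterations and salt, shown as an added example (not cfpassphrase's code and not written by anyone in the thread). It is in Python so that it runs stand-alone; the `iterations:salt:hash` hex layout, the HMAC-SHA256 PRF and the function names are assumptions, not the library's documented format.

```python
import hashlib
import hmac
import secrets

PRF = "sha256"  # assumption: the thread does not say which HMAC the library uses


def hash_passphrase(passphrase, iterations=86_000, salt_bytes=16, hash_bytes=32):
    """Return 'iterations:salt_hex:hash_hex' using a fresh random salt."""
    salt = secrets.token_bytes(salt_bytes)  # new CSPRNG salt for every hash
    derived = hashlib.pbkdf2_hmac(PRF, passphrase.encode("utf-8"), salt,
                                  iterations, dklen=hash_bytes)
    return f"{iterations}:{salt.hex()}:{derived.hex()}"


def _parse(stored):
    """Split a stored record into (iterations, salt bytes, hash bytes)."""
    iterations, salt_hex, hash_hex = stored.split(":")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def check_passphrase(passphrase, stored):
    """Recompute with the stored salt and iteration count, then compare."""
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:
        return False  # malformed record: fail closed
    if iterations < 1 or not expected:
        return False
    derived = hashlib.pbkdf2_hmac(PRF, passphrase.encode("utf-8"), salt,
                                  iterations, dklen=len(expected))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derived, expected)


def needs_rehash(stored, minimum_iterations):
    """True when the record was made with fewer iterations than current policy."""
    return _parse(stored)[0] < minimum_iterations


if __name__ == "__main__":
    record = hash_passphrase("password", iterations=10_000)  # constructed sample
    print(record)
    print(check_passphrase("password", record))
    print(needs_rehash(record, 86_000))
```

Because the iteration count travels with each record, old hashes can be detected and re-derived at the next successful login when the work factor is raised.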

Andrew Dixon

May 14, 2015, 4:17:55 PM
to lu...@googlegroups.com
Hi Peter,

Yeah, I worked that out after sending the message, but forgot to follow up and say.

Kind regards,

Andrew


Ryan Guill

May 14, 2015, 4:35:37 PM
to lu...@googlegroups.com
Here is my version of PBKDF2 hashing in CFML if you're interested: https://gist.github.com/ryanguill/11405725