Using Argon2 for hashing/storing passwords


Johannes Lichtenberger

Jun 11, 2018, 2:59:55 PM
to vert.x
Hey, is it possible to use a strong password hashing function as for instance Argon2, scrypt or PBKDF2? I want to use very basic authentication/authorization over HTTPS (basic auth) to protect resources in a versioned storage system from getting manipulated by everyone before publishing a first draft of a RESTful API (so, providing a very basic user management).

I set up some demo code of what I've done so far in a few days' work (learning both Vert.x and Kotlin plus using Intellij ;-)) in [1], which needs a lot of testing as well as documentation. I've used Shiro with a simple properties file, but as of now it's not even hashed at all. So I read about storing passwords safely, but oftentimes it seems even SHA1 is still being used by frameworks. So basically I'd love to store which hashing algorithm has been used along with the hashed passwords, such that I can switch anytime :-)

Kind regards
Johannes

[1] https://github.com/sirixdb/sirix/tree/master/bundles/sirix-rest-api

javadevmtl

Jun 12, 2018, 2:28:52 PM
to vert.x
Vert.x JDBC auth supports PBKDF2.


Once you have instantiated your JDBCAuth it's as easy as doing...

jdbcAuth.setHashStrategy(JDBCHashStrategy.createPBKDF2(vertx));

javadevmtl

Jun 12, 2018, 2:36:01 PM
to vert.x
Also, hashing happens on the backend/server side, so there's no need to switch algos. You only move forward really, i.e. go to stronger algos.
From the client side you supply the clear text of the password, using HTTPS as the transport. The password gets hashed by the backend and then compared against the hashes stored in the DB. So even if you connect to another "framework" that has a different algo, it doesn't matter.

Paulo Lopes

Jun 12, 2018, 2:48:00 PM
to vert.x
Hi,

That is totally possible; it all starts from the interface:


So to add Argon2 you need to implement a class like:


and register it to the service loader:


This implementation does not need to be in Vert.x itself; since it is a service loader, any local jar that defines the proper META-INF will be available at runtime.

Johannes Lichtenberger

Jun 13, 2018, 12:45:23 PM
to vert.x
Do you have an example of how to use PBKDF2? I'd be fine with it for now. I just want to be sure that the simple prototype of my RESTful API is really useful in practice. Is there a simple auth handler which reads/stores the hashed passwords together with the salt and probably a user role in a simple properties file, as with Shiro? :-)

Kind regards

Paulo Lopes

Jun 14, 2018, 3:52:07 AM
to vert.x
Yes, you can do something like this:

import io.vertx.ext.auth.HashingStrategy;

// loads all available strategies (this is only needed once, say at initialization of your code)
HashingStrategy strategy = HashingStrategy.load();

// encode (the arguments are: "algorithm", "options", "salt value", "password")
// the returned string carries the algorithm id, options and salt, so it can be stored as-is
String hash = strategy.hash("pbkdf2", null, "random-salt", "SuperSecret$!");

// verify (hash is the string received by your app, e.g. read back from the user store)
boolean valid = strategy.verify(hash, "SuperSecret$!");


The verification algorithm runs in constant time to avoid guessing attacks based on the duration of the execution of the "verify" function.
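The scheme the thread converges on (a self-describing stored hash that names its algorithm and parameters, so the store can be migrated forward, plus a constant-time verify) can be illustrated without Vert.x. The following is an added stand-alone Python example, not Vert.x code and not the original poster's; the `$algorithm$params$salt$hash` layout is my own and is not claimed to be byte-identical to what Vert.x's `HashingStrategy` emits, and it uses PBKDF2-HMAC-SHA256 from the standard library in place of a real Argon2 plug-in.

```python
import base64
import hashlib
import hmac
import os

# Registry of algorithms keyed by the id stored inside the hash string.
# Only "pbkdf2" is implemented here; an "argon2" entry would plug in the
# same way, which is what makes a later switch possible without rehashing
# every user at once (assumed design, mirroring the thread's discussion).
ALGORITHMS = {
    "pbkdf2": lambda pw, salt, params: hashlib.pbkdf2_hmac(
        "sha256", pw.encode(), salt, int(params["i"]), dklen=32),
}
# The algorithm/parameters every *new* hash should use ("only move forward").
CURRENT_ALGO = "pbkdf2"
CURRENT_PARAMS = {"i": "100000"}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _params_str(params: dict) -> str:
    return ",".join(f"{k}={v}" for k, v in params.items())


def hash_password(password, algo=CURRENT_ALGO, params=CURRENT_PARAMS, salt=None):
    """Return '$algo$params$salt$digest'; salt is random unless given (tests)."""
    salt = salt or os.urandom(16)          # fresh per-user salt, never reused
    digest = ALGORITHMS[algo](password, salt, params)
    return f"${algo}${_params_str(params)}${_b64(salt)}${_b64(digest)}"


def verify_password(stored, password):
    """Return (valid, needs_rehash).

    The algorithm, parameters and salt come from the stored string itself, so
    old records stay verifiable after CURRENT_* changes; needs_rehash tells the
    caller to re-store the password with the current settings on success.
    """
    _, algo, params_s, salt_b64, digest_b64 = stored.split("$")
    params = dict(kv.split("=") for kv in params_s.split(","))
    computed = ALGORITHMS[algo](password, base64.b64decode(salt_b64), params)
    # compare_digest runs in constant time, so a wrong guess takes as long as
    # a right one regardless of how many leading bytes happen to match
    valid = hmac.compare_digest(computed, base64.b64decode(digest_b64))
    needs_rehash = (algo, params) != (CURRENT_ALGO, CURRENT_PARAMS)
    return valid, needs_rehash
```

On a successful login with `needs_rehash` set, the caller rehashes the just-verified clear-text password with the current settings and overwrites the stored record; that is the only point at which the clear text is available to migrate a user forward.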