PBKDF2 Support


arr2036
A few people have asked for this.

There’s now support for PBKDF2 in v4.0.x for the following hashes:

        { "HMACSHA1", FR_SSHA_PASSWORD },
        { "HMACSHA2+224", FR_SSHA2_224_PASSWORD },
        { "HMACSHA2+256", FR_SSHA2_256_PASSWORD },
        { "HMACSHA2+384", FR_SSHA2_384_PASSWORD },
        { "HMACSHA2+512", FR_SSHA2_512_PASSWORD },

Format of hash string currently supported is the ‘ldap’ format from the CPAN library Crypt::PBKDF2:

        {hash_algorithm}:base64(iterations):base64(salt):base64(hash)

...but there doesn’t seem to be a standard for the hash string format.

Ideally we’d like to add support for common generators of PBKDF2 strings out of the box, in addition
to allowing people to support their own via unlang policies.

…so can anyone suggest what the common formats for PBKDF2 might be?

-Arran

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PBKDF2 Support

Adam Bishop-2
On 27 Jul 2017, at 00:19, Arran Cudbard-Bell <[hidden email]> wrote:
> …so can anyone suggest what the common formats for PBKDF2 might be?

I've seen dollar separated fields in a lot of places.

I don't know of the canonical source for that format, but passlib has an implementation.

http://passlib.readthedocs.io/en/stable/lib/passlib.hash.pbkdf2_digest.html

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  


Re: PBKDF2 Support

arr2036

> On Jul 26, 2017, at 9:55 PM, Adam Bishop <[hidden email]> wrote:
>
> On 27 Jul 2017, at 00:19, Arran Cudbard-Bell <[hidden email]> wrote:
>> …so can anyone suggest what the common formats for PBKDF2 might be?
>
> I've seen dollar separated fields in a lot of places.
>
> I don't know of the canonical source for that format, but passlib has an implementation.
>
> http://passlib.readthedocs.io/en/stable/lib/passlib.hash.pbkdf2_digest.html

$pbkdf2-sha256$8000$XAuBMIYQQogxRg$tRRlz8hYn63B9LYiCd6PRo6FMiunY9ozmMMI3srxeRE

which is similar, yet subtly different to:

Crypt::PBKDF2 (crypt)

$PBKDF2$HMACSHA1:1000:4q9OTg==$9Pb6bCRgnct/dga+4v4Lyv8x31s=

which is similar, yet subtly different to:

http://www.openldap.org/lists/openldap-technical/201311/msg00055.html

{PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw

*sigh*


Re: PBKDF2 Support

Adam Bishop-2
On 27 Jul 2017, at 19:56, Arran Cudbard-Bell <[hidden email]> wrote:
> which is similar, yet subtly different to:
>
> which is similar, yet subtly different to:

Maybe it would be better to take a regex with named capture groups for salt, iterations etc.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk


Re: PBKDF2 Support

arr2036

> On 27 Jul 2017, at 16:04, Adam Bishop <[hidden email]> wrote:
>
> On 27 Jul 2017, at 19:56, Arran Cudbard-Bell <[hidden email]> wrote:
>> which is similar, yet subtly different to:
>>
>> which is similar, yet subtly different to:
>
> Maybe it would be better to take a regex with named capture groups for salt, iterations etc.

Yes, that’s the plan.

But it’s also good to support common formats out of the box.

-Arran



Re: PBKDF2 Support

arr2036

> On 28 Jul 2017, at 07:18, Arran Cudbard-Bell <[hidden email]> wrote:
>
>
>> On 27 Jul 2017, at 16:04, Adam Bishop <[hidden email]> wrote:
>>
>> On 27 Jul 2017, at 19:56, Arran Cudbard-Bell <[hidden email]> wrote:
>>> which is similar, yet subtly different to:
>>>
>>> which is similar, yet subtly different to:
>>
>> Maybe it would be better to take a regex with named capture groups for salt, iterations etc.
>
> Yes, that’s the plan.
>
> But it’s also good to support common formats out of the box.

Also the passlib implementation requires a modified base64 decoder.

-Arran
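
The regex-with-named-capture-groups idea from this thread, applied to the three hash strings quoted above and to passlib's modified base64. This is an added example, not FreeRADIUS code and not part of any post. The names `parse`, `verify` and `ab64_decode` are hypothetical, and treating the bare `{PBKDF2}` scheme as HMAC-SHA1 with the same modified base64 is an assumption.

```python
import base64, hashlib, hmac, re

# Hash strings quoted in the thread (passlib, Crypt::PBKDF2 crypt, OpenLDAP).
SAMPLES = [
    "$pbkdf2-sha256$8000$XAuBMIYQQogxRg$tRRlz8hYn63B9LYiCd6PRo6FMiunY9ozmMMI3srxeRE",
    "$PBKDF2$HMACSHA1:1000:4q9OTg==$9Pb6bCRgnct/dga+4v4Lyv8x31s=",
    "{PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw",
]
# Algorithm labels from the first post, plus passlib suffixes, mapped to hashlib names.
DIGESTS = {"HMACSHA1": "sha1", "HMACSHA2+224": "sha224", "HMACSHA2+256": "sha256",
           "HMACSHA2+384": "sha384", "HMACSHA2+512": "sha512",
           "sha256": "sha256", "sha512": "sha512"}
B64 = r"[A-Za-z0-9+/.]+=*"  # standard alphabet plus '.', optional '=' padding
FORMATS = [  # one regex per format; the named groups carry the fields
    ("passlib", re.compile(rf"\$pbkdf2-(?P<alg>sha256|sha512)\$(?P<iter>\d+)"
                           rf"\$(?P<salt>{B64})\$(?P<hash>{B64})")),
    ("crypt", re.compile(rf"\$PBKDF2\$(?P<alg>HMACSHA[0-9+]+):(?P<iter>\d+)"
                         rf":(?P<salt>{B64})\$(?P<hash>{B64})")),
    ("openldap", re.compile(rf"\{{PBKDF2\}}(?P<iter>\d+)"
                            rf"\$(?P<salt>{B64})\$(?P<hash>{B64})")),
]

def ab64_decode(text):
    """Decode standard base64 or the modified form ('.' for '+', no padding)."""
    text = text.replace(".", "+").rstrip("=")
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)

def parse(stored):
    """Return the format name, digest, iteration count, salt and hash bytes."""
    for name, rx in FORMATS:
        m = rx.fullmatch(stored)
        if not m:
            continue
        f = m.groupdict()
        # Assumption: a string with no algorithm field ({PBKDF2}) is HMAC-SHA1.
        digest = DIGESTS.get(f.get("alg", "HMACSHA1"))
        if digest is None:
            raise ValueError("unsupported PBKDF2 digest")
        return {"format": name, "digest": digest, "iterations": int(f["iter"]),
                "salt": ab64_decode(f["salt"]), "hash": ab64_decode(f["hash"])}
    raise ValueError("unrecognised PBKDF2 hash string")

def verify(password, stored):
    """Recompute PBKDF2 with the parsed parameters; constant-time compare."""
    p = parse(stored)
    dk = hashlib.pbkdf2_hmac(p["digest"], password.encode(), p["salt"],
                             p["iterations"], len(p["hash"]))
    return hmac.compare_digest(dk, p["hash"])
```
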
