pwstore icon indicating copy to clipboard operation
pwstore copied to clipboard
verified publisher icon PeterScott

pbkdf2 seems to generate a wrong hash

Open snakamura opened this issue 11 years ago • 6 comments

I tested pbkdf2 function from pwstore-fast and pbkdf packages, and found that these two libraries generated different results.

>>> Crypto.PBKDF.ByteString.sha256PBKDF2 "password" "salt" 1000 32
"c,(\DC2\228mF\EOT\DLE+\167a\142\157m}/\129(\246&kJ\ETX&M*\EOT`\183\220\179"

>>> Crypto.PasswordStore.pbkdf2 "password" (Crypto.PasswordStore.importSalt $ Data.ByteString.Base64.encode "salt") 1000
"\191>\158?\217=\248\233SG\207\231\138\139\&8\255\SUB\185g\SO]\244\&0\159%\255z\229\216\239\133U"

As a reference, I also generated a hash with pbkdf2-ruby and it generated the same result as pbkdf library.

>>> PBKDF2.new(:password=>'password', :salt=>'salt', :iterations=>1000, :hash_function => OpenSSL::Digest::SHA256, :key_length => 32).bin_string
=> "c,(\x12\xE4mF\x04\x10+\xA7a\x8E\x9Dm}/\x81(\xF6&kJ\x03&M*\x04`\xB7\xDC\xB3"

Did I miss something?

snakamura avatar Apr 23 '14 12:04 snakamura

What is the status of this? RFC6070 contains authorative test vectors.

alexanderkjeldaas avatar Oct 02 '14 14:10 alexanderkjeldaas

Hi there, I'm the implementor of the pbkdf2 function. I tested the algorithm myself against the rfc vectors, and used the library to generate legacy hashes for a Django app I had, and it all worked fine, so this issue is coming as a surprise. Is this the second library you tried?

http://hackage.haskell.org/package/pbkdf-1.1.1.1

Alfredo

adinapoli avatar Dec 08 '14 21:12 adinapoli

Yes, it is.

snakamura avatar Dec 08 '14 22:12 snakamura

Ok, I will take a look over the weekend if I have time. Please bear in mind though that the RFC6070 gives you test vector for pbkdf2 which uses HMAC-Sha1 as pseudorandom function derivation. My implementation uses internally hmac-sha256:

http://hackage.haskell.org/package/pwstore-fast-2.4.4/docs/src/Crypto-PasswordStore.html#pbkdf2

adinapoli avatar Dec 09 '14 07:12 adinapoli

@adinapoli do you have any update on this?

tom-bop avatar Aug 23 '18 18:08 tom-bop

The problem apparently is that the salt is base64-encoded before it is used to hash. Indeed, if one bypasses it,

> Crypto.PasswordStore.pbkdf2 "password" (Crypto.PasswordStore.importSalt "salt") 1000
"c,(\DC2\228mF\EOT\DLE+\167a\142\157m}/\129(\246&kJ\ETX&M*\EOT`\183\220\179"

This is pretty irregular. Normally the encoding is just for outputting the string, and the salt is used directly as bytes during hashing. However, I suppose it's not any less secure, and for the sake of those already using this package it shouldn't be changed now. Still, I'd be reluctant to use this package for new projects, given this inconsistency with other PBKDF implementations.

galenhuntington avatar Aug 24 '18 22:08 galenhuntington