Password Hashing was: [Cryptography Team] Getting started
Paul DeBruicker
pdebruic at gmail.com
Sat Oct 29 00:45:06 UTC 2011
> I have a few questions on the code.
>
> - Should the RNG being used not be one from the crypt libraries rather
> than the Pharo one?
>
Probably, but I don't know the difference. I didn't want to have to
load the Cryptography package to be able to use the FFI functions
because I wanted to use the same code on Gemstone. And I'm not capable
of knowing whether I ported the RNG or other parts accurately. Is there
a way to use the Cryptography package RNG when its available or the
default when its not? That might be helpful if people want to take
advantage of it.
> - The #checkPassWord:against method has the salt hardcoded at 30, yet
> there is a method to set the length of the salt. Is there a reason for
> that?
Yes. Thats an error. It should have been 29. The extra character was
dropped by the C library.
Bcrypt truncates the salt to the first 22 characters. The other 7 that
are copied are the $2a$10$ that precedes the salt.
So it should be
BCryptLinuxFFI class>>#checkPassWord:against:
checkPassword: password against: hash
|salt|
salt := hash copyFrom: 1 to:29.
^hash = (self ffiCrypt: password with: salt).
See:
http://stackoverflow.com/questions/5881169/storing-a-hashed-password-bcrypt-in-a-database-type-length-of-column/5882472#5882472
I uploaded a new version with the above fix. I don't know of a list of
issues that need some work. You might send a separate email to the list
to see if anyone knows of one.
More information about the Cryptography
mailing list