Date: Wed, 26 Oct 2011 19:28:47 -0400 From: John Tooheyjohnptoohey@gmail.com Subject: [Cryptography Team] Getting started To: cryptography@lists.squeakfoundation.org Message-ID: CAJOFv+hDN0dAOr17x3zfyhyeJZCZx=sBdwAdX4MeqMSirgF8ig@mail.gmail.com Content-Type: text/plain; charset=UTF-8
Hi,
Just found the project and would appreciate some pointers on getting started. I have a requirement for generating hashes using SHA256 and for generating a secure random string the same length as the hash, for using as a salt for each hash. (All my passwords etc. have a unique hash also).
What do I need to download to get started on Pharo 1.3? I just downloaded the password repo, but just want to get things in the correct order.
Also I develop on OSX and deploy to Ubuntu, so any tips on the native libs for each platform would be great.
Glad I found you guys.
I have a question:
Do you get to choose how the password is hashed as long as its hashed with the SHA256 hashing function?
If you don't get to choose and have can only hash it once (or X times) then you need to use the Cryptography package and its SHA256 class. I think this would work:
SHA256 new hashStream: ('mypassword' , 'randomsalt') readStream.
If you get to choose then you should use the PasswordHashingFFI package because it accesses the implementation of the crypt library in glibc which is used for hashing passwords on modern linux implementations (http://www.akkadia.org/drepper/sha-crypt.html)
The crypt library in glibc runs the password through the hashing scheme many times according to a work factor, and is "future proof" because you can increase the work factor as CPU's get faster. See here for a description of password hashing http://codahale.com/how-to-safely-store-a-password/ He makes a strong case for bcrypt, but as implemented in libcrypt, the SHA256 algorithm has a similar way to increase the cost of cracking the passwords as processors accelerate. If you don't have to use SHA256 then change to bcrypt or SHA512 from the crypt library.
To use the PasswordHashingFFI you'll need to install FFI as well. There is a ConfigurationOfFFI in the http://www.squeaksource.com/MetacelloRepository that works great.
The PasswordHashing package shouldn't be used. I was trying to make a smalltalk implementation of the bcrypt password hashing algorithm but my Blowfish implementation, while accurate, is way too slow to be of practical use. I should rename it.
The PasswordHashingFFI package + FFI is all you need to make SHA256 hashed passwords in Ubuntu. I don't know what it would take to make the FFI method work on the Mac OSX. I don't think very much. You'd just need to make sure the CryptLinuxFFI class>>#ffiCrypt:with: method point to you mac's libcrypt from glibc. I'm not sure if on the Mac you need to point it to a 32bit version of that library or if 64bit is OK. On Ubuntu it has to be a 32 bit version.
Once the CryptLinuxFFI is speaking to the libcrypt library from a workspace you can just do:
"create the hashed password" |pwd randomSalt hashed | pwd:='my password' randomSalt:=CryptLinuxFFI randomSalt: pwd size. hashed := CryptLinuxFFI sha256: pwd with: randomSalt.
"check the hashed password"
CryptLinuxFFI checkPassword: pwd against: hashed.
I realize these classes have unfortunate names. I'm happy to change them to something more sensible once you get the Mac part working. Also I'm happy to include any improvements you think of.
Let me know what other questions you might have.
On 11-10-27 11:06 AM, Paul DeBruicker wrote:
The PasswordHashingFFI package + FFI is all you need to make SHA256 hashed passwords in Ubuntu.
This is because to run Pharo on Ubuntu you already have the libcrypt or Ubuntu 64 bit you've already installed ia32-libs which has the 32 bit version of libcrypt.
If you want to use bcrypt you'll need to install the 32 bit version of libxcrypt1. For 32 bit Ubuntu it should be in Synaptic. For 64Bit you need to download the i386 .deb package from here:
http://packages.ubuntu.com/oneiric/libxcrypt1
extract it in the downloaded directory with
sudo dpkg -x . libxcrypt1_2.4-1build1_i386.deb
then copy the libxcrypt.so.1.2.4 file to wherever the 32 bit libraries on your machine are an then in the 32 bit library directory run
sudo ln -s libxcrypt.so.1 libxcrypt.so.1.2.4
Thanks Paul. I couldn't get it to work on OSX. No pre-built binaries, that I could find. I eventually downloaded the source from OpenWall, and compiled a 32 bit library from that. So :-
$ make $ gcc -shared -m32 -W1,-soname,libbcrypt.so.1.2 -o libbcrypt.so.1.2 crypt_blowfish.o x86.o wrapper.o
The wrapper is to wrap their extensions and expose the API using the standard crypt one. However, I could build the library without the wrapper, but not with it. It was late, so I spun up a Ubuntu VirtualBox and installed the BCryptFFI package there. No surprise that that worked :-)
I have a few questions on the code.
- Should the RNG being used not be one from the crypt libraries rather than the Pharo one?
- The #checkPassWord:against method has the salt hardcoded at 30, yet there is a method to set the length of the salt. Is there a reason for that?
Anyway, really glad I found this project. Its very important that Pharo has good crypto support. I'd like to contribute, is there a list of outstanding issues etc., somewhere?
On Thu, Oct 27, 2011 at 14:24, Paul DeBruicker pdebruic@gmail.com wrote:
On 11-10-27 11:06 AM, Paul DeBruicker wrote:
The PasswordHashingFFI package + FFI is all you need to make SHA256 hashed passwords in Ubuntu.
This is because to run Pharo on Ubuntu you already have the libcrypt or Ubuntu 64 bit you've already installed ia32-libs which has the 32 bit version of libcrypt.
If you want to use bcrypt you'll need to install the 32 bit version of libxcrypt1. For 32 bit Ubuntu it should be in Synaptic. For 64Bit you need to download the i386 .deb package from here:
http://packages.ubuntu.com/oneiric/libxcrypt1
extract it in the downloaded directory with
sudo dpkg -x . libxcrypt1_2.4-1build1_i386.deb
then copy the libxcrypt.so.1.2.4 file to wherever the 32 bit libraries on your machine are an then in the 32 bit library directory run
sudo ln -s libxcrypt.so.1 libxcrypt.so.1.2.4
Cryptography mailing list Cryptography@lists.squeakfoundation.org http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
cryptography@lists.squeakfoundation.org