Date: Wed, 26 Oct 2011 19:28:47 -0400 From: John Tooheyjohnptoohey@gmail.com Subject: [Cryptography Team] Getting started To: cryptography@lists.squeakfoundation.org Message-ID: CAJOFv+hDN0dAOr17x3zfyhyeJZCZx=sBdwAdX4MeqMSirgF8ig@mail.gmail.com Content-Type: text/plain; charset=UTF-8

Hi,

Just found the project and would appreciate some pointers on getting started. I have a requirement for generating hashes using SHA256 and for generating a secure random string the same length as the hash, for using as a salt for each hash. (All my passwords etc. have a unique hash also).

What do I need to download to get started on Pharo 1.3? I just downloaded the password repo, but just want to get things in the correct order.

Also I develop on OSX and deploy to Ubuntu, so any tips on the native libs for each platform would be great.

Glad I found you guys.

I have a question:

Do you get to choose how the password is hashed as long as its hashed with the SHA256 hashing function?

If you don't get to choose and have can only hash it once (or X times) then you need to use the Cryptography package and its SHA256 class. I think this would work:

SHA256 new hashStream: ('mypassword' , 'randomsalt') readStream.

If you get to choose then you should use the PasswordHashingFFI package because it accesses the implementation of the crypt library in glibc which is used for hashing passwords on modern linux implementations (http://www.akkadia.org/drepper/sha-crypt.html)

The crypt library in glibc runs the password through the hashing scheme many times according to a work factor, and is "future proof" because you can increase the work factor as CPU's get faster. See here for a description of password hashing http://codahale.com/how-to-safely-store-a-password/ He makes a strong case for bcrypt, but as implemented in libcrypt, the SHA256 algorithm has a similar way to increase the cost of cracking the passwords as processors accelerate. If you don't have to use SHA256 then change to bcrypt or SHA512 from the crypt library.

To use the PasswordHashingFFI you'll need to install FFI as well. There is a ConfigurationOfFFI in the http://www.squeaksource.com/MetacelloRepository that works great.

The PasswordHashing package shouldn't be used. I was trying to make a smalltalk implementation of the bcrypt password hashing algorithm but my Blowfish implementation, while accurate, is way too slow to be of practical use. I should rename it.

The PasswordHashingFFI package + FFI is all you need to make SHA256 hashed passwords in Ubuntu. I don't know what it would take to make the FFI method work on the Mac OSX. I don't think very much. You'd just need to make sure the CryptLinuxFFI class>>#ffiCrypt:with: method point to you mac's libcrypt from glibc. I'm not sure if on the Mac you need to point it to a 32bit version of that library or if 64bit is OK. On Ubuntu it has to be a 32 bit version.

Once the CryptLinuxFFI is speaking to the libcrypt library from a workspace you can just do:

"create the hashed password" |pwd randomSalt hashed | pwd:='my password' randomSalt:=CryptLinuxFFI randomSalt: pwd size. hashed := CryptLinuxFFI sha256: pwd with: randomSalt.

"check the hashed password"

CryptLinuxFFI checkPassword: pwd against: hashed.

I realize these classes have unfortunate names. I'm happy to change them to something more sensible once you get the Mac part working. Also I'm happy to include any improvements you think of.

Let me know what other questions you might have.