[Cryptography Team] bcrypt password hashing

Ron Teitelbaum ron at usmedrec.com
Fri Apr 22 15:24:39 UTC 2011 

Hi Paul,

Looks like a fun project.  I'm sorry I don't have time to help.  Have you
looked at the other Smalltalk crypto classes?  Having an implementation that
works but doesn't match definitely means you didn't do something correctly.
It could be something very small like a constant that is wrong.  Or it could
be issues with endianess or something silly like that.  Have a look at how
some of the others are done, get familiar with the tricks.   I recommend
reading "Practical Cryptography" Ferguson & Schneier if you haven't already.
Reading the pseudo code with the Smalltalk implementations  that are already
done should help.

Good luck with it!

Ron Teitelbaum

> -----Original Message-----
> From: cryptography-bounces at lists.squeakfoundation.org
> [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of
> Paul DeBruicker
> Sent: Friday, April 22, 2011 10:58 AM
> To: cryptography at lists.squeakfoundation.org
> Subject: [Cryptography Team] bcrypt password hashing
> 
> Hi -
> 
> I've never implemented any cryptographic algorithms before but I'm trying
to
> make an implementation of the bcrypt password hashing algorithm [1] in
> Pharo. I'm using the OpenBSD C implementation [2] as a reference. To make
> it work I need a port of the Blowfish algorithm and am also using the
> OpenBSD C blowfish implementation [3] as a reference.
> 
> With what I have so far my "blowfish" can accurately encrypt and decrypt a
> string using a key. But the encrypted string does not match any of the
> reference implementations. I can take '0123456789' and encrypt it with the
> key 'AAAAA' and decrypt the result and get '0123456789' but my encrypted
> string is different than the C or Java encrypted string.  So I
> believe I've done something wrong.   I think my Feistel Network method
> is wrong because it eventually starts returning increasingly large 5 byte
> integers rather than the 4 bytes integers it should.  At least that's my
current
> guess about the problem.
> 
> Is there an open source version of Blowfish in Smalltalk I could look at
to see
> where I may be going wrong?
> 
> 
> 
> 
>   Thanks
> 
> Paul
> 
> 
> [1] http://www.usenix.org/events/usenix99/provos.html &
> http://codahale.com/how-to-safely-store-a-password/
> 
> [2] http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/bcrypt.c
> 
> [3] http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/blowfish.c
> _______________________________________________
> Cryptography mailing list
> Cryptography at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

More information about the Cryptography mailing list