Re: Password and hash management

Tue, 02 Nov 2010 17:38:36 -0700 

On Nov 1, 2010, at 2:37 PM, Mike K wrote:

> 
> Another thought:
> From   http://tools.ietf.org/html/rfc2898#page-6 PKCS#5 rfc2898  section 4.1
> (Salt):
>         For instance, the salt could have
>         an additional non-random octet that specifies the purpose of
>         the derived key. Alternatively, it could be the encoding of a
>         structure that specifies detailed information about the derived
>         key, such as the encryption or authentication technique and a
>         sequence number among the different keys derived from the
>         password.  The particular format of the additional data is left
>         to the application.
> I wonder if this suggestion makes for a reasonable approach for salt:
> Allow the first byte of the salt to be interpreted by a user-provided class
> that implements a simple Shiro interface.
> Of course it is more transparent and simple to have some sort of
> configuration in the data store specifying how the the password was hashed -
> algorithm, number of iterations, but it seems to me there is some value in
> the attacker with access to hashed passwords and salt values not knowing
> that information. 
> -- 
> View this message in context: 
> http://shiro-developer.582600.n2.nabble.com/Password-and-hash-management-tp5667050p5695239.html
> Sent from the Shiro Developer mailing list archive at Nabble.com.

Yeah, # of hash iterations, etc., should be stored somewhere else. What I 
usually do is to generate a random sting key to be used to index the # of hash 
iterations, etc., and that is what gets stored w/ the hashed data is this key. 

The same is true for encrypted data as well as well. 

I'm not sure I would create VersionedSaltedAuthenticationInfo. I might create a 
general class hierarchy 

class Hash<K> { 
   public K key; 
   public byte[] hash; 
} 

class Encrypted<K> {
   public K key; 
   public byte[] data; 
}

interface HashManager<K, PD, Hasher<K, PD>> extends Map<K, Hasher<K, PD>> {
  public Hash<K> hash(K key, byte[] data, PD perData);
}

interface Hasher<K, PD> {
  public Hash<K> hash(byte[] data, PD perData);
}

interface EncryptionManager<K, PD, Encryptor<K, PD>> extends Map<K, 
Encryptor<K, PD>> {
  public Encrypted<K> encrypt(K key, byte[] data, PD perData);
  public byte[]  decrypt(Encrypted<K> encrypted, PD perData);
}

interface Encryptor<K, PD> {
  public Encrypted<K> encrypt(byte[] data, PD perData);
}

Reply via email to