Password storage options

Password storage options

Jan Blizničenko
Hello

I'm working on a Pharo-based webserver and right now I got to the topic of
storing user passwords. I found SHA256 integrated in Pharo, but hashing with
SHA is far from enough. I also looked around the mailing list history and
found a few posts from 2011 about bcrypt using Linux libraries. I'd like to ask
what the current status is - what are my options under the following conditions:

I prefer Pharo 5 compatibility. I could downgrade to Pharo 4 or use beta
Pharo 6, but the latest stable release is preferred.

I require at least bcrypt or PBKDF2, but I would much prefer
GPU-attack-resistant solutions like scrypt or Argon2.

I require Linux compatibility, but a platform-independent solution would be
kinda nice (we could use the same algorithm on our local machines with Mac
and Win for development).

Thank you
Jan



--
View this message in context: http://forum.world.st/Password-storage-options-tp4927471.html
Sent from the Pharo Smalltalk Users mailing list archive at Nabble.com.

Re: Password storage options

Paul DeBruicker
I made a crypt/bcrypt FFI library for older versions of Pharo that sounds like it meets your needs and is in the Cryptography project here:

http://smalltalkhub.com/#!/~Cryptography/Cryptography

But I have not updated it for the new FFI versions in Pharo 5/6.



And Pierce Ng made a blog post and library about his own set up here:
http://www.samadhiweb.com/blog/2013.11.17.shacrypt.html





Re: Password storage options

Paul DeBruicker
And adding scrypt to that FFI library would be trivial if you have a 32-bit version of scrypt, but I don't think there is one. I'd be happy to learn I'm wrong though. And that's assuming you're using 32-bit Pharo, which is what's stable/released right now.





Re: Password storage options

Jan Blizničenko
Thank you a lot! :)

I tried it in Pharo 5 and everything seems to be working (I just had to apt-get install libxcrypt:i386, load the packages Cryptography, Blowfish (not sure if really needed though) and PasswordHashingFFI, and manually create a link in the directory where it expected libxcrypt.so.1). About the FFI for Pharo 5/6, maybe that's what Esteban Maringolo did in commit "Cryptography-EstebanMaringolo.50" on 15 September 2016: "Version ready to be loaded in Pharo 5.0 without affecting Kernel or System packages."

Scrypt would be even better to have, but I'm grateful enough for now since it was all easier and faster than I expected.

Jan

Re: Password storage options

Jan Blizničenko
Ah, it seems I just did not switch it on - it does not work after all.

I tried it with PasswordHashingFFI-PaulDeBrulcker.16.mcz, but also with 15 and 8.

On Pharo 5, it calls many methods which I do not have in my environment, for example in BCryptLinuxFFI>>#generateBCryptSalt: there is a line with "self randomBCryptSalt: saltSize", but there is no implementor of "randomBCryptSalt:". Also, in many methods of BCryptLinuxFFI there are message sends of "greaseString" to variables probably containing integers, but there is also no implementor of greaseString.

So I tried it on Pharo 4 - it does not even load, because it needs the class ExternalStructure. So I found I need to download the FFI; I tried to do so using the code below, but loading failed with MessageNotUnderstood: receiver of "selector" is nil.

Gofer new
  squeaksource: 'MetacelloRepository';
  package: 'ConfigurationOfFFI';
  load.
(Smalltalk at: #ConfigurationOfFFI) project lastVersion load

So, I'm not sure what to try next to make it work.

Jan

Re: Password storage options

Esteban A. Maringolo
Hello Jan,

The latest commit of the Cryptography package loads in Pharo 5 without
affecting existing packages, but it does not guarantee that all the
methods are working.

The FFI related packages will likely not work out of the box, because
there was a change in the FFI interface from Pharo 4 to Pharo 5, so
the FFI calls should be adapted to use UFFI (new FFI framework).

I'd also like to have Scrypt and ECDSA.

Regards,

Esteban A. Maringolo


2016-12-19 22:54 GMT-03:00 Jan Blizničenko <[hidden email]>:


Re: Password storage options

Paul DeBruicker
In reply to this post by Jan Blizničenko
I think I last used this in Pharo 1.3


#greaseString is just a cross-platform #asString, so you could change those for your updated package.


Here's a version of #randomBCryptSalt: that will work OK.

randomBCryptSalt: saltSize
	"Answer a random alphanumeric string of exactly saltSize characters.
	Random is a general-purpose PRNG, not a cryptographic one, so for
	production salts an OS-backed entropy source is preferable."
	| alphabet targetStream random |
	alphabet := '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.
	targetStream := WriteStream on: (String new: saltSize).
	random := Random new.
	"Exactly saltSize characters; a 'contents size <= saltSize' loop would add one too many."
	saltSize timesRepeat: [
		"nextInt: answers a uniformly distributed integer in 1 to: alphabet size,
		so every character of the alphabet is equally likely and no filtering is needed."
		targetStream nextPut: (alphabet at: (random nextInt: alphabet size))].
	^ targetStream contents

After implementing that you could change #randomBCryptSaltData to

randomBCryptSaltData
        ^self randomBCryptSalt: self saltDataLength


To load FFI into old Pharo it's probably not a good idea to use #lastVersion but instead #stableVersion.

Gofer new
  squeaksource: 'MetacelloRepository';
  package: 'ConfigurationOfFFI';
  load.
(Smalltalk at: #ConfigurationOfFFI) project stableVersion load


Let me know what other issues you run into.  



Re: Password storage options

Udo Schneider
In reply to this post by Jan Blizničenko
Hi Jan,

I extracted a PBKDF2 implementation from some of my code some time ago.
Take a look here:

http://readthesourceluke.blogspot.de/2014/07/pbkdf2-for-pharo.html
http://www.smalltalkhub.com/#!/~UdoSchneider/PBKDF2

CU,

Udo

On 19/12/16 18:09, Jan Blizničenko wrote:




Re: Password storage options

Jan Blizničenko
I'm currently trying it and it seems quite easy to load and use - just working fine.
Of course it seems kinda slow in comparison with native implementations (2000 iterations of SHA256 into a 32 byte hash taking almost a second on my quite powerful PC), but that's expected and not that much of a problem. I'm also not able to tell whether there are any security flaws, but anything is better than something I would write myself without reading deep enough into the topic.
Anyway, I think I will happily keep with it until there is some easy-to-use implementation or FFI for current Pharo of a more current algorithm.

Thank you both.

Jan

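Jan's last post asks in effect how one could tell whether a PBKDF2 implementation is flawed, and notes the 2000-iteration timing. As an added Python example, not code from this thread or from the Pharo packages, the block below writes out RFC 8018 PBKDF2 with HMAC-SHA256 so it can be checked against a published test vector and the standard library, and shows the storage record, constant-time verification and iteration calibration a webserver needs around it. The record format, the 16-byte salt and the function names are my own choices.

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"       # the PRF Jan measured in the Pharo implementation
DEFAULT_ITERATIONS = 2000  # the count Jan quotes; calibrate_iterations raises it
SALT_BYTES = 16            # assumption: salt length is my choice, not the thread's


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018, section 5.2) written out in full with HMAC-SHA256 as PRF:
    per output block i, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}),
    T_i = U_1 xor ... xor U_c; blocks are concatenated and cut to dklen bytes."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")

    def prf(data: bytes) -> bytes:
        return hmac.new(password, data, hashlib.sha256).digest()

    out = bytearray()
    block_index = 1
    while len(out) < dklen:
        u = prf(salt + block_index.to_bytes(4, "big"))  # U_1
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(u)  # each U_j depends on U_{j-1}, so the chain is sequential
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
        block_index += 1
    return bytes(out[:dklen])


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the from-scratch PBKDF2 against the C implementation in hashlib."""
    expected = hashlib.pbkdf2_hmac(HASH_NAME, password, salt, iterations, dklen)
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == expected


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt=None) -> str:
    """Return a self-describing record pbkdf2_sha256$iterations$salt_hex$hash_hex;
    storing the iteration count lets it be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # OS CSPRNG, never a general-purpose PRNG
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, 32)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), 32)
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def calibrate_iterations(target_seconds: float = 0.25, start: int = DEFAULT_ITERATIONS) -> int:
    """Double the iteration count until one hash takes at least target_seconds."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(HASH_NAME, b"calibration", bytes(SALT_BYTES), iterations, 32)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2
```

The same test vectors (password "password", salt "salt") can be fed to the Pharo PBKDF2 package to check that it agrees with the standard before trusting it with real credentials.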