Status of crypto libraries for Pharo?


Status of crypto libraries for Pharo?

larrry
Hi, 

I'd seen some mail in the archives saying that the old, Smalltalk native encryption libraries were abandoned and new libraries should wrap some standard implementation. 

I'm looking at the moment for symmetric algorithms and an md5 hash for storing passwords. Does anybody know the status of these things?

Thanks much.

Larry 

Re: Status of crypto libraries for Pharo?

Geoffroy Couprie
IIRC, there's a Smalltalk AES implementation somewhere (I don't know
if it's efficient though).
MD5 and SHA1/SHA2 are there and rapid enough, but storing password
hashes using these algorithms is a very bad practice. You should use
key derivation functions like scrypt and bcrypt. There's no
implementation of these in Smalltalk, so you should wrap their libs in
a plugin.

On 9/4/11, Larry White <[hidden email]> wrote:

> Hi,
>
> I'd seen some mail in the archives saying that the old, Smalltalk native
> encryption libraries were abandoned and new libraries should wrap some
> standard implementation.
>
> I'm looking at the moment for symmetric algorithms and an md5 hash for
> storing passwords. Does anybody know the status of these things?
>
> Thanks much.
>
> Larry
>


Re: Status of crypto libraries for Pharo?

Paul DeBruicker
In reply to this post by larrry
On 09/05/2011 06:02 AM, [hidden email] wrote:

> Date: Sun, 4 Sep 2011 22:27:16 +0200
> From: Geoffroy Couprie<[hidden email]>
> Subject: Re: [Pharo-users] Status of crypto libraries for Pharo?
> To: A friendly place where any question about pharo is welcome
> <[hidden email]>
> Message-ID:
> <[hidden email]>
> Content-Type: text/plain; charset=UTF-8
>
> IIRC, there's a Smalltalk AES implementation somewhere (I don't know
> if it's efficient though).
> MD5 and SHA1/SHA2 are there and rapid enough, but storing password
> hashes using these algorithms is a very bad practice. You should use
> key derivation functions like scrypt and bcrypt. There's no
> implementation of these in Smalltalk, so you should wrap their libs in
> a plugin.

I made something that accesses the standard crypt(3) and libxcrypt
libraries with FFI. I've only used it on Linux. I have made a GemStone
port. The package is named PasswordHashingFFI and is in the
Cryptography repository on SqueakSource here:

http://www.squeaksource.com/Cryptography

With them you can do md5, DES, sha256, sha512, and bcrypt.  The
Cryptography repository has native implementations of md5, DES, sha256,
sha512.


I don't know about the security implications of using FFI vs. native vs.
a plugin.
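
Added example, not part of the thread and not code from PasswordHashingFFI: crypt(3) and libxcrypt return strings whose prefix names the scheme, so an existing password table can be audited for the md5 and DES entries the thread advises against. The function names, the `migrate`/`keep` policy, the minimum bcrypt cost of 10 and the sample records are assumptions of this example; the sample hashes are constructed and only shaped like real ones.

```python
import re

# crypt(3) modular-format prefixes -> (scheme, verdict).
# Verdicts are this example's assumed policy, following the thread's advice.
PREFIXES = {
    "1": ("md5crypt", "migrate"),
    "5": ("sha256crypt", "keep"),
    "6": ("sha512crypt", "keep"),
    "2a": ("bcrypt", "keep"),
    "2b": ("bcrypt", "keep"),
    "2y": ("bcrypt", "keep"),
}
# Traditional DES crypt has no prefix: 2-char salt + 11-char hash.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
MIN_BCRYPT_COST = 10  # assumed policy threshold, not from the thread

def classify(stored):
    """Return (scheme, verdict, work_factor) for one stored crypt(3) string."""
    if DES_RE.fullmatch(stored):
        return ("descrypt", "migrate", None)
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in PREFIXES:
        return ("unknown", "review", None)
    scheme, verdict = PREFIXES[parts[1]]
    work = None
    if scheme == "bcrypt":
        # $2b$<cost>$<salt+hash>; cost is log2 of the iteration count
        if not parts[2].isdigit():
            return ("unknown", "review", None)
        work = int(parts[2])
        if work < MIN_BCRYPT_COST:
            verdict = "migrate"
    elif scheme in ("sha256crypt", "sha512crypt"):
        # Optional "rounds=N" field; the scheme defaults to 5000 rounds
        m = re.fullmatch(r"rounds=(\d+)", parts[2])
        work = int(m.group(1)) if m else 5000
    return (scheme, verdict, work)

def needs_attention(records):
    """Return the user names whose stored hash is not a 'keep'."""
    return [user for user, h in records if classify(h)[1] != "keep"]

# Constructed sample records (format-shaped, not real hashes)
SAMPLE = [
    ("alice", "$1$abcdefgh$" + "A" * 22),
    ("bob", "ab" + "C" * 11),
    ("carol", "$6$rounds=10000$saltsalt$" + "x" * 86),
    ("dave", "$2b$12$" + "a" * 53),
    ("erin", "$2b$04$" + "a" * 53),
    ("frank", "hunter2!"),
]
```

Accounts flagged `migrate` can be rehashed with a stronger scheme at the user's next successful login, since the stored string alone does not yield the password.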