Posted by Paul DeBruicker on Jun 30, 2017; 4:18am
URL: https://forum.world.st/Validate-password-with-PBKDF2-tp4952973p4952985.html

Looks like you'll have to store the salt when making the original hash of the password.  

With that you can do


| salt originalPassword userInputPassword originalHash  newHash secretKey |
salt:='salt'.
originalPassword:='password'.
userInputPassword:='12345678'.
originalHash:=PBKDF2 derivedKeySHA1Password: originalPassword salt: salt.
newHash:=PBKDF2 derivedKeySHA1Password: userInputPassword salt: salt.

secretKey:= SecureRandom new nextBytes: 16.

((SHA256 new hmac key: secretKey) digestMessage: originalHash) = ((SHA256 new hmac key: secretKey) digestMessage: newHash).



We do the double SHA256 HMAC signing of the hashes because of https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/

You can store the #secretKey and each user should get a new #salt every time they change their password and you shouldn't reuse the salts for other users or password.  

For PBKDF2 there is probably a max (or recommended) salt length but I don't know it.  

I also don't know anything about the SecureRandom class but it says it on the tin, so maybe it is.  Maybe not though.  I don't know how to find out. But I don't know that it matters in this instance as its only used for the SHA256 HMAC internally in the comparison function.


Hope this helps.  

Francis wrote

Hi folks

I'm playing with the PBKDF2 package of Udo: http://www.smalltalkhub.com/#!/~UdoSchneider/PBKDF2
(thanks Udo), but I can't find how to validate a stored hash.
Can you point me in the right direction?

Thanks
Francis