dlmarion commented on issue #2700: URL: https://github.com/apache/accumulo/issues/2700#issuecomment-1134855111
Looking at [NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5) Section 5.1.1.2, it says > Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive. Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [[SP 800-132]](https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132) and Balloon [[BALLOON]](https://pages.nist.gov/800-63-3/sp800-63b.html#balloon). A memory-hard function SHOULD be used because it increases the cost of an attack. The key derivation function SHALL use an approved one-way function such as Keyed Hash Message Authentication Code (HMAC) [[FIPS 198-1]](https://pages.nist.gov/800-63-3/sp800-63b.h tml#FIPS198-1), any approved hash function in [SP 800-107](https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107), Secure Hash Algorithm 3 (SHA-3) [[FIPS 202]](https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202), CMAC [[SP 800-38B]](https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B) or Keccak Message Authentication Code (KMAC), Customizable SHAKE (cSHAKE), or ParallelHash [[SP 800-185]](https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185). The chosen output length of the key derivation function SHOULD be the same as the length of the underlying one-way function output. This section doesn't deal strictly with passwords, but I wrote a [test](https://github.com/dlmarion/accumulo/blob/password_test/server/base/src/test/java/org/apache/accumulo/server/security/handler/PasswordHashTest.java) to compare the performance difference between the Commons-Codec Crypt approach that is being used currently vs `PBKDF2WithHmacSHA512` as suggested in NIST SP800-63B. It looks to be roughly 3x faster. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
