I guess I could integrate Udo's PBKDF2 into ApplicationSecurity. See under
"Using the CheckPoint" if it matches the API you're looking for:

http://80738163270632.blogspot.com.ar/2014/10/application-security-2-checkpoint.html

Cheers,

Hernán


2017-06-30 4:43 GMT-03:00 Francis via Pharo-users <
pharo-users@lists.pharo.org>:

>
>
> ---------- Forwarded message ----------
> From: Francis <falzonidav...@libero.it>
> To: pharo-users@lists.pharo.org
> Cc:
> Bcc:
> Date: Fri, 30 Jun 2017 00:43:23 -0700 (PDT)
> Subject: Re: Validate password with PBKDF2
> Thank you Paul,
> Saving the salt is not a big issue but I'd like something more simple.
> In python I can store the salt with the password
> see: https://pypi.python.org/pypi/bcrypt/3.1.0
>
> # Hash a password for the first time, with a randomly-generated salt
> hashed = bcrypt.hashpw(password, bcrypt.gensalt())
>
> and retrieve it subsequently
> if bcrypt.checkpw(password, hashed):
>     print("It Matches!")
>
> Are you (smalltalkers) aware of something similar?
>
> Thanks again
> Francis
>
>
>
> Paul DeBruicker wrote
> > Looks like you'll have to store the salt when making the original hash of
> > the password.
> >
> > With that you can do
> >
> >
> > | salt originalPassword userInputPassword originalHash newHash secretKey |
> > salt := 'salt'.
> > originalPassword := 'password'.
> > userInputPassword := '12345678'.
> > originalHash := PBKDF2 derivedKeySHA1Password: originalPassword salt: salt.
> > newHash := PBKDF2 derivedKeySHA1Password: userInputPassword salt: salt.
> >
> > secretKey := SecureRandom new nextBytes: 16.
> >
> > ((SHA256 new hmac key: secretKey) digestMessage: originalHash)
> >     = ((SHA256 new hmac key: secretKey) digestMessage: newHash).
> >
> >
> >
> > We do the double SHA256 HMAC signing of the hashes because of
> > https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
> >
> > You can store the #secretKey and each user should get a new #salt every
> > time they change their password and you shouldn't reuse the salts for
> > other users or password.
> >
> > For PBKDF2 there is probably a max (or recommended) salt length but I
> > don't know it.
> >
> > I also don't know anything about the SecureRandom class but it says it on
> > the tin, so maybe it is. Maybe not though. I don't know how to find out.
> > But I don't know that it matters in this instance as it's only used for
> > the SHA256 HMAC internally in the comparison function.
> >
> >
> > Hope this helps.
> >
> >
> > Francis wrote
> >> Hi folks
> >>
> >> I'm playing with the PBKDF2 package of Udo:
> >> http://www.smalltalkhub.com/#!/~UdoSchneider/PBKDF2
> >> (thanks Udo), but I can't find how to validate a stored hash.
> >> Can you point me in the right direction?
> >>
> >> Thanks
> >> Francis
>
>
>
>
>
> --
> View this message in context: http://forum.world.st/Validate-password-with-PBKDF2-tp4952973p4953004.html
> Sent from the Pharo Smalltalk Users mailing list archive at Nabble.com.
>
>
>

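The bcrypt-style "one stored value" that Francis asks for, built on PBKDF2 instead, as an added example that is not code from the thread, from Udo's package or from ApplicationSecurity. It is written in Python (which the thread already quotes for bcrypt) as a reference for what a Smalltalk port needs to do: the record format `pbkdf2_sha256$<iterations>$<salt>$<key>`, the constants and the function names are assumptions of this example, and the comparison mirrors the random-key double-HMAC check in Paul's snippet.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; raise ITERATIONS for production use.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_LEN = 16   # bytes of random salt, a fresh one per stored password
DK_LEN = 32     # derived-key length in bytes

def double_hmac_equal(a: bytes, b: bytes) -> bool:
    """Compare two digests as the thread describes: HMAC both under a fresh
    random key, then compare the outputs. Neither HMAC output is attacker
    controlled, so comparison timing leaks nothing about the stored key.
    (hmac.compare_digest is the standard-library alternative.)"""
    key = os.urandom(32)
    ma = hmac.new(key, a, hashlib.sha256).digest()
    mb = hmac.new(key, b, hashlib.sha256).digest()
    return ma == mb

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return one self-describing string holding algorithm, iteration count,
    salt and derived key, so only a single value is stored (as with bcrypt.hashpw)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def check_password(password: str, stored: str) -> bool:
    """Parse salt and iteration count back out of `stored`, rerun PBKDF2 on the
    candidate password and compare; malformed records simply fail."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        count = int(iterations)
    except ValueError:          # wrong field count, bad base64, non-numeric count
        return False
    if count < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, count, len(expected))
    return double_hmac_equal(candidate, expected)
```

Because the iteration count travels with the record, old entries keep verifying after ITERATIONS is raised and can be rehashed on the next successful login.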