Re: Hashing functions in Firefox OS

2014-01-16 Thread Stéphanie Ouillon
Hi,

On 01/15/2014 06:40 PM, Garrett Robinson wrote:
> On 01/15/2014 08:33 AM, Kurt Roeckx wrote:
>> On 2013-12-17 16:02, Stéphanie Ouillon wrote:
>>
>> I'm confused what passwords have to do with hashes.  Do you want
>> to store hash(pass)?  This is a bad idea, please use something
>> that is designed to store passwords instead like bcrypt, scrypt
>> or PBKDF2.
>
> Excellent point. (I assumed they wanted access to the underlying
> hash functions so they could build PBKDF2 or similar). PBKDF2 is
> implemented in CryptoUtils.js [0], along with some other
> convenience functions. I don't think this is exposed as the kind of
> API OP is looking for, but perhaps it could be.
>
> [0]
> http://dxr.mozilla.org/mozilla-central/source/services/crypto/modules/utils.js
>
> Another option would be to use JS implementations of password
> hashing functions (or Emscripten-compiled native versions of the
> same, which should get near-native performance, especially
> important for slow hash functions). For example:
>
> * https://github.com/tonyg/js-scrypt (Emscripten-compiled)
> * https://code.google.com/p/crypto-js/ (includes PBKDF2)

I'm not sure why the people who worked before me on this started to
think about hashing. From my understanding, the point was to hash the
password, and compare hashes when unlocking the screen. So there was
no encryption involved.  There might be a performance concern or maybe
the crypto stuff in FxOS wasn't mature enough at the time, I don't
really know.

Christiane Ruetten recently released a FxOS Crypto Concept draft [1].
Using the CryptoUtils module and PBKDF2 would make absolute sense. For
that, the functions still need to be exposed as a web API. According
to the architecture taking place in FxOS, I guess this API would be part
of the Crypto Worker (which has nothing to do with WebCrypto's
WorkerCrypto).


[1]
https://docs.google.com/a/mozilla.com/document/d/13dnmH4OsJc0ItMa0Z21VJcYJBK6kIb1om4B-DJk7N2E/edit#
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
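
Added example (not part of any message in this thread, and not Gaia or
CryptoUtils.js code): the difference between storing hash(pass) and storing
a salted PBKDF2 record for the "compare on unlock" flow discussed above. It
uses Node.js's built-in crypto module; the record layout, function names and
iteration count are assumptions.

```javascript
// Added example, not code from the thread. Runs under Node.js.
const crypto = require("node:crypto");

const ITERATIONS = 100000; // assumed work factor; tune it on the target device
const KEY_LEN = 32;        // bytes of derived key to store
const DIGEST = "sha256";

// The hash(pass) scheme questioned in the thread: unsalted and fast, so the
// same passcode yields the same value on every device and can be precomputed.
function bareHash(passcode) {
  return crypto.createHash(DIGEST).update(passcode, "utf8").digest("hex");
}

// Record to persist when the passcode is set: random salt, derived key, and
// the parameters needed to re-derive it (so the work factor can be raised later).
function createRecord(passcode, iterations = ITERATIONS) {
  const salt = crypto.randomBytes(16);
  const key = crypto.pbkdf2Sync(passcode, salt, iterations, KEY_LEN, DIGEST);
  return {
    kdf: "pbkdf2-" + DIGEST,
    iterations,
    salt: salt.toString("hex"),
    key: key.toString("hex"),
  };
}

// Unlock check: re-derive with the stored salt and iteration count, then
// compare in constant time. Malformed records are rejected, not thrown on.
function verifyPasscode(passcode, record) {
  if (!record || record.kdf !== "pbkdf2-" + DIGEST) return false;
  if (!Number.isInteger(record.iterations) || record.iterations < 1) return false;
  const salt = Buffer.from(String(record.salt), "hex");
  const expected = Buffer.from(String(record.key), "hex");
  if (salt.length === 0 || expected.length === 0) return false;
  const actual = crypto.pbkdf2Sync(passcode, salt, record.iterations, expected.length, DIGEST);
  return crypto.timingSafeEqual(actual, expected);
}
```

A slow KDF only multiplies the cost of each guess: a 4-digit passcode still
has just 10,000 candidates, so the record is only as strong as the passcode
space it protects.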


Re: Hashing functions in Firefox OS

2014-01-16 Thread Paul Theriault
Device locking is managed in Gaia system app currently, not in gecko. So I
believe we either need a hashing support of some kind exposed to content, or we
need an API which controls device locking.

Maybe dev-b2g is a better place for that discussion, but can anyone answer 
Stephanie's original questions? Anyone working on this? Any considerations if 
we just start working on this?

On Jan 16, 2014, at 12:32 AM, Kai Engert wrote:

> On Di, 2013-12-17 at 16:02 +0100, Stéphanie Ouillon wrote:
>> I'm in the Firefox OS Security team and I'm starting working on adding
>> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
>> [1].
>> At the moment, only a 4-digit password can be configured and we want to
>> improve that for FxOS 1.4 (March 2014).
>>
>> Some time ago, David Dahl provided a patch for having hashing
>> functions in Gecko: it's a JSM living next to the SettingsManager for
>> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>
> It's not clear why you need something new.
>
> I'd assume your device locking code is privileged code.
> Can't you use nsICryptoHash?
>
> Kai



Re: Hashing functions in Firefox OS

2014-01-16 Thread Paul Theriault
Er, ignore me, at least my second comments about replying to Stephanie. I didn't
realize I wasn't subscribed.

On Jan 17, 2014, at 10:01 AM, Paul Theriault wrote:

> Device locking is managed in Gaia system app currently, not in gecko. So I
> believe we either need a hashing support of some kind exposed to content, or
> we need an API which controls device locking.
>
> Maybe dev-b2g is a better place for that discussion, but can anyone answer
> Stephanie's original questions? Anyone working on this? Any considerations if
> we just start working on this?
>
> On Jan 16, 2014, at 12:32 AM, Kai Engert wrote:
>
>> On Di, 2013-12-17 at 16:02 +0100, Stéphanie Ouillon wrote:
>>> I'm in the Firefox OS Security team and I'm starting working on adding
>>> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
>>> [1].
>>> At the moment, only a 4-digit password can be configured and we want to
>>> improve that for FxOS 1.4 (March 2014).
>>>
>>> Some time ago, David Dahl provided a patch for having hashing
>>> functions in Gecko: it's a JSM living next to the SettingsManager for
>>> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>>
>> It's not clear why you need something new.
>>
>> I'd assume your device locking code is privileged code.
>> Can't you use nsICryptoHash?
>>
>> Kai



Re: Hashing functions in Firefox OS

2014-01-15 Thread Kai Engert
On Di, 2013-12-17 at 16:02 +0100, Stéphanie Ouillon wrote:
> I'm in the Firefox OS Security team and I'm starting working on adding
> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
> [1].
> At the moment, only a 4-digit password can be configured and we want to
> improve that for FxOS 1.4 (March 2014).
>
> Some time ago, David Dahl provided a patch for having hashing
> functions in Gecko: it's a JSM living next to the SettingsManager for
> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.

It's not clear why you need something new.

I'd assume your device locking code is privileged code.
Can't you use nsICryptoHash?

Kai



Re: Hashing functions in Firefox OS

2014-01-15 Thread Frederik Braun
On 15.01.2014 14:32, Kai Engert wrote:
> It's not clear why you need something new.
>
> I'd assume your device locking code is privileged code.
> Can't you use nsICryptoHash?

There is no privileged JS in FxOS as there is in Firefox Desktop :)
All code must be an open web API.



Re: Hashing functions in Firefox OS

2014-01-15 Thread Kurt Roeckx

On 2013-12-17 16:02, Stéphanie Ouillon wrote:

> Hi,
>
> I'm in the Firefox OS Security team and I'm starting working on adding
> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
> [1].
> At the moment, only a 4-digit password can be configured and we want to
> improve that for FxOS 1.4 (March 2014).
>
> Some time ago, David Dahl provided a patch for having hashing
> functions in Gecko: it's a JSM living next to the SettingsManager for
> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>
> But having a set of hashing functions that could be called from anywhere
> would definitely be best.


I'm confused what passwords have to do with hashes.  Do you want to 
store hash(pass)?  This is a bad idea, please use something that is 
designed to store passwords instead like bcrypt, scrypt or PBKDF2.



Kurt



Re: Hashing functions in Firefox OS

2014-01-15 Thread Garrett Robinson
On 01/15/2014 08:33 AM, Kurt Roeckx wrote:
> On 2013-12-17 16:02, Stéphanie Ouillon wrote:
>> Hi,
>>
>> I'm in the Firefox OS Security team and I'm starting working on adding
>> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
>> [1].
>> At the moment, only a 4-digit password can be configured and we want to
>> improve that for FxOS 1.4 (March 2014).
>>
>> Some time ago, David Dahl provided a patch for having hashing
>> functions in Gecko: it's a JSM living next to the SettingsManager for
>> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>>
>> But having a set of hashing functions that could be called from anywhere
>> would definitely be best.
>
> I'm confused what passwords have to do with hashes.  Do you want to
> store hash(pass)?  This is a bad idea, please use something that is
> designed to store passwords instead like bcrypt, scrypt or PBKDF2.

Excellent point. (I assumed they wanted access to the underlying hash
functions so they could build PBKDF2 or similar). PBKDF2 is implemented
in CryptoUtils.js [0], along with some other convenience functions. I
don't think this is exposed as the kind of API OP is looking for, but
perhaps it could be.

[0]
http://dxr.mozilla.org/mozilla-central/source/services/crypto/modules/utils.js

Another option would be to use JS implementations of password hashing
functions (or Emscripten-compiled native versions of the same, which
should get near-native performance, especially important for slow hash
functions). For example:

* https://github.com/tonyg/js-scrypt (Emscripten-compiled)
* https://code.google.com/p/crypto-js/ (includes PBKDF2)

 
> Kurt
 