Yes, that does help, Les. Thanks for the reply. However, I need a few
explanations from you, since I want to write my own PasswordService for
Shiro that will use scrypt.
1. Why is it necessary to have a password in the MCF format? I am no
cryptography expert, but shouldn't just hashing and salting work fine?
2. What is the Shiro1 Crypto format? Why use it? I have seen passwords
hashed by it as "shiro1$50000...."; isn't that a security breach? I mean,
you are basically giving away the framework and crypto format used.
3. Could you please explain what the ParsableHashFormat is? Why use it?
The implementation of DefaultPasswordService says that
//First check to see if we can reconstitute the original hash - this allows us to
//perform password hash comparisons even for previously saved passwords that don't
//match the current HashService configuration values. This is a very nice feature
//for password comparisons because it ensures backwards compatibility even after
//configuration changes.
Correct me if I am wrong. This means that if passwords were stored with
different crypto formats and different iteration values, then
ParsableHashFormat would be able to detect those. Am I right?
4. What's a HashRequest? What's the use of having such a design pattern?
Why not just go straight to hashing?
On Wed, Sep 9, 2015 at 11:05 PM, Les Hazlewood <[email protected]>
wrote:
> A HashService is a general-purpose hashing mechanism for any type of data
> that needs to be hashed - files, strings, passwords, etc. The output of a
> HashService invocation is a Hash object, which wraps a byte array (aka the
> 'digest').
>
> Password hashing builds upon general purpose hashing - not only does the
> password need to be hashed, but the resulting hash output is almost always
> encoded in a text format - typically Modular Crypt Format (MCF) - suitable
> for database storage. The password service should also know how to compare
> one of these stored MCF strings with a submitted raw password and indicate
> whether or not the submitted value is correct. These two features are an
> extra layer of functionality 'on top of' general purpose hashing.
>
> This is why there are two separate concepts - password hashing should not
> be tightly coupled to general purpose hashing and vice versa. If you look
> at the DefaultPasswordService implementation [1], you will see that it
> delegates to a HashService to do the hashing and then it delegates to a
> HashFormat instance to do the MCF-formatting. This is a common theme in
> Shiro's design: lower-level functionality is built upon by layering in
> additional functionality (via OO Composition) to compose more and more
> capabilities.
>
> I hope that helps!
>
> Cheers,
>
> Les
>
> [1]
> https://svn.apache.org/repos/asf/shiro/branches/2.0-api-design-changes/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java
>
> On Wed, Sep 9, 2015 at 6:42 AM, Sreyan Chakravarty <
> [email protected]> wrote:
>
>>
>> If there is already a HashService in Shiro, then why is there a
>> PasswordService in Shiro? What is the reason for there to be two similar
>> things there?
>>
>> What's the difference? Where would you use which?
>>
>> Regards
>> Sreyan Chakravarty
>>
>>
>
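The layered design Les describes above (a HashService that turns bytes into a Hash, a HashFormat that renders that Hash as a self-describing MCF-style string, and a PasswordService composing the two), together with the backward-compatibility behaviour asked about in question 3, as an added example that is not part of this thread and is not Apache Shiro's code. It is written in Python, with PBKDF2-HMAC standing in for whatever configurable algorithm the hash service would use; the `example1` format identifier, the class names and the sample passwords are hypothetical and constructed for the example:

```python
"""Added illustration (not Apache Shiro code) of a password service layered
on a general-purpose hash service, with a self-describing MCF-style stored
format. The format identifier 'example1' is hypothetical."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


@dataclass(frozen=True)
class Hash:
    """Wraps the raw digest together with the parameters that produced it."""
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes


class HashService:
    """General-purpose hashing: bytes in, Hash out. Knows nothing about
    storage formats or password comparison. PBKDF2-HMAC stands in for the
    configurable algorithm here."""

    def __init__(self, algorithm: str = "sha256", iterations: int = 100_000,
                 salt_len: int = 16) -> None:
        self.algorithm = algorithm
        self.iterations = iterations
        self.salt_len = salt_len

    def compute_hash(self, source: bytes, *, salt: Optional[bytes] = None,
                     iterations: Optional[int] = None,
                     algorithm: Optional[str] = None) -> Hash:
        # Explicit parameters (taken from a parsed stored hash) override the
        # service's current configuration; otherwise a fresh random salt is used.
        algorithm = algorithm or self.algorithm
        iterations = self.iterations if iterations is None else iterations
        salt = os.urandom(self.salt_len) if salt is None else salt
        digest = hashlib.pbkdf2_hmac(algorithm, source, salt, iterations)
        return Hash(algorithm, iterations, salt, digest)


class ParsableHashFormat:
    """MCF-style text: $example1$<alg>$<iterations>$<b64 salt>$<b64 digest>.
    Everything needed to recompute the hash travels with the stored string."""
    ID = "example1"  # hypothetical identifier, not a real MCF registration

    def format(self, h: Hash) -> str:
        return f"${self.ID}${h.algorithm}${h.iterations}${_b64(h.salt)}${_b64(h.digest)}"

    def parse(self, text: str) -> Optional[Hash]:
        parts = text.split("$")  # the leading '$' yields an empty parts[0]
        if len(parts) != 6 or parts[0] != "" or parts[1] != self.ID:
            return None
        _, _, alg, iters, salt, digest = parts
        try:
            iterations = int(iters)
            if iterations < 1 or alg not in hashlib.algorithms_available:
                return None
            return Hash(alg, iterations,
                        base64.b64decode(salt, validate=True),
                        base64.b64decode(digest, validate=True))
        except ValueError:  # bad integer or bad base64 (binascii.Error)
            return None


class PasswordService:
    """Composes a HashService and a ParsableHashFormat into the two
    password-specific operations: encode for storage, and compare."""

    def __init__(self, hash_service: HashService, hash_format: ParsableHashFormat) -> None:
        self.hash_service = hash_service
        self.hash_format = hash_format

    def encrypt_password(self, plaintext: str) -> str:
        return self.hash_format.format(self.hash_service.compute_hash(plaintext.encode("utf-8")))

    def passwords_match(self, submitted: str, saved: str) -> bool:
        stored = self.hash_format.parse(saved)
        if stored is None:
            return False  # unparsable stored value: refuse rather than guess parameters
        # Reconstitute with the *stored* parameters, not the current configuration.
        recomputed = self.hash_service.compute_hash(
            submitted.encode("utf-8"), salt=stored.salt,
            iterations=stored.iterations, algorithm=stored.algorithm)
        return hmac.compare_digest(recomputed.digest, stored.digest)


def demo() -> dict:
    """Hash under an old configuration, then verify under a stronger new one."""
    fmt = ParsableHashFormat()
    old = PasswordService(HashService(iterations=50_000), fmt)
    saved = old.encrypt_password("correct horse battery staple")  # constructed sample
    new = PasswordService(HashService(iterations=100_000), fmt)
    return {
        "old_hash_still_verifies": new.passwords_match("correct horse battery staple", saved),
        "wrong_password_rejected": not new.passwords_match("Tr0ub4dor&3", saved),
        "old_hash_iterations": fmt.parse(saved).iterations,
        "new_hash_iterations": fmt.parse(new.encrypt_password("anything")).iterations,
        "garbage_rejected": not new.passwords_match("anything", "$unknown$1$x$y"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the stored string carries its own algorithm, iteration count and salt, the service can verify a hash produced under an older configuration without any side table, while newly stored hashes pick up the current work factor. This is also why a visible format identifier (the `shiro1$...` prefix asked about in question 2, or bcrypt's `$2b$`) is not by itself a weakness: MCF-style formats assume the scheme is public, and the protection rests on the random salt and the work factor rather than on hiding which algorithm was used.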