PBKDF2 Password Hashing - Proof of concept for comments

Hi All,

Please can I have comments on the following PBKDF2 password hashing proof
of concept:

password-hashing-proof · GitHub

I’m not really that familiar with this type of thing so I want some outside
comments on it.

Thanks.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon
mso http://www.mso.net - Lucee http://lucee.org - Member

I’m not really that familiar with this type of thing so I want some
outside comments on it.

Are you trying to learn, or do you just want something that works?

If the latter then…

cfPassphrase :: Sorcerer's Isle

The equivalent to what you posted, without the hassle of
casting/chars/etc…

<cfscript>
	password = 'password';
	secret = PassphraseHash( password , 'pbkdf2' , { iterations:10000 , SaltBytes:50 , HashBytes:256 } );
	dump(secret);
</cfscript>

Except 10k iterations is the bare minimum you should use - more would
be better. (The default is 86k.)

Tuning Algorithm Params · boughtonp/cfpassphrase Wiki · GitHub

If you don’t want to install the extension, you can use the jar direct…

PassObj = createObject('java','sorcerersisle.cfpassphrase.Impl','cfpassphrase-v0.1.jar');
secret = PassObj.hash( password , 'pbkdf2' , { iterations:10000 , SaltBytes:50 , HashBytes:256 } );

And if you specifically need an array of bytes of just the hash (which
is what your code outputs), you can use:

secret = createObject('java','javax.xml.bind.DatatypeConverter').parseHexBinary( ListLast(secret,':') );

But that’s probably unnecessary; a hex string is likely more
convenient, and you should be storing the whole thing anyway (i.e.
including the iterations and salt).

Hi Peter,

Little bit of learning but really just need something to use that I know is
working correctly. This looks great. You mention a Lucee extension but how
do I get it? I checked the Lucee Admin and it’s not listed in the default
extension provider, so I tried the Lucee zip file from your link but that
errors saying “There is no config.xml file available in the
extension!” which when looking at the zip is correct. What have I missed?

Thanks.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon
mso http://www.mso.net - Lucee http://lucee.org - Member

Hi Peter,

I have just been trying this out but I can’t get it working using the
instructions provided. I’ve added the files in the variable places but on
server start in the catalina.out file I’m seeing the error:

WARNING: Failed to process TLD found at
[/WEB-INF/lucee/library/tld/cfPassphrase.tld]java.io.FileNotFoundException:
Could not resolve XML resource [[dtd]] with public ID [-//Lucee//DTD CFML
Tag Library 1.0//EN], system ID [dtd/web-cfmtaglibrary_1_0.dtd] and base
URI [null] to a known, local entity.

I’m assuming this means that it hasn’t installed correctly as I then get:

No matching function [PASSPHRASEHASH] found

When attempting to run the example code.

Any ideas?

Kind regards,

Andrew
about.me http://about.me/andrew_dixon
mso http://www.mso.net - Lucee http://lucee.org - Member

On 15 April 2015 at 23:43, Andrew Dixon <@Andrew_Dixon> wrote:

Cool, thanks Peter.

Certainly know what you mean about life getting in the way.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon
mso http://www.mso.net - Lucee http://lucee.org - Member

On 15 April 2015 at 23:36, Peter Boughton <@Peter_Boughton> wrote:

Sorry I should have said about that, I’ve not done the auto-deploy thing
yet - it’s at the top of my todo list but life keeps getting in the way.

Installing manually is copying three files, as described here:

Installation · boughtonp/cfpassphrase Wiki · GitHub

I will check if there is an easier way to do it.

Micha

Hi Micha,

I did raise this ticket a couple of weeks ago for ACF compatibility as
ACF11 has the function built-in:

Kind regards,

Andrew
about.me http://about.me/andrew_dixon
mso http://www.mso.net - Lucee http://lucee.org - Member

It’s ok, I figured it out. I had the /context/library/fld and
/context/library/tld directories in a couple of different locations and it
was just a matter of getting them in the right one. All working now.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon
mso http://www.mso.net - Lucee http://lucee.org - Member

Andrew wrote:

It’s ok, I figured it out. I had the /context/library/fld and
/context/library/tld directories in a couple of different locations
and it was just a matter of getting them in the right one. All
working now.

Sorry for not responding sooner, but can you clarify on that - was it a
matter of getting files in the right WEB-INF dir, or did you need to put
them in the server-context ones for it to work?

It should work per web-context (i.e. WEB-INF), but I don’t remember if
I tested that on Lucee.

(Hopefully at some point this weekend I’ll get onto the auto-deploy
bundling stuff which should make this a non-issue anyway.)

Hi Peter,

Just managed to get back to this. I noticed in the function call and the
documentation there is no mention of salting the passphrase, either before
it is passed in or as a parameter in the function call itself.

Is it required to salt the passphrase manually? I assume it is and that it
would be recommended to do so. If so I will add something to the wiki on
Github.

Also what would you recommend for adding the salt, I have seen something
like this:

    passphrase = "password";
    random = createObject("java", "java.security.SecureRandom");
    salt_bytes = javaCast("byte[]", [].set(1,50,0));
    random.nextBytes(salt_bytes);
    salt = toBase64(salt_bytes);
    passphrase = passphrase & salt;

Thanks.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Member http://lucee.org

Hi Andrew,

You don’t need to provide the salt manually, it is done automatically:
cfpassphrase/PasswordHash.java at master · boughtonp/cfpassphrase · GitHub

You can increase the length of the salt with the SaltBytes parameter:
Tuning Algorithm Params · boughtonp/cfpassphrase Wiki · GitHub

The docs do gloss over this, so I’ll update them to make it clear.

Thanks,

Peter
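
Two points from Peter's replies in this thread, that the salt is generated by the hashing routine and that the stored value should carry the iterations and salt alongside the hash, shown as an added example (not cfpassphrase's code and not posted by anyone in the thread). The function names, the `MIN_ITERATIONS` policy variable and the `pbkdf2-sha256:iterations:saltHex:hashHex` record layout are assumptions; it calls the JVM's own `PBKDF2WithHmacSHA256` (Java 8 or later).

```cfml
<cfscript>
// Added example: hypothetical helper names and record layout, not cfpassphrase's API.
// Record layout (assumed): pbkdf2-sha256:iterations:saltHex:hashHex
MIN_ITERATIONS = 86000; // policy value; the thread names 10k as the bare minimum

function pbkdf2Raw(required string password, required binary salt,
                   required numeric iterations, required numeric hashBytes) {
    var spec = createObject("java", "javax.crypto.spec.PBEKeySpec").init(
        javaCast("string", arguments.password).toCharArray(), arguments.salt,
        javaCast("int", arguments.iterations),
        javaCast("int", arguments.hashBytes * 8)); // key length is given in bits
    return createObject("java", "javax.crypto.SecretKeyFactory")
        .getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
}

function hashPassword(required string password, numeric iterations = variables.MIN_ITERATIONS) {
    // A fresh random salt per password, created here so callers never supply one.
    var salt = createObject("java", "java.nio.ByteBuffer").allocate(javaCast("int", 16)).array();
    createObject("java", "java.security.SecureRandom").init().nextBytes(salt);
    var hash = pbkdf2Raw(arguments.password, salt, arguments.iterations, 32);
    return "pbkdf2-sha256:" & arguments.iterations & ":"
        & lCase(binaryEncode(salt, "hex")) & ":" & lCase(binaryEncode(hash, "hex"));
}

function verifyPassword(required string password, required string stored) {
    var result = { valid: false, needsRehash: false };
    var parts = listToArray(arguments.stored, ":");
    if (arrayLen(parts) != 4 || parts[1] != "pbkdf2-sha256"
            || !isValid("integer", parts[2]) || parts[2] < 1) {
        return result; // unknown or malformed record: reject, never guess parameters
    }
    try {
        var salt = binaryDecode(parts[3], "hex");
        var expected = binaryDecode(parts[4], "hex");
    } catch (any e) {
        return result; // salt or hash field is not valid hex
    }
    // Re-derive with the parameters stored in the record, then compare in constant time.
    var actual = pbkdf2Raw(arguments.password, salt, parts[2], len(parts[4]) / 2);
    result.valid = createObject("java", "java.security.MessageDigest").isEqual(actual, expected);
    // A correct password held under a weaker work factor should be re-hashed at login.
    result.needsRehash = result.valid && parts[2] < variables.MIN_ITERATIONS;
    return result;
}

stored = hashPassword("password", 10000);  // constructed sample record at the 10k floor
dump(verifyPassword("password", stored));  // correct password, record below policy
dump(verifyPassword("Password", stored));  // wrong password
</cfscript>
```

Because the record names its own iteration count, raising `MIN_ITERATIONS` later does not invalidate existing records; each one is upgraded the next time its owner logs in.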

Hi Peter,

Yeah, I worked that out after sending the message, but forgot to follow up
and say.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Member http://lucee.org

Here is my version of PBKDF2 hashing in CFML if you’re
interested: https://gist.github.com/ryanguill/11405725