- Find a modern hashing algorithm PKBDF2 or Argon2.
- Must allow hash to be salted and the salt to be different every-time.
- Allow for the number of iterations to be specified.
- Previously I have also store a version number with the hash, this would also be a useful option.
- Validation should not require the original salt. Some solutions (one well known 3rd party company) says that you store the hash of the password and the salt in the database.
- Works with existing Javascript hashing solutions e.g. CryptoJS, I imagine once the same parameters are applied it should work so that the hash can be created in Javascript and the validation can be done by Delphi.
Does anyone no of any 3rd party components that do password hashing well?
TMS Cryptography Pack wouldn't do this?
ReplyDelete(Disclaimer, I haven't used it, but am looking at their all access package)
With TMS you also need to store the salt. So when a user enters the password you hash it with the previous salt and compare the hash values. In Visual Studio you can have different salt values that produce different hash value but the validation matches them (PKBDF2).
DeleteI don't see how it would be possible to validate the hashed salted password without the salt. There seems to be something fundamentally broken if you are able to accomplish that task. You typically store the cleartext username, hashed password, and cleartext salt. Your salt can/should be unique per user. The salt should be cryptographically secure random data and not overly short. If you want to be overly secure, store the salt in a separate location than the username and hash. Certainly don't have one salt value for the entire database as that would dramatically reduce it's value. I haven't used TMS components, but from the face of it they seem fine. SecureBlackBox.com has the 'best' Delphi components for security, and StreamSec would be a runner up. I just purchased a TMS all-access license and I will be testing their cipher set soon and plan on using it.
DeleteSpecifically, PKDBF2 is calculated as: DK = PBKDF2(PRF, Password, Salt, c, dkLen) One character difference in salt should produce a completely unintellible/uncomparable derived key result....there should be no way to compare two hashes with different salts.
https://github.com/Xor-el/HashLib4Pascal
ReplyDeletehttps://bitbucket.org/sergworks/tforge/downloads/
ReplyDeleteCheck TSynSigner.PBKDF2 in https://github.com/synopse/mORMot/blob/master/SynCrypto.pas#L2050
ReplyDeleteThis supports SHA-1, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHA3-S128, SHA3-S256 as internal hashing algorithm, and it is the fastest implementation in Delphi AFAIK.
Try Bcrypt for Delphi or Scrypt for Delphi
ReplyDeletehttps://github.com/JackTrapper/bcrypt-for-delphi
https://github.com/JackTrapper/scrypt-for-delphi
I can recommend this bcrypt library too. Bcrypt is a standard solution for this task and the library is working without a problem for our systems.
DeleteYes BCrypt does seem to do what I am after. Thanks
DeleteBy definition, salt could be known and stored within the DB, e.g. as 'salt|hashedpassword'. It just should be genuine, even better associated with a timestamp and an expiration time.
ReplyDelete