Rev 67 | Rev 68 | ||
Line 46... | Line 46... | ||
46 | Valid <mode> : |
46 | Valid <mode> : |
47 | sp = salt + password |
47 | sp = salt + password |
48 | ps = password + salt |
48 | ps = password + salt |
49 | sps = salt + password + salt |
49 | sps = salt + password + salt |
50 | hmac = HMAC (salt is the key) |
50 | hmac = HMAC (salt is the key) |
51 | pbkdf2 = PBKDF2 (Additional param i= contains the number of iterations) |
51 | pbkdf2 = PBKDF2-HMAC (Additional param i= contains the number of iterations) |
52 | Like most Crypt-hashes, <salt> and <hash> are Radix64 coded |
52 | Like most Crypt-hashes, <salt> and <hash> are Radix64 coded |
53 | with alphabet './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' and no padding. |
53 | with alphabet './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' and no padding. |
54 | Link to the online specification: |
54 | Link to the online specification: |
55 | https://oidplus.viathinksoft.com/oidplus/?goto=oid%3A1.3.6.1.4.1.37476.3.0.1.1 |
55 | https://oidplus.viathinksoft.com/oidplus/?goto=oid%3A1.3.6.1.4.1.37476.3.0.1.1 |
56 | Reference implementation in PHP: |
56 | Reference implementation in PHP: |
Line 180... | Line 180... | ||
180 | $bits = explode('-',$algo)[1]; |
180 | $bits = explode('-',$algo)[1]; |
181 | $bin_hash = \bb\Sha3\Sha3::hash_pbkdf2($str_password, $str_salt, $iterations, $bits, 0, true); |
181 | $bin_hash = \bb\Sha3\Sha3::hash_pbkdf2($str_password, $str_salt, $iterations, $bits, 0, true); |
182 | } else { |
182 | } else { |
183 | if ($iterations == 0) { |
183 | if ($iterations == 0) { |
184 | // Recommendations taken from https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 |
184 | // Recommendations taken from https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 |
185 | // I am not sure if these recommendations are correct. They write PBKDF2-HMAC-SHA1... |
- | |
186 | // Does this count for us, or does hash_pbkdf2() implement PBKDF2-SHA1 rather than PBKDF2-HMAC-SHA1? |
185 | // Note that hash_pbkdf2() implements PBKDF2-HMAC-* |
187 | if ($algo == 'sha3-512') $iterations = 100000; |
186 | if ($algo == 'sha3-512') $iterations = 100000; |
188 | else if ($algo == 'sha3-384') $iterations = 100000; |
187 | else if ($algo == 'sha3-384') $iterations = 100000; |
189 | else if ($algo == 'sha3-256') $iterations = 100000; |
188 | else if ($algo == 'sha3-256') $iterations = 100000; |
190 | else if ($algo == 'sha3-224') $iterations = 100000; |
189 | else if ($algo == 'sha3-224') $iterations = 100000; |
191 | else if ($algo == 'sha512') $iterations = 210000; // value by owasp.org cheatcheat (28.02.2023) |
190 | else if ($algo == 'sha512') $iterations = 210000; // value by owasp.org cheatcheat (28 February 2023) |
192 | else if ($algo == 'sha512/256') $iterations = 210000; // value by owasp.org cheatcheat (28.02.2023) |
191 | else if ($algo == 'sha512/256') $iterations = 210000; // value by owasp.org cheatcheat (28 February 2023) |
193 | else if ($algo == 'sha512/224') $iterations = 210000; // value by owasp.org cheatcheat (28.02.2023) |
192 | else if ($algo == 'sha512/224') $iterations = 210000; // value by owasp.org cheatcheat (28 February 2023) |
194 | else if ($algo == 'sha384') $iterations = 600000; |
193 | else if ($algo == 'sha384') $iterations = 600000; |
195 | else if ($algo == 'sha256') $iterations = 600000; // value by owasp.org cheatcheat (28.02.2023) |
194 | else if ($algo == 'sha256') $iterations = 600000; // value by owasp.org cheatcheat (28 February 2023) |
196 | else if ($algo == 'sha224') $iterations = 600000; |
195 | else if ($algo == 'sha224') $iterations = 600000; |
197 | else if ($algo == 'sha1') $iterations = 1300000; // value by owasp.org cheatcheat (28.02.2023) |
196 | else if ($algo == 'sha1') $iterations = 1300000; // value by owasp.org cheatcheat (28 February 2023) |
198 | else if ($algo == 'md5') $iterations = 5000000; |
197 | else if ($algo == 'md5') $iterations = 5000000; |
199 | else $iterations = 5000; |
198 | else $iterations = 5000; |
200 | } |
199 | } |
201 | $bin_hash = hash_pbkdf2($algo, $str_password, $str_salt, $iterations, 0, true); |
200 | $bin_hash = hash_pbkdf2($algo, $str_password, $str_salt, $iterations, 0, true); |
202 | } |
201 | } |
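Review bot: The default-iteration block only runs in the else branch, so the `\bb\Sha3\Sha3::hash_pbkdf2()` call on new-side line 181 still receives `$iterations` unmodified, including 0, whenever the polyfill branch is taken; whether the polyfill rejects or silently accepts 0 iterations is not visible here. The guard `if ($iterations == 0)` also uses a loose comparison; assuming the `i=` parameter has been cast to int before this point (its parsing is outside the hunk), `if ($iterations === 0)` is the intended check. I would hoist the guard above the branch selection and replace the else-if chain with a lookup table, so both implementations share one source of defaults and the OWASP-sourced values are distinguishable from the project's own picks (the sha3-*, sha384, sha224, md5 and fallback values carry no citation). The enclosing function starts and ends outside the hunk, as does the condition that selects between the polyfill and `hash_pbkdf2()`.
```php
// Resolve the iteration count before choosing an implementation, so the
// default applies to the sha3 polyfill branch as well as to hash_pbkdf2().
if ($iterations === 0) {
    // Recommendations taken from https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
    // Note that hash_pbkdf2() implements PBKDF2-HMAC-*
    // Values marked OWASP are from the owasp.org cheat sheet (28 February 2023);
    // the others are this project's own choices.
    $default_iterations = [
        'sha3-512'   => 100000,
        'sha3-384'   => 100000,
        'sha3-256'   => 100000,
        'sha3-224'   => 100000,
        'sha512'     => 210000,  // OWASP
        'sha512/256' => 210000,  // OWASP
        'sha512/224' => 210000,  // OWASP
        'sha384'     => 600000,
        'sha256'     => 600000,  // OWASP
        'sha224'     => 600000,
        'sha1'       => 1300000, // OWASP
        'md5'        => 5000000,
    ];
    $iterations = $default_iterations[$algo] ?? 5000;
}
// … unchanged: selection between the \bb\Sha3\Sha3 polyfill and hash_pbkdf2(), with the per-branch default block removed …
```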