Message-ID: <20221028145752.GA17027@openwall.com>
Date: Fri, 28 Oct 2022 16:57:52 +0200
From: Solar Designer <solar@...nwall.com>
To: yescrypt@...ts.openwall.com
Subject: Re: Improving security of old DES hashes with fixed salt with "yescrypt"

On Fri, Oct 28, 2022 at 04:25:31PM +0200, Matthias Apitz wrote:
> We run large databases wherein the user credentials of many thousands of
> users are crypt'ed with DES (Unix crypt(3) with fixed salt). To improve
> the security we implemented a hint "why not just re-encrypt the existing
> DES hash with yescrypt". This works fine in all our C-written
> application servers.

For others reading this, the mentioned hint was by me in a thread on
john-users, and I described the various aspects to be aware of here:

https://www.openwall.com/lists/john-users/2022/10/13/5

> I have implemented this now in all our C-written application
> servers. The clear "PIN" is hashed by:
>
> hash = MakeCryptYescrypt(MakeCryptDes(PIN), NULL);
>
> and the hash is stored in the database row for the user.
>
> The check whether the "PIN" was entered correctly is made later on login
> with something like this:
>
> if (strcmp(hash, MakeCryptYescrypt(MakeCryptDes(PIN), hash)) == 0) {
>     /* PIN is good */
> }
>
> This is all fine now.
>
> The last problem to solve is that some Java-written application is also
> doing the same encryption and checks, and I can't find any Java
> implementation of yescrypt. Before writing a NIF to a C function, I
> wanted to ask the experts.

I'm not aware of an existing Java implementation/bindings of/for yescrypt.
Writing your own bindings for your C function is probably the way to go.

As a possible alternative (not necessarily the best one), you can call the
underlying system's crypt(3) from Java. yescrypt is supported in crypt(3)
on recent Linux distributions that use recent libxcrypt. It is supported
even by some distributions that don't or didn't yet use yescrypt by
default. For example, on Ubuntu yescrypt is supported in libxcrypt since
20.04, but is the default since 22.04. This means that on Ubuntu you can
use yescrypt via crypt(3) starting with 20.04.

Alexander
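The crypt(3)-from-Java route suggested above, written out as an added example that is not part of this thread or of either poster's code. It assumes JNA (com.sun.jna) on the classpath and a libxcrypt-based system libcrypt that still supports descrypt alongside yescrypt (as on Ubuntu 20.04 and later); the class and method names and the two-character DES salt are constructed placeholders, and crypt_gensalt(3) is a libxcrypt extension.

```java
import com.sun.jna.Library;
import com.sun.jna.Native;
import com.sun.jna.NativeLong;
import com.sun.jna.Pointer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public final class PinHash {
    // JNA binding to the system libcrypt. crypt_gensalt(3) exists in libxcrypt only.
    interface LibCrypt extends Library {
        LibCrypt INSTANCE = Native.load("crypt", LibCrypt.class);
        String crypt(String phrase, String setting);
        String crypt_gensalt(String prefix, NativeLong count, Pointer rbytes, int nrbytes);
    }

    // Constructed placeholder: the application's real fixed DES salt goes here.
    private static final String FIXED_DES_SALT = "ab";

    // crypt(3) writes to a static buffer, so calls are serialized. libxcrypt signals
    // failure with a token starting with '*'; older libcs return NULL instead.
    private static synchronized String cryptChecked(String phrase, String setting) {
        String out = LibCrypt.INSTANCE.crypt(phrase, setting);
        if (out == null || out.startsWith("*")) {
            throw new IllegalStateException("crypt(3) failed for setting " + setting);
        }
        return out;
    }

    // Stage 1: the legacy 13-character DES hash with the fixed salt, as in the database.
    static String makeCryptDes(String pin) {
        return cryptChecked(pin, FIXED_DES_SALT);
    }

    // Stage 2: yescrypt over the DES hash. setting == null means "generate a fresh
    // random yescrypt setting"; passing the stored hash reuses its salt and parameters.
    static synchronized String makeCryptYescrypt(String desHash, String setting) {
        if (setting == null) {
            setting = LibCrypt.INSTANCE.crypt_gensalt("$y$", new NativeLong(0), null, 0);
            if (setting == null) throw new IllegalStateException("crypt_gensalt(3) failed");
        }
        return cryptChecked(desHash, setting);
    }

    // Enrollment: hash = yescrypt(des(PIN)); only this value is stored in the user's row.
    static String enroll(String pin) {
        return makeCryptYescrypt(makeCryptDes(pin), null);
    }

    // Login: recompute with the stored hash as the setting and compare in constant time.
    static boolean verify(String pin, String storedHash) {
        String recomputed = makeCryptYescrypt(makeCryptDes(pin), storedHash);
        return MessageDigest.isEqual(recomputed.getBytes(StandardCharsets.UTF_8),
                                     storedHash.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because crypt(3) keeps its result in a static buffer, the synchronized wrapper matters in a multithreaded application server; crypt_r(3) would avoid the lock but needs a struct crypt_data mapping in JNA.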