Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 28 Oct 2022 18:00:21 +0200
From: Matthias Apitz <>
Subject: Re: Improving security of old DES hashes with fixed salt
 with "yescrypt"

El día viernes, octubre 28, 2022 a las 04:57:52p. m. +0200, Solar Designer escribió:

> > The last problem to solve is, that also some Java-written application is
> > doing the same encryption and checks and I can't find any Java
> > implementation of yescrypt. Before writing a NIF to a C-function, I
> > wanted to ask the experts.
> I'm not aware of an existing Java implementation/bindings of/for
> yescrypt.  Writing your own bindings for your C function is probably the
> way to go.
> As a possible alternative (not necessarily the best one), you can call
> the underlying system's crypt(3) from Java.  yescrypt is supported in
> crypt(3) on recent Linux distributions that use recent libxcrypt.  It is
> supported even by some distributions that don't or didn't yet use
> yescrypt by default.  For example, on Ubuntu yescrypt is supported in
> libxcrypt since 20.04, but is the default since 22.04.  This means that
> on Ubuntu you can use yescrypt via crypt(3) starting with 20.04.

While doing the implementation, I wrote a small C-pgm for demo and test
purpose which expects two parameters, a PIN and a yescrypt hash, and
checks if the PIN, re-encrypted with DES and yescrypt with the hash as
the salt, results again in the same hash:

./a.out 4711 '$y$jFT$4jf8BiOvgz14CJJ4lxBCi/$DD3S4PuniWVVuXr37GxmDXuP2XclbzIYB2JbgekVxg5'
pin: 4711
hash: $y$jFT$4jf8BiOvgz14CJJ4lxBCi/$DD3S4PuniWVVuXr37GxmDXuP2XclbzIYB2JbgekVxg5

result: matched

./a.out 4712 '$y$jFT$4jf8BiOvgz14CJJ4lxBCi/$DD3S4PuniWVVuXr37GxmDXuP2XclbzIYB2JbgekVxg5'
pin: 4712
hash: $y$jFT$4jf8BiOvgz14CJJ4lxBCi/$DD3S4PuniWVVuXr37GxmDXuP2XclbzIYB2JbgekVxg5

result: don't match

Perhaps we will use a similar approach, starting from the Java
application such a programm and check its exit value.

Matthias Apitz, ✉, +49-176-38902045
Public GnuPG key:

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.