Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <Y1v8laVpkhtYYsc2@c720-r368166>
Date: Fri, 28 Oct 2022 18:00:21 +0200
From: Matthias Apitz <guru@...xarea.de>
To: yescrypt@...ts.openwall.com
Subject: Re: Improving security of old DES hashes with fixed salt
 with "yescrypt"

El día viernes, octubre 28, 2022 a las 04:57:52p. m. +0200, Solar Designer escribió:

> > The last problem to solve is, that also some Java-written application is
> > doing the same encryption and checks and I can't find any Java
> > implementation of yescrypt. Before writing a NIF to a C-function, I
> > wanted to ask the experts.
> 
> I'm not aware of an existing Java implementation/bindings of/for
> yescrypt.  Writing your own bindings for your C function is probably the
> way to go.
> 
> As a possible alternative (not necessarily the best one), you can call
> the underlying system's crypt(3) from Java.  yescrypt is supported in
> crypt(3) on recent Linux distributions that use recent libxcrypt.  It is
> supported even by some distributions that don't or didn't yet use
> yescrypt by default.  For example, on Ubuntu yescrypt is supported in
> libxcrypt since 20.04, but is the default since 22.04.  This means that
> on Ubuntu you can use yescrypt via crypt(3) starting with 20.04.

While doing the implementation, I wrote a small C-pgm for demo and test
purpose which expects two parameters, a PIN and a yescrypt hash, and
checks if the PIN, re-encrypted with DES and yescrypt with the hash as
the salt, results again in the same hash:

./a.out 4711 '$y$jFT$4jf8BiOvgz14CJJ4lxBCi/$DD3S4PuniWVVuXr37GxmDXuP2XclbzIYB2JbgekVxg5'
pin: 4711
hash: $y$jFT$4jf8BiOvgz14CJJ4lxBCi/$DD3S4PuniWVVuXr37GxmDXuP2XclbzIYB2JbgekVxg5

result: matched

./a.out 4712 '$y$jFT$4jf8BiOvgz14CJJ4lxBCi/$DD3S4PuniWVVuXr37GxmDXuP2XclbzIYB2JbgekVxg5'
pin: 4712
hash: $y$jFT$4jf8BiOvgz14CJJ4lxBCi/$DD3S4PuniWVVuXr37GxmDXuP2XclbzIYB2JbgekVxg5

result: don't match

Perhaps we will use a similar approach, starting from the Java
application such a programm and check its exit value.

	matthias
-- 
Matthias Apitz, ✉ guru@...xarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.