
Add scrypt and pbkdf2 password encoder in module security #110

Closed
6 tasks done
jeevatkm opened this issue Sep 5, 2017 · 5 comments
Labels: enhancement, lib-security Security (Authc, Authz, Password Crypto, etc)

jeevatkm commented Sep 5, 2017

Currently aah supports bcrypt password encoder.

Add scrypt and pbkdf2 too with configurable options.

Enhance the acrypto.PasswordEncoder interface to support generating a password hash by algorithm.

type PasswordEncoder interface {
	// Generate hashes the plaintext password (salting per the chosen algorithm) and returns the encoded hash.
	Generate(password []byte) ([]byte, error)
	// Compare reports whether password matches the previously generated hash.
	Compare(hash, password []byte) bool
}
  • Implement scrypt
  • Implement pbkdf2
  • Expose convenience access to all three algorithms
    - security.Bcrypt.*
    - security.Scrypt.*
    - security.Pbkdf2.*
  • CLI update: the aah new command asks for the password algorithm
  • App Template update
  • Documentation
@jeevatkm jeevatkm created this issue from a note in aah Roadmap (v0.9 - Iteration (Not Started)) Sep 5, 2017
@jeevatkm jeevatkm added enhancement lib-security Security (Authc, Authz, Password Crypto, etc) labels Sep 5, 2017
@jeevatkm jeevatkm modified the milestone: v0.9 Milestone Sep 5, 2017
@jeevatkm jeevatkm self-assigned this Sep 5, 2017
@jeevatkm jeevatkm moved this from v0.9 - Iteration to v0.9 - In Progress in aah Roadmap Sep 10, 2017
jeevatkm added a commit to go-aah/security that referenced this issue Sep 11, 2017
jeevatkm added a commit to go-aah/docs that referenced this issue Sep 12, 2017
@jeevatkm jeevatkm moved this from v0.9 - In Progress to v0.9 - Completed in aah Roadmap Sep 12, 2017

julienkosinski commented Sep 12, 2017

@jeevatkm Great job! :)

I read some stuff about PBKDF2.

It seems that these days, in 2017, PBKDF2 should be avoided... Maybe it could be important to advise scrypt and bcrypt...?
Also, maybe, I think if someone uses PBKDF2, it really should be with SHA-512 (SHA-1 has security breaches; PBKDF2 over SHA-1 should still be quite secure, but I would not tempt it) to prevent GPU-based attacks a bit more than other hashes.

Prefer bcrypt or, even better, scrypt over PBKDF2.

https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-1ef4bb9c19b3
https://security.stackexchange.com/questions/133239/what-is-the-specific-reason-to-prefer-bcrypt-or-pbkdf2-over-sha256-crypt-in-pass


jeevatkm commented Sep 12, 2017

Thank you @julienkosinski.

The default password encoder enabled in aah is bcrypt with cost 12. aah also supports scrypt and pbkdf2, which come with default values to start with. From there on, users can tune those parameters as per their compliance requirements.

I believe those posts/articles are discussing SHA256-crypt and SHA512-crypt vs bcrypt and pbkdf2 hashes.
A good read about password hashes: https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage/

Things that should be avoided: just a hash (md5, SHA-*), just a hash with salt (md5, SHA-*).

Typically it is recommended to use bcrypt, scrypt or pbkdf2 (with HMAC-SHA256 or HMAC-SHA512). These algorithms are supported by aah, so that aah users can choose as they wish.

@julienkosinski

@jeevatkm You do take care of aah users very well! Great link thanks! You're right! :D


jeevatkm commented Sep 12, 2017

@julienkosinski Thank you.

For every feature and enhancement in aah I do a lot of study and research on the implementation and default values, to align with real-world usage.

Also, I just read your updated comment. I will add a warning message via logging if the user chooses pbkdf2 with a hash other than SHA-256 or SHA-512.

Do you mind reviewing this doc https://github.com/go-aah/docs/blob/v0.9-dev/password-encoders.md and adding your inputs to it?


julienkosinski commented Sep 12, 2017

@jeevatkm Yeah, I'm going to propose some words about it. SHA-1 collision attacks are not as severe as I wrote in my first edit in that case, because of the way PBKDF2 works. Maybe I'll propose something in the doc to advise avoiding SHA-1 anyway :).

Recent Google searches: http://thehackernews.com/2017/02/sha1-collision-attack.html
https://crypto.stackexchange.com/questions/15218/is-pbkdf2-hmac-sha1-really-broken

@jeevatkm jeevatkm moved this from v0.9 - Completed to Released to Audience in aah Roadmap Oct 4, 2017