diff options
author | Jack Lloyd <[email protected]> | 2017-03-23 15:45:50 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-03-24 10:55:38 -0400 |
commit | c0901e801d72bb2fdf3a205f6debf5ed954567f8 (patch) | |
tree | a959f1ce5fb348d8160938a5bb4fb2070f3a6c71 /doc/manual | |
parent | c936086354203ddf275435fff611d3e2c99e6975 (diff) |
Fix incorrect password truncation in bcrypt password hashing.
The 56 char bound is bogus; Blowfish itself allows at most 448 bits
in the key schedule, but Bcrypt's modification allows up to 72 chars
for the password. Bug pointed out by Solar Designer.
Also reject work factors 0...3 since all other extant bcrypt
implementations require at least work factor 4.
Adds more bcrypt tests generated by crypt_bcrypt and OpenBSD's version.
Diffstat (limited to 'doc/manual')
-rw-r--r-- | doc/manual/passhash.rst | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/doc/manual/passhash.rst b/doc/manual/passhash.rst index b3db1f3e7..725fc5535 100644 --- a/doc/manual/passhash.rst +++ b/doc/manual/passhash.rst @@ -85,12 +85,22 @@ Bcrypt provides outputs that look like this:: "$2a$12$7KIYdyv8Bp32WAvc.7YvI.wvRlyVn0HP/EhPmmOyMQA4YKxINO0p2" +Currently only the `2a` bcrypt format is supported. + .. cpp:function:: std::string generate_bcrypt(const std::string& password, \ RandomNumberGenerator& rng, u16bit work_factor = 10) - Takes the password to hash, a rng, and a work factor. Higher values - increase the amount of time the algorithm runs, increasing the cost - of cracking attempts. The resulting hash is returned as a string. + Takes the password to hash, a rng, and a work factor. Higher work + factors increase the amount of time the algorithm runs, increasing + the cost of cracking attempts. The increase is exponential, so a + work factor of 10 takes roughly twice as long as work factor 9. + + The resulting password hash is returned as a string. + + Work factor must be at least 4. The bcrypt format allows up to 31, + but Botan currently rejects all work factors greater than 18 since + even that work factor requires roughly 30 seconds of computation on + a fast machine. .. cpp:function:: bool check_bcrypt(const std::string& password, \ const std::string& hash) @@ -105,7 +115,9 @@ Passhash9 ---------------------------------------- Botan also provides a password hashing technique called passhash9, in -``passhash9.h``, which is based on PBKDF2. Its outputs look like:: +``passhash9.h``, which is based on PBKDF2. + +Passhash9 hashes look like:: "$9$AAAKxwMGNPSdPkOKJS07Xutm3+1Cr3ytmbnkjO6LjHzCMcMQXvcT" @@ -113,6 +125,11 @@ This function should be secure with the proper parameters, and will remain in the library for the forseeable future, but it is specific to Botan rather than being a widely used password hash. Prefer bcrypt. +.. warning:: + + This password format string ("$9$") conflicts with the format used + for scrypt password hashes on Cisco systems. + .. cpp:function:: std::string generate_passhash9(const std::string& password, \ RandomNumberGenerator& rng, u16bit work_factor = 10, byte alg_id = 1) |