http://danlimerick.wordpress.com/2013/02/03/build-your-open-source-net-project-on-travis-ci/

Write a suite of unit tests and have them run automatically on Travis-CI.

It does not check or use the specified hash algorithm in the string that gets validated. This needs to be fixed.

Remove this code from the pages (force them to come to github).

Thanks for having the time to create something like this.

The PHP code in the compartible-versions can be used in production? Or should wait for the it to reach a certain tag? (although there are no tags right now)

Is == sufficient in Ruby? Or should a timing safe comparison method be patched in?

A password validation can fail for more than one reason. Either the password is wrong, or the hash is invalid (malformed), or something even weirder is going on. In any case, client code should be able to distinguish (as best possible) between these scenarios. Create standard exception names for the various cases so that they are consistent across the different implementations.

PHP has supported classes since version 4, so I don't ever see anyone needing one that isn't a class, and if they really need one, they can take responsibility for converting it. Let's not waste effort maintaining it.

Make a compatible python implementation.

As titled above.

Apply the two-clause BSD license to all of code.

http://opensource.org/licenses/BSD-2-Clause

<?php
/* 
 * Copyright (c) 2013, Taylor Hornby
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice, 
 * this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation 
 * and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 * POSSIBILITY OF SUCH DAMAGE.
 */
?>

Make test-vector unit tests for all of the implementations.

http://www.ietf.org/rfc/rfc6070.txt

It does not check or use the specified hash algorithm in the string that gets validated. This needs to be fixed.

There should only be one version of all the code, all of which is compatible with each other. The reason they weren't compatible in the first place is because I could save a few microseconds by avoiding a base64 encode/decode by writing it in a different way for each language. Obviously, that's retarded, since compatibility is 1000x more important.

As titled above

Either:

• Use HMAC with a random key for constant-time comparison, or
• Evaluate the worst attack if the salt is known/unknown and possibly decide to drop the constant time compare.

/**
 * Converts a byte array into a hexadecimal string.
 *
 * @param   array       the byte array to convert
 * @return              a length*2 character string encoding the byte array
 */
private static String toBase64(byte[] array)
{
    return DatatypeConverter.printBase64Binary(array);
}

lol

Get the tests up and running on Travis-CI.

The example won't work because it assumes you have a SQLITE db already with tables set. It is depending on a deleted file that was removed during cleanup of the repo. We made a ticket for this file issue: #20

The example doesn't seem to include its own DB.php file. I don't know what's up with that, but it needs to be fixed as well.

This is error prone and can lead to whitespace being outputted when we don't want any to be.

@redragonx Please fix all the FIXMEs I added to the tests (grep for FIXME and you'll see them all).

1000 iterations is too few. In practice, logins are infrequent, and if someone is really processing more than 10 logins per second they probably already have significant infrastructure. Let's increase the default iteration count to 32000, which takes 0.08 seconds (~12.5/logins/sec/core) on my system.

https://docs.oracle.com/javase/7/docs/api/javax/crypto/spec/PBEKeySpec.html

"Different PBE mechanisms may consume different bits of each password character. For example, the PBE mechanism defined in PKCS #5 looks at only the low order 8 bits of each character, whereas PKCS #12 looks at all 16 bits of each character."

We need to verify that all of the character is being included in the hash calculation, not just the lower 8 bits. Write a unit test for this.

From email:

Just wanted to note that the classes RNGCryptoServiceProvider and Rfc2898DeriveBytes implement IDisposable because they're using the operating system's cryptography API which needs to be freed after use. I've changed your code to wrap those instances in a using() block.

Move @sarciszewski's simple_login example into compatible on the compatible-versions branch. Then test it.

@redragonx please do this if you can, as well.

https://stackoverflow.com/questions/2620975/strange-n-in-base64-encoded-string-in-ruby

Using the word "hash" to refer to CreateHash's return value is a misnomer. It's not a hash. It's a bunch of different things, including the output of PBKDF2 which isn't a hash. We should standardize the codebase and documentation to use the term "verifier" for this string.

Any plans to have this ported to Node.js? Should be pretty easy, it has all the requirements out of the box (that means, on npm)

If it's not already in the makings, I could try to hack something together

Look and see if Travis supports multiple languages (and their versions) being specified in the configuration. Ideally, we want to test compatibility between the cross product of all versions of one language with all versions of another.

The length parameter to PBKDF2 is determined, when validating a password, by taking the strlen() of the hash component of the saved hash. This means that if, say, the hash part is intentionally or accidentally truncated to 1 byte then the hash will only provide 8 bits of security. This should not be a problem in practice since hashes should never be truncated, but it might affect some users who use it with a broken database that likes to truncate things so it should be fixed.

• Add a test case for this issue
• Add a length field, then compare it to the length of the hash that's there and return false if the length isn't what it's expected to be. That way we can raise a different error in the future so the user can distinguish "Something is SERIOUSLY wrong, the database truncated a hash" from "The user got their password wrong but everything is fine."
• Ensure the test passes.

Edit: Changed the second point above. It used to say add the length to the salt, but that's bad because: (1) It doesn't let the user distinguish the hash being broken in that way from the user getting their password wrong (really, it should be a fatal exception whereas passwords are gotten wrong every day), and (2) If the hash is truncated to one byte, it will be correct with 1/256 probability even with the wrong length anyway.

(I'll probably end up referencing this in a PR before the day is over.)

Let's include some examples (e.g. a simple login form, etc) that implement this class, to help visually-inclined developers better understand how to use it.

'nuff said :)

The tests are really messy and inconsistent. Clean them up.

There may be a timing attack against the “SlowEquals” implementation in C#.

Should slow equals be decorated with

[MethodImpl(MethodImplOptions.NoOptimization)]

From:

http://stackoverflow.com/questions/20448765/methodimplnooptimization-on-this-method-what-does-it-do-and-is-it-really-nes

“
If a "smart" compiler turned that function into something that returns false as soon as a mismatch was found, it could make code using this function vulnerable to a "timing attack"---an attacker could conceivably figure out where the first mismatch in a string was based on how long the function took to return.
This isn't just science fiction, actually, even though it may seem like it is. Even with the Internet in the way, you can take a whole bunch of samples and use some statistics to figure out what's going on if you have a guess that the implementation short-circuits.
”

Just before we release v2.0, after all of the other tickets in the milestone have been closed, it should be audited by me and some other volunteers. Maybe we can set up a bug bounty.

(Maybe @sarciszewski will be interested).

This library uses PBKDF2. There are much better options now. I'm going to finish all of the currently-open tickets, and then "abandon" it. By abandon, I mean: No new features, only fixes to bugs (especially security bugs) reported by users.

The only case where you want to use this library is if you really needed compatibility between languages. Otherwise, there are better options.

Travis-CI can't test multiple languages in a single repository. We have to use something like Vagrant. Supersedes #26.

Didn't check the other implementions, but only PHP, it's checking:

for($i = 0; $i < strlen($a) && $i < strlen($b); $i++) //...

When supplying a bigger password for $b (like 100000 in length), the function will stop at the length of $a, which is much smaller, which after sometime and persistence can actually discover the length of the pbkdf2 stored, defeating the purpose of a constant time comparision.

both values should be sha1-hashed and transformed to hex, then compared. they will always have the same length, thus avoiding the problem.

The implementation, IMHO, should be more like this https://github.com/pocesar/password-hashing/blob/true-constant-time/PasswordHash.js#L94-L111

In the old branch, there was a PHP implementation that was a class, instead of putting functions in the global namespace. That's better for 99% of users. Bring that back and make it compatible.

https://travis-ci.org/defuse/password-hashing/jobs/60788535

PHP<->Ruby Compatibility
---------------------------------------------
PHP hash validating in Ruby: pass
PHP hash validating bad password in Ruby: pass
Could not open input file: ./tests/phpVerify.php
Ruby hash validating in PHP: FAIL
FAIL.

Nobody should ever be using PBKDF2-CRC32. Therefore, we should limit the options to:

• SHA224, SHA256, SHA384, SHA512, etc.
• SHA1
• RipeMD160 (and 256, and 320 but NOT 128)
• whirlpool
• gost (is it broken?)
• haval (is it broken?)
• snefru?
• tiger?

Add a README that documents how to safely use this library.

It does not check or use the specified hash algorithm in the string that gets validated. This needs to be fixed.

PHP now has a native implementation of PBKDF2. We should use it when available:

http://php.net/manual/en/function.hash-pbkdf2.php

Someone has already done this, but unfortunately their code is broken:

http://pastebin.com/f5PDq735

Make sure to benchmark it and check that it's not slower, though. Sadly, with PHP, that's a real possibility. The other language implementations are all already using native implementations.

We should keep an eye out for native scrypt implementations, too.