Collaborate Disseminate
In the NIST SP 800-132, they specified two ways to use the data protection key (DPK) that is derived from a password. One of them is to use the DPK to encrypt data, and then, if I am not mistaken, destroying the DPK. To verify whether an… Continue reading Why is "not storing data protection keys" not a popular choice?
Background:
We have an application with password authentication. We now need to raise the number of PBKDF2-iterations and this means that the login takes quite a bit longer than before. Therefore, instead of a spinning wheel animation, we … Continue reading How to track PBKDF2 progress?
I am not totally sure how the following concepts are related, could someone please explain?
password-based key derivation
passphrase that can be passed to crypto.generateKeyPairSync (in Node.js)
PBKDF2
I am creating a simple chat applica… Continue reading relation passphrase and password-based key derivation
So if I got this right from my intense research, the following procedure would be preferrable:
Use the PBKDF2 key derivation function to derive a secret key from the users password on the client side.
Use the derived key, which was generat… Continue reading Algorithms when using client side hashing plus server side hashing
I have some passwords hashed with C# using Rfc2898DeriveBytes.Pbkdf2(bytes,src,5000,HashAlgorithmName.SHA1,24) (an older implementation) and would like to port this code to java.
However I don’t seem to get the two hashes to be the same.
… Continue reading Working Rfc2898DeriveBytes.Pbkdf2 in Java [migrated]
Question:
I am working on a password-based file encryption and decryption system in Python using the PBKDF2 key derivation function and Fernet encryption. I have a specific requirement: I want to verify a user’s password without storing th… Continue reading Verification of Password without Storing Hash – Security Considerations
For a web service, I am considering generating random 25-49 recovery codes as a kind of pass that can be stored in a pass manager (no usernames).
Instead of pass(word) hashing on the server, I consider hashing the pass on the client with p… Continue reading Is pass -> [via pbkdf2] -> seed -> ECDSA key pair better than pass(word) hashing?
We (collectively) salt passwords, then hash them; maybe even run them through something like PBKDF2 first (depending on how the password will be used).
The end result is that we have a string p and map it to a fixed-length string p’ using … Continue reading How certain is it that a shorter password can’t match the salted hash of a long one? [migrated]
I have a PCKS#8 RSA Key encrypted with a passphrase and would like to retrieve the iteration count used for the PBKDF2 used to derive the AES Key used for encryption, in order to make sure that they conform to the standard https://www.rfc-… Continue reading OpenSSL get PKCS#8 encrypted rsa PBKDF2 iteration count
I am looking for a technical estimate of how bad the situation is regarding the recent hack of lastpass. The hack was covered by several outlets: Naked Security, Ars Technica.
Lastpass has admitted that a hack took place over its servers a… Continue reading What is the math behind iterations in PBKDF2-SHA256 for lastpass users?