Collaborate Disseminate
Whenever I need to generate a token (email account confirmation, password reset, remember me cookie, view email in browser etc) I generate a string of random bytes (typically 32 using the Fortuna PRNG) and use PBKDF2 to creat… Continue reading Safe to switch from PBKDF2 to SHA-1 for token verification?
I wanted to implement PBKDF2 with SHA1 in python using python3. After implementation, my goal was calculating the time of the process. I used random salt and tried multiple rounds for result. So far so good.
My code:
from p… Continue reading Iteration time confusion about PBKDF2 key derivation with SHA1 hash function
This is regarding a web application where a user has to login with their personal email as the ID, and a password they have chosen personally.
If an attacker somehow gained access to a credential store with a list of all the… Continue reading What could an attacker do if they gained access to PBKDF2 hashes?
I am trying to implement a function, let’s say in Python to compute Pairwise Master Key Identifier (PMKID) after reading the previously discovered bug in WPA2. Googling gave me this logical statement:
PMKID = HMAC-SHA1-128(… Continue reading Implementation of PMKID computing function
I have read bunch of answers and tutorials on how client side cryptography is not a good idea because of many reasons listed mainly in Javascript Cryptography Considered Harmful article. Some facts
The app will be using HTT… Continue reading How to encrypt data in frontend/backend with a key that is not stored anywhere and is only known to owner?
In my application I would like to encrypt user data in such a way that I do not have access to it. To do this I will follow the following steps:
Generate 256-bit key
Encrypt data with key
Derive second key from password (PB… Continue reading Encrypt data using PBKDF2, but still provide password reset feature
In regards to PSK, a salt (the SSID) is used as part of the four-way handshake.
PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)
Would it not be more secure requiring users input a second “password”, which would act … Continue reading Wi-Fi – Proposal for stronger OpSec with PSK
This is a theoretical question: does this make sense and is secure?
My goal is to strengthen the passphrase. The flow is the following:
I enter a pssphrase admin1234. This passphrase is going to be used to derive a key for… Continue reading Automatic choice of the hash function for key derivation
I found this presentation how Facebook stores customer passwords and how they do authentication.
This slide shows how they hash passwords:
Is it a good idea to do such operations with a raw password? Isn’t it “security-by-obscurity”? D… Continue reading How Facebook hashes passwords
I have implemented PBKDF2 authentication for some web services.
The client is given the following information, so they can duplicate the PBKDF2 function:
the hashing algorithm (SHA256)
a password that is 30 bytes long
the … Continue reading Web Service Authentication Using PBKDF2 and a Public Salt – Does the salt need to change on every request?