samadhiweb

smalltalk programming for the web



« Previous  |  Next »

SHA256/512 Password Hashing for Pharo

17 November 2013

Recently, Adobe was hacked, resulting in, among other breakages, the loss of 130 million passwords. It was revealed that the passwords were encrypted using ECB, electronic cookbook mode, which is a rather poor way of securing passwords.

The MacRumors forum site was also hacked recently. The site runs the vBulletin forumware, which protects passwords using md5crypt.

md5crypt is a password hashing scheme devised by Poul-Henning Kamp in 1995. The hashed password takes the format $1$<salt>$<password-hash>. The hash is designed to be expensive to compute, to slow down attacks. In 2012, Poul-Henning announced that md5crypt was no longer considered safe, in view of advances in computing power.

sha-crypt, from Ulrich Depper, is a public domain implementation of SHA-256/512-based password hashing, which works similarly to md5crypt, using SHA-256/512 and allowing an arbitrary number of rounds through the hashing algorithm.

The following commands build and run sha(256|512)crypt.c as self-test programs:

$ cc -DTEST -std=c99 -m32 sha256crypt.c
$ ./a.out
all tests OK
$ cc -DTEST -std=c99 -m32 sha512crypt.c
$ ./a.out
all tests OK

Next, build shared library:

$ cc -std=c99 -m32 -fPIC -c sha256crypt.c
$ cc -std=c99 -m32 -fPIC -c sha512crypt.c
linux$ cc -m32 -shared -o libshacrypt.so *.o
osx$ cc -m32 -shared -o libshacrypt.dylib *.o

Move the .so or .dylib file to where your plugins are.

PCPasswordCrypt is a Smalltalk interface to libshacrypt using NativeBoost. It is very simple to use:

PCPasswordCrypt sha256Crypt: 'Hello world!' withSalt: 'saltstring'.
'$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5'

Tested on OSX (Mountain Lion) and Linux (Mint 14). The C programs work on FreeBSD, but my self-built FreeBSD Cog VM doesn't have NativeBoost.

The C programs are found here. Once I figure out how, I'll put them on GitHub. PCPasswordCrypt is published on SqueakSource3.

Blog comments powered by Disqus