SHIRO-290

Create a BCrypt Hash implementation

    Details

    • Type: New Feature
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 1.3.0
    • Component/s: Cryptography & Hashing
    • Labels:
      None

      Description

      Enable BCrypt hashing for those that wish to use it. The following code can probably be modified and included (it is a BSD license):

      http://www.mindrot.org/projects/jBCrypt/

        Activity

        Les Hazlewood added a comment -

        Terry Chia Not yet - haven't had the time to look into this, but I'm pretty sure this will be in the next release (either 1.3 or 2.0 - we haven't decided yet).

        Terry Chia added a comment -

        Hi Les, any updates on this?

        Terry Chia added a comment -

        I wrote a small patch to add Bcrypt support via a new class that extends PasswordService. The patch is prepared using git format-patch as per https://www.apache.org/dev/git.html so I'm not sure if it's in an acceptable format.

        Terry Chia added a comment -

        I have looked closer at jBCrypt and the unit test included in the source code. [1]

        The unit test asserts the hashing functions against well-known test vectors for Bcrypt which are being used to validate other known implementations of the algorithm, including Bcrypt.NET [2] and py-bcrypt [3]. This gives me confidence that jBCrypt has been implemented correctly, especially since py-bcrypt is just a python wrapper around the original OpenBSD code.

        If you are agreeable with this, I will take a closer look at your recommendations of writing a PasswordService implementation that delegates to jBCrypt.

        [1] https://github.com/jeremyh/jBCrypt/blob/master/src/test/java/org/mindrot/TestBCrypt.java
        [2] https://bitbucket.org/vadim/bcrypt.net/src/464c41416dc9/BCrypt.Net.Test/TestBCrypt.cs
        [3] https://code.google.com/p/py-bcrypt/source/browse/test/test.py

        Les Hazlewood added a comment -

        Thanks for the blog link! That was helpful.

        I think an even better approach might be to use Shiro's out of the box PasswordMatcher which delegates to a PasswordService (http://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html). Then you can have a PasswordService implementation that delegates to jBcrypt.

        The benefit of this approach is that you can use the PasswordService for both the PasswordMatcher's needs as well as your application's needs when setting/resetting a password.

        Terry Chia added a comment -

        I could perform some tests to verify the outputs of jBCrypt against other implementations some time this weekend.

        I described the approach I'm using in my blog post here: http://www.infosecstudent.com/2013/07/strong-password-hashing-with-shiro-bcrypt-to-the-rescue/

        It's a dirty hack but it gets the job done. If the results of my tests are acceptable and you are fine with the approach, I could clean up the code a little and remove the toString() and getCredentials() functions I hacked out of Shiro and submit a patch.

        Les Hazlewood added a comment -

        As an approach, that'd be fine. But I'm not so sure about jBcrypt itself: when I looked into its algorithm almost a year ago, it did not appear to implement the Eksblowfish algorithm correctly (Section 4 in this paper written by the BCrypt authors: https://www.usenix.org/legacy/event/usenix99/provos/provos.pdf).

        One test might be to perform a BCrypt hash on unix and then, using the same password, attempt the BCrypt hash via jBcrypt - if the two results are identical, jBcrypt is probably fine, but I'd want to test the algorithm myself.

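        The two suggestions above, a PasswordService implementation that delegates to jBCrypt (so PasswordMatcher and the application's own set/reset-password code share it) and the cross-implementation check of re-deriving a hash produced elsewhere from its embedded salt and cost, as one added example. This is not code from Shiro, jBCrypt or any commenter; the class name, package, cost value and the assumed jBCrypt package name are assumptions.

```java
package org.example.shiro.bcrypt; // hypothetical package

import org.apache.shiro.authc.credential.PasswordService;
// jBCrypt's package differs between releases (org.mindrot vs org.mindrot.jbcrypt);
// adjust the import to the version on the classpath. Assumed here: org.mindrot.jbcrypt.
import org.mindrot.jbcrypt.BCrypt;

/**
 * Hypothetical PasswordService delegating to jBCrypt. Wire it into Shiro's
 * PasswordMatcher, e.g. in shiro.ini:
 *   passwordService = org.example.shiro.bcrypt.BCryptPasswordService
 *   passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
 *   passwordMatcher.passwordService = $passwordService
 *   myRealm.credentialsMatcher = $passwordMatcher
 */
public class BCryptPasswordService implements PasswordService {

    private final int logRounds; // bcrypt cost factor (work = 2^logRounds)

    public BCryptPasswordService() { this(12); } // assumed default cost
    public BCryptPasswordService(int logRounds) {
        if (logRounds < 4 || logRounds > 31) throw new IllegalArgumentException("cost must be 4..31");
        this.logRounds = logRounds;
    }

    @Override
    public String encryptPassword(Object plaintext) {
        // gensalt() draws a fresh random salt; cost and salt are embedded in the result.
        return BCrypt.hashpw(toStr(plaintext), BCrypt.gensalt(logRounds));
    }

    @Override
    public boolean passwordsMatch(Object submitted, String stored) {
        if (stored == null) return false;
        try {
            // checkpw re-hashes with the stored salt and cost, then compares.
            return BCrypt.checkpw(toStr(submitted), stored);
        } catch (IllegalArgumentException malformedHash) {
            return false; // a corrupt or non-bcrypt stored value never authenticates
        }
    }

    /** Interop check: reproduce a hash made by another bcrypt implementation from its own salt. */
    public static boolean reproduces(String plaintext, String externalHash) {
        return BCrypt.hashpw(plaintext, externalHash).equals(externalHash);
    }

    private static String toStr(Object pw) {
        if (pw instanceof char[]) return new String((char[]) pw);
        if (pw instanceof String) return (String) pw;
        throw new IllegalArgumentException("unsupported password type: " + pw.getClass());
    }
}
```

        Feeding reproduces() a hash generated on an OpenBSD/unix box with the same password is the comparison described in the comment above: a match means jBCrypt derived the identical Eksblowfish key schedule for that salt and cost.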
        Terry Chia added a comment -

        Is extending the CredentialsMatcher class to use jBcrypt for the hashing and verification an acceptable alternative?

        Les Hazlewood added a comment -

        Re-opening. While Shiro's hash algorithms effectively accomplish the same thing, it would be convenient from a standards/interoperability perspective to have BCrypt as an option.

        Les Hazlewood added a comment -

        Closing with the 1.2.0 release.

        Les Hazlewood added a comment -

        Per: http://mail-archives.apache.org/mod_mbox/shiro-dev/201106.mbox/%3CBANLkTi=90YCdVHGFZeStu+uvao+EsNe=7Q@mail.gmail.com%3E

          People

          • Assignee: Les Hazlewood
          • Reporter: Les Hazlewood
          • Votes: 4
          • Watchers: 5