Open alexgoldstone opened 6 years ago
Absolutely! I'll try and post this in the next few days, feel free to nag me if I forget 😄
Hi Linus. I've resurrected my project and was re-reading your README which suggests using PBKDF2.
Just therefore wanted to drop you a friendly reminder that you were going to share an example implementation for this.
Thanks.
You can see how I'm using it here:
and here:
Basically it boils down to something like:
const pbkdf2 = require('@ctrlpanel/pbkdf2')
const encodeUtf8 = require('encode-utf8')
const PBKDF2_HASH = 'SHA-512'
const PBKDF2_ITERATIONS = 500000
const PBKDF2_KEYLEN = 32
// ...
async function (username, password) {
// get `salt` from server
const salt = '...'
// generate hash
const privateKey = arrayBufferToHex(await pbkdf2(encodeUtf8(`${username}:${password}`), salt, PBKDF2_ITERATIONS, PBKDF2_KEYLEN, PBKDF2_HASH))
// use hash with SRP
const verifier = srp.deriveVerifier(privateKey)
}
I would love for this to be improved and added to the readme!
I made a PR to add this to the README:
@dobesv @LinusU I used another pbkdf2 hashing using fash-sha256, and I have the output as a Uint8Array.
What am I supposed to convert this into?
an arrayBuffer then to Hex?
coz on trying to login, I am seeing
RangeError: Expected string to be an even number of characters
at hexToArrayBuffer (index.js:7)
at sha256.js:25
at Array.map (<anonymous>)
at sha256 (sha256.js:23)
at Object.push.../../node_modules/secure-remote-password/client.js.exports.deriveSession (client.js:96)
at deriveClientSession (deriveClientSession.js:5)
at _callee6$ (actions.js:264)
at tryCatch (runtime.js:62)
at Generator.invoke [as _invoke] (runtime.js:288)
at Generator.prototype.<computed> [as next] (runtime.js:114)
at asyncGeneratorStep (asyncToGenerator.js:5)
at _next (asyncToGenerator.js:27)
also I have to use the same pbkdf2 while deriving the privateKey in step 3 right?
Yeah any time you are making a private key from a password input and salt, use the same algorithm.
@dobesv The key should be in hex
format to the verifier derive and client session derive functions right?
You can try converting it to hex. Experiment, look at the source code, you can figure it out.
I converted it to a hex.
after using the pbkdf2 derivation, sometimes, the user is successfully logged in, sometimes it throws this error
RangeError: Expected string to be an even number of characters
at hexToArrayBuffer (index.js:7)
at sha256.js:25
at Array.map (<anonymous>)
at sha256 (sha256.js:23)
at Object.push.../../node_modules/secure-remote-password/client.js.exports.deriveSession (client.js:96)
at deriveClientSession (deriveClientSession.js:5)
at _callee6$ (actions.js:264)
at tryCatch (runtime.js:62)
at Generator.invoke [as _invoke] (runtime.js:288)
at Generator.prototype.<computed> [as next] (runtime.js:114)
at asyncGeneratorStep (asyncToGenerator.js:5)
at _next (asyncToGenerator.js:27)
Edit: I found this was due to the bogus value sent when user was not found or the verifier/salt was not found in DB
Do you have an example using PBKDF2 that you can share for reference since that is your recommended implementation?