Closed junque1r4 closed 1 year ago
The final element of the salt must be base64 encoded, using the bcrypt base64 alphabet.
On Wed, Apr 5, 2023 at 6:28 PM João Junqueira wrote:
I have been trying to use a custom salt with bcrypt.hashpw() but it always returns an error, stating that the salt is invalid. It seems that the salt generated by bcrypt.gensalt() works fine, but when I try to generate a salt on my own, it fails to work with the hash function. I am not sure why this is happening, but I suspect that the hash function expects a specific format or structure for the salt, which I am not meeting with my own custom salt. I would appreciate any insights on this issue.
My desire is to demonstrate the possibility of attack vectors, but I am unable to do so when I am forced to use a secure method.
My function:
```python
import random


def generate_salt(self, rounds=22):
    # 22 random decimal digits; "rounds" is the length of the salt field here, not the bcrypt cost
    first_phrase = ''.join(str(random.randint(0, 9)) for i in range(rounds))
    # prefix the home-made salt field with the bcrypt version and cost
    second_phase = '$2b$12$' + first_phrase
    # this is the value bcrypt.hashpw() rejects with "Invalid salt" (see the traceback below)
    return second_phase.encode()
```
Error:
```
======================================================================
ERROR: test_1 (__main__.TestTaxPayer)
Traceback (most recent call last):
  File "/Users/joaojunqueira/codes/secure-code-gaming/Level-5/tests.py", line 10, in test_1
    pass_ver = sha256.password_verification("abc", sha256.password_hash("abc", rd.generate_salt()))
  File "/Users/joaojunqueira/codes/secure-code-gaming/Level-5/code.py", line 37, in password_hash
    password_hash = bcrypt.hashpw(password, salt)
  File "/Users/joaojunqueira/Library/Python/3.9/lib/python/site-packages/bcrypt/__init__.py", line 84, in hashpw
    return _bcrypt.hashpass(password, salt)
ValueError: Invalid salt
```
Ran 2 tests in 0.002s
(Issue on GitHub: https://github.com/pyca/bcrypt/issues/531)
-- All that is necessary for evil to succeed is for good people to do nothing.
I tried copying the exact same method, changing only the base64 code generated in _bcrypt.encode_base64 inside gensalt. And the error persists...
Debugging a little more, I saw that the base64 generated by bcrypt is different from all other b64 encode/decode. The bcrypt b64 compared to others:
1 == Bcrypt generated
2 == base64.encode generated
3 == Base64 website generated
Yes, as I stated, "using the bcrypt base64 alphabet". You changed precisely the thing to make it incorrect.
On Wed, Apr 5, 2023 at 10:33 PM João Junqueira wrote:
I tried copying the exact same method, changing only the base64 code generated in _bcrypt.encode_base64 inside gensalt
[image: telegram-cloud-photo-size-1-5003617564353473604-y] https://user-images.githubusercontent.com/39351332/230265434-e2b1592d-2eed-44bc-b6d8-6ff4417763a8.jpg
And the error persists...
[image: telegram-cloud-photo-size-1-5003617564353473603-y] https://user-images.githubusercontent.com/39351332/230264817-92daefeb-3102-4556-8631-465445215762.jpg
[image: telegram-cloud-photo-size-1-5003617564353473601-y] https://user-images.githubusercontent.com/39351332/230262726-e3578d09-9578-4194-a9e7-9fd12ea2bf43.jpg
- A = Clone method generated
- B = bcrypt.gensalt()
Debugging a little more, I saw that the base64 generated by bcrypt is different from all other b64 encode/decode. The bcrypt b64 is different from the others:
[image: image] https://user-images.githubusercontent.com/39351332/230265126-b4ef6f05-a698-4f70-9198-44fa4fc7afc6.png
1 == Bcrypt generated
2 == base64.encode generated
3 == Base64 website generated
(Comment on GitHub: https://github.com/pyca/bcrypt/issues/531#issuecomment-1498444432)
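The salt format the maintainer is pointing at in the two replies above (the `$2<version>$<cost>$` prefix followed by 22 characters from bcrypt's own `./A-Za-z0-9` alphabet), as an added example; this is not code from pyca/bcrypt or from anyone in this thread. It assumes the 22-character field is a canonical encoding of exactly 16 bytes, which is why a strict decoder only accepts `.`, `O`, `e` or `u` as the final character; the function names are mine, and the sample salts below are constructed for the demonstration.

```python
import base64
import os
import re
from typing import Optional

# bcrypt uses its own base64 alphabet (OpenBSD crypt order), not the RFC 4648 one,
# and writes no '=' padding. Bit packing is otherwise identical, so we can reuse
# the standard codec and just translate the alphabet.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_STD_TO_BCRYPT = str.maketrans(STD_ALPHABET, BCRYPT_ALPHABET)
_BCRYPT_TO_STD = str.maketrans(BCRYPT_ALPHABET, STD_ALPHABET)

# $2<version>$<two-digit cost>$<22 chars of the bcrypt alphabet>
SALT_RE = re.compile(r"^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{22})$")


def encode_bcrypt64(raw: bytes) -> str:
    """Encode exactly 16 raw bytes as the 22-character bcrypt salt field."""
    if len(raw) != 16:
        raise ValueError("bcrypt salts are exactly 16 bytes")
    std = base64.b64encode(raw).decode("ascii")  # 24 chars, ending in '=='
    return std.rstrip("=").translate(_STD_TO_BCRYPT)


def decode_bcrypt64(field: str) -> bytes:
    """Decode a 22-character salt field back to 16 bytes, rejecting non-canonical input."""
    if len(field) != 22 or any(c not in BCRYPT_ALPHABET for c in field):
        raise ValueError("salt field must be 22 characters from the bcrypt alphabet")
    # 22 characters carry 132 bits but only 128 are data, so the last character
    # contributes 2 data bits and its low 4 bits must be zero: index 0, 16, 32 or 48.
    if BCRYPT_ALPHABET.index(field[-1]) % 16 != 0:
        raise ValueError(f"final character {field[-1]!r} is not one of '.Oeu'")
    return base64.b64decode(field.translate(_BCRYPT_TO_STD) + "==")


def make_salt(cost: int = 12, raw: Optional[bytes] = None, version: str = "b") -> bytes:
    """Build a salt in the shape bcrypt.hashpw() expects; raw defaults to 16 CSPRNG bytes."""
    if not 4 <= cost <= 31:
        raise ValueError("cost must be between 4 and 31")
    if raw is None:
        raw = os.urandom(16)
    return f"$2{version}${cost:02d}${encode_bcrypt64(raw)}".encode("ascii")


def diagnose_salt(salt: bytes) -> str:
    """Return 'ok', or the first reason a strict bcrypt implementation would reject the salt."""
    text = salt.decode("ascii", errors="replace")
    match = SALT_RE.match(text)
    if match is None:
        return "not of the form $2<v>$<cost>$<22 chars of ./A-Za-z0-9>"
    cost = int(match.group(2))
    if not 4 <= cost <= 31:
        return f"cost {cost} out of range 4..31"
    try:
        decode_bcrypt64(match.group(3))
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    # Constructed samples: a digits-only field like the one in the issue, a field made with
    # the standard base64 alphabet (keeps its '==' padding), and a properly built salt.
    samples = {
        "digits only": b"$2b$12$0123456789012345678901",
        "standard base64": b"$2b$12$" + base64.b64encode(bytes(range(16))),
        "bcrypt alphabet": make_salt(12),
    }
    for name, salt in samples.items():
        print(f"{name:16} {salt!r:40} -> {diagnose_salt(salt)}")
```

The digits-only field is rejected not because digits are outside the alphabet (they are in it) but because no digit can be the final character of a canonical 16-byte encoding; the standard-base64 field fails earlier, on length and the `=` padding. Real salts should always come from `bcrypt.gensalt()` or, as here, from `os.urandom(16)`.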
Is there a way to use the bcrypt base64 alphabet? I need to create my "own salt" so I can simulate vulnerabilities... Thanks and regards! 😊
There's no public API for that, no. This library exists to enable people to use modern(-ish) password hashing, not as a research tool.
On Wed, Apr 5, 2023 at 11:19 PM João Junqueira wrote:
Is there a way to use the bcrypt base64 alphabet? I need to create my "own salt" so I can simulate vulnerabilities... Thanks and regards! 😊
Respectfully, I suggest considering the possibility of publishing the generation of Bcrypt's own B64 as a viable option. This change would be relatively simple, no? I created a simple function inside Bcrypt and everything works normally, but that wouldn't be a viable option for everyone, so having easy access to this would be great!
As I said, it's for educational purposes! Here is the related issue if you want to see it: https://github.com/skills/secure-code-game/issues/18
There's no public API for this, and we have no interest in adding one, because it doesn't contribute to the purpose of this library: providing modern(-ish) password hashing. While educational purposes are laudable, we have no interest in adding extra API surface for it.