tailorlala / guava-libraries

Automatically exported from code.google.com/p/guava-libraries
Apache License 2.0

Hashing support for bcrypt #1849

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Please support bcrypt in com.google.common.hash.Hashing

http://en.wikipedia.org/wiki/Bcrypt

"A Future-Adaptable Password Scheme" by Niels Provos and David Mazieres 
(USENIX, 1999)
http://www.openbsd.org/papers/bcrypt-paper.ps

Original issue reported on code.google.com by sebastia...@gmail.com on 17 Sep 2014 at 12:34

GoogleCodeExporter commented 9 years ago
No one should be using bcrypt for hash tables, which is what Hashing is for.

Original comment by tavianator@gmail.com on 24 Sep 2014 at 6:27

GoogleCodeExporter commented 9 years ago
Hashing is not only (or even primarily) for hash tables: 
https://code.google.com/p/guava-libraries/wiki/HashingExplained

Original comment by cgdecker@google.com on 24 Sep 2014 at 6:39

GoogleCodeExporter commented 9 years ago
Bcrypt is one of the three good password hashing schemes -- md5() or sha256() 
are outdated and insecure.

https://password-hashing.net

http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage

http://codahale.com/how-to-safely-store-a-password/

Original comment by sebastia...@gmail.com on 24 Sep 2014 at 7:03

GoogleCodeExporter commented 9 years ago
> sha256() are outdated and insecure.

That's pure nonsense. SHA-256 is still rather modern (SHA-3 is out, but it'll 
take years) and secure HASH FUNCTION.

bcrypt is NO hash function, it's a key derivation function. Using hash 
functions as a KDF is insecure, no matter how good the function.

A KDF is no com.google.common.hash.HashFunction as it always needs a salt. This 
can be an additional input[1] or generated randomly[2]. Fitting it to the 
interface by fixing an argument would be a very stupid idea. Allowing a hash 
function to behave randomly would be no smarter.

I'm not saying that it doesn't belong to Guava, I'm just saying that it doesn't 
belong to the hash package. No HF is a KDF and vice versa.

[1]: http://docs.spring.io/autorepo/docs/spring-security/3.1.7.RELEASE/apidocs/org/springframework/security/crypto/bcrypt/BCrypt.html
[2]: https://github.com/wg/scrypt/blob/master/src/main/java/com/lambdaworks/crypto/SCrypt.java

Original comment by Maaarti...@gmail.com on 25 Sep 2014 at 12:55
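The comment above draws the line between a hash function (deterministic, unsalted, fits the HashFunction interface) and a password KDF (needs a salt, supplied either as an extra input or generated randomly). The following is an added illustration of that distinction, not code from this thread, from Guava, or from the Spring or scrypt libraries linked above. It uses the Python standard library, so PBKDF2-HMAC-SHA256 stands in for bcrypt; the iteration count, salt length and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for the example; the iteration count is an assumption.
ITERATIONS = 200_000
SALT_BYTES = 16


def plain_hash(data: bytes) -> str:
    """A hash function in the Hashing sense: same input, same output, no salt,
    no work factor. Fine for checksums and hash tables, wrong for passwords."""
    return hashlib.sha256(data).hexdigest()


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """KDF with the salt as an explicit extra input (style [1] in the comment).

    PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships with the standard
    library; the shape of the API (password, salt, cost) is the point.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str) -> str:
    """KDF that generates its own random salt (style [2]) and returns a
    self-describing record: algorithm, iterations, salt and key, hex-encoded.
    Two calls with the same password yield two different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = derive_key(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the salt and cost stored in the record and compare in
    constant time, so the check does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = derive_key(password, salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Same input, same output: the contract a HashFunction must keep.
    print(plain_hash(b"password") == plain_hash(b"password"))
    # Same password, different salt each time: the contract a password KDF must keep.
    record_a = hash_password("correct horse")
    record_b = hash_password("correct horse")
    print(record_a != record_b, verify_password("correct horse", record_a))
```

The random salt is why a KDF cannot be squeezed into HashFunction: the stored record has to carry the salt (and the cost) alongside the key, and verification re-runs the derivation with those stored parameters rather than comparing two independent hashes.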

GoogleCodeExporter commented 9 years ago
This issue has been migrated to GitHub.

It can be found at https://github.com/google/guava/issues/<issue id>

Original comment by cgdecker@google.com on 1 Nov 2014 at 4:08

GoogleCodeExporter commented 9 years ago

Original comment by cgdecker@google.com on 1 Nov 2014 at 4:17

GoogleCodeExporter commented 9 years ago

Original comment by cgdecker@google.com on 3 Nov 2014 at 9:07