Closed OlafvdSpek closed 6 years ago
Thanks @OlafvdSpek.
I was looking into this last week. There was a Stack Overflow question asking about bcrypt in OpenSSL. Let me think about it a little more.
What does cryptopp recommend for password hashing?
@OlafvdSpek,
> What does cryptopp recommend for password hashing?
It depends on your requirements. You might want to take a look at John Steven's Password Storage Cheat Sheet. It enumerates threats to passwords, and recommends security controls to contain the threats.
Another good reference is Peter Gutmann's Engineering Security. You should familiarize yourself with chapter seven, Passwords. After reading the chapter, you may find you don't want them or need them.
Stepping back a bit, I try to avoid passwords altogether and use client certificates for authentication. The password is still used, but it's used locally to unlock the private key. The traditional "password reset" workflows generally become an "upload new identity" (new certificate or public key).
As far as algorithms, I generally use HKDF as an extractor and SHA256/SHA512 as the hash when handling them. Iteration counts can be tricky depending on how you use them and where they are calculated.
The interop request is still on the table. I tested some code that provides Bcrypt, but it was a bad cut-in because the fit was not quite right. The fit was off because of the way the keying occurs.
I still want to provide a wiki example of how to do it so folks can mostly copy/paste code.
Thanks for the tip! My use case is the 'traditional' web app / site. I'd love to avoid passwords but I don't think I can. So let's assume passwords..
Would it make sense for cryptopp to provide functions like password_hash / password_verify? If interop with PHP wasn't an issue another algorithm wouldn't be a problem.
> My use case is the 'traditional' web app / site. I'd love to avoid passwords but I don't think I can.
You probably don't need them.
Check out Self Authenticating URLs in Gutmann's Engineering Security. Python uses them to authenticate packages. The idea is a user clicks Login, and you email them a link to authenticate. If the user follows the link, then they get their authentication token and can use the web services. The email link lasts for 5 minutes or so. If the user does not follow the link, then it expires on the server.
The Self Authenticating URLs avoid three problems. First, it avoids storing passwords on the server. Second, it avoids putting passwords (or their representations) on the wire. Third, it also avoids asking a user to enter a strong password on a mobile device with a soft-input panel (SIP) or virtual keyboard (VK). Those SIPs and VKs are responsible for users selecting weaker passwords because it's too much work to access all the available keys.
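The e-mailed login link described in the comment above, sketched as an added example that is not part of the original thread and is not Crypto++ code. The endpoint URL, the class and its method names are hypothetical, and an in-memory dict stands in for the server's database; the server keeps only a SHA-256 digest of each token, so a leaked table does not yield usable links.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 5 * 60  # the "5 minutes or so" from the comment
BASE_URL = "https://app.example/login/confirm"  # hypothetical endpoint


class LoginLinkStore:
    """Server-side table of pending login links (in memory for the example)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create the one-time link that is e-mailed to the user."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + LINK_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return f"{BASE_URL}?token={token}"

    def redeem(self, token):
        """Return the address the link was issued for, or None if invalid."""
        # pop() makes the link single-use, even when it turns out to be expired
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email  # caller now creates the session / authentication token

    def purge_expired(self):
        """Drop links nobody followed; returns how many were removed."""
        now = self._clock()
        stale = [d for d, (_, exp) in self._pending.items() if now > exp]
        for d in stale:
            del self._pending[d]
        return len(stale)
```
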
I've implemented login via email links already (elsewhere)..
Though it does depend on email transmission being secure doesn't it?
> Let me think about it a little more.
Any thoughts?
@OlafvdSpek,
I checked in where I am at with Bcrypt. Also see the Bcrypt test branch.
I believe the code is broken at the moment. I can't find a reference implementation from the OpenBSD folks and their source files don't compile stand-alone. The Crypto++ code is also missing test vectors because I can't find the OpenBSD ones and lack a reference implementation.
The code is out there in case someone else wants to take it further. I'm inclined to drop Bcrypt due to the engineering problems but there seems to be interest in it. I do not want to be a bottleneck so the code is available on a testing branch.
Also, it is not clear to me if PHP aligns with OpenBSD.
PHP added support for Argon2 in 7.2.0 - December 2017. I don't think it makes sense anymore to spend time on bcrypt.
PHP defaults to bcrypt for password hashing: http://php.net/password_hash Could bcrypt be supported by crypto++ as well to allow interoperability?