is scrypt available?


is scrypt available?

wkitty42

i've found scrypt for delphi but desire to use it cross-platform and don't know
enough about removing stuff for windows... is there an scrypt available for FPC
or lazarus that is easily implemented and used?


--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

Re: is scrypt available?

Michael Van Canneyt


On Mon, 26 Oct 2015, [hidden email] wrote:

>
> i've found scrypt for delphi but desire to use it cross-platform and don't
> know enough about removing stuff for windows... is there an scrypt available
> for FPC or lazarus that is easily implemented and used?

Did you try dcrypt, I think it works with FPC ?
Also, there is a hmac unit in fpc, as well as a sha1 unit.
It should work cross-platform, but there is an optimized version for i386.

Michael.

Re: is scrypt available?

Mark Morgan Lloyd-5
Michael Van Canneyt wrote:

> On Mon, 26 Oct 2015, [hidden email] wrote:
>
>>
>> i've found scrypt for delphi but desire to use it cross-platform and
>> don't know enough about removing stuff for windows... is there an
>> scrypt available for FPC or lazarus that is easily implemented and used?
>
> Did you try dcrypt, I think it works with FPC ? Also, there is a hmac
> unit in fpc, as well as a sha1 unit. It should work cross-platform, but
> there is an optimized version for i386.

Depends on whether he's specifically looking for Scrypt or just
something to do the job. I've used (parts of) DCPcrypt with Lazarus.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]

Re: is scrypt available?

wkitty42
In reply to this post by Michael Van Canneyt
On 10/26/2015 03:29 PM, Michael Van Canneyt wrote:

>
>
> On Mon, 26 Oct 2015, [hidden email] wrote:
>
>>
>> i've found scrypt for delphi but desire to use it cross-platform and don't
>> know enough about removing stuff for windows... is there an scrypt available
>> for FPC or lazarus that is easily implemented and used?
>
> Did you try dcrypt, I think it works with FPC ? Also, there is a hmac unit in
> fpc, as well as a sha1 unit. It should work cross-platform, but there is an
> optimized version for i386.

no, i haven't heard of dcrypt... i'm specifically after scrypt for securing
passwords in a database... i don't know if dcrypt is using a different method
than scrypt or if that's just the name of the code...


Re: is scrypt available?

Michael Van Canneyt


On Mon, 26 Oct 2015, [hidden email] wrote:

> On 10/26/2015 03:29 PM, Michael Van Canneyt wrote:
>>
>>
>> On Mon, 26 Oct 2015, [hidden email] wrote:
>>
>>>
>>> i've found scrypt for delphi but desire to use it cross-platform and don't
>>> know enough about removing stuff for windows... is there an scrypt
>>> available
>>> for FPC or lazarus that is easily implemented and used?
>>
>> Did you try dcrypt, I think it works with FPC ? Also, there is a hmac unit
>> in
>> fpc, as well as a sha1 unit. It should work cross-platform, but there is an
>> optimized version for i386.
>
> no, i haven't heard of dcrypt... i'm specifically after scrypt for securing
> passwords in a database... i don't know if dcrypt is using a different method
> than scrypt or if that's just the name of the code...

It is of course DCPCrypt:
http://wiki.freepascal.org/DCPcrypt

As for the exact algorithm: there are many algorithms available, you can choose any one, really.

Unless you're writing military grade or intelligence agency applications,
I don't think it really matters which one you use...

Michael.

Re: is scrypt available?

David W Noon-2
In reply to this post by wkitty42

On Mon, 26 Oct 2015 16:54:16 -0400, Wkitty42 ([hidden email])
wrote about "Re: [fpc-pascal] is scrypt available?" (in
<[hidden email]>):

[snip]
> no, i haven't heard of dcrypt... i'm specifically after scrypt for
> securing passwords in a database...

So what you are really after is a hash, rather than streaming or block
cryptography.

I use PostgreSQL, which offers MD5 hashing of passwords as a built-in,
without me adding any of my own (or anybody else's) code to perform
hashing.

HTH
- --
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
[hidden email] (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


Re: is scrypt available?

wkitty42
In reply to this post by Michael Van Canneyt
On 10/26/2015 05:09 PM, Michael Van Canneyt wrote:

> On Mon, 26 Oct 2015, [hidden email] wrote:
>> On 10/26/2015 03:29 PM, Michael Van Canneyt wrote:
>>> On Mon, 26 Oct 2015, [hidden email] wrote:
>>>> i've found scrypt for delphi but desire to use it cross-platform and don't
>>>> know enough about removing stuff for windows... is there an scrypt available
>>>> for FPC or lazarus that is easily implemented and used?
>>>
>>> Did you try dcrypt, I think it works with FPC ? Also, there is a hmac unit in
>>> fpc, as well as a sha1 unit. It should work cross-platform, but there is an
>>> optimized version for i386.
>>
>> no, i haven't heard of dcrypt... i'm specifically after scrypt for securing
>> passwords in a database... i don't know if dcrypt is using a different method
>> than scrypt or if that's just the name of the code...
>
> It is of course DCPCrypt:
> http://wiki.freepascal.org/DCPcrypt

ahh! that makes a difference ;)

> As for the exact algorithm: there are many algorithms available, you can choose
> any one, really.

i'll take a look... one thing that might be problematic is if it relies on
additional units... the use case in question uses all custom written units and
nothing much from the FCL or similar...

> Unless you're writing military grade or intelligence agency applications, I
> don't think it really matters which one you use...

that's true ;)


Re: is scrypt available?

wkitty42
In reply to this post by David W Noon-2
On 10/26/2015 06:28 PM, David W Noon wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 26 Oct 2015 16:54:16 -0400, Wkitty42 ([hidden email])
> wrote about "Re: [fpc-pascal] is scrypt available?" (in
> <[hidden email]>):
>
> [snip]
>> no, i haven't heard of dcrypt... i'm specifically after scrypt for
>> securing passwords in a database...
>
> So what you are really after is a hash, rather than streaming or block
> cryptography.

pretty much, yes...

> I use PostgreSQL, which offers MD5 hashing of passwords as a built-in,
> without me adding any of my own (or anybody else's) code to perform
> hashing.

sadly MD5 has been being cracked in little time for over a decade... that's why
we're looking at other means... bcrypt came up first in the searches and then
scrypt was pointed out along with bcrypt's failings... the question now is being
able/willing to use someone else's code or to reinvent the wheel... if it were
me, i'd use the other code if its license fits the app in question...

> HTH

it does... it is always good to hear from you, too :)


Re: is scrypt available?

wkitty42
In reply to this post by Michael Van Canneyt
On 10/26/2015 05:09 PM, Michael Van Canneyt wrote:

> On Mon, 26 Oct 2015, [hidden email] wrote:
>> On 10/26/2015 03:29 PM, Michael Van Canneyt wrote:
>>> On Mon, 26 Oct 2015, [hidden email] wrote:
>>>> i've found scrypt for delphi but desire to use it cross-platform and don't
>>>> know enough about removing stuff for windows... is there an scrypt available
>>>> for FPC or lazarus that is easily implemented and used?
>>>
>>> Did you try dcrypt, I think it works with FPC ? Also, there is a hmac unit in
>>> fpc, as well as a sha1 unit. It should work cross-platform, but there is an
>>> optimized version for i386.
>>
>> no, i haven't heard of dcrypt... i'm specifically after scrypt for securing
>> passwords in a database... i don't know if dcrypt is using a different method
>> than scrypt or if that's just the name of the code...
>
> It is of course DCPCrypt:
> http://wiki.freepascal.org/DCPcrypt

how do you use it without lazarus being anywhere around? the wiki only talks
about how to install lpk files and how to pull from a git repo...

sorry if this is very basic... the information available leaves much to be
desired :(


Re: is scrypt available?

Graeme Geldenhuys-6
In reply to this post by wkitty42
On 2015-10-27 01:59, [hidden email] wrote:
> i'll take a look... one thing that might be problematic is if it relies on
> additional units...

not sure what you mean by that. DCPcrypt is a project that consists of a
few units. It can be used in Console or GUI (eg: LCL or fpGUI)
applications. I've used it for both Console and GUI for many years.


Regards,
  - Graeme -

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp

Re: is scrypt available?

Graeme Geldenhuys-6
In reply to this post by wkitty42
On 2015-10-27 02:02, [hidden email] wrote:
> use someone else's code or to reinvent the wheel...

When it comes to security the first rule of thumb applies... Never
reinvent the wheel! It takes years for security related code to be well
tested and vetted.

Regards,
  - Graeme -


Re: is scrypt available?

Graeme Geldenhuys-6
In reply to this post by wkitty42
On 2015-10-27 02:09, [hidden email] wrote:
> the wiki only talks
> about how to install lpk files and how to pull from a git repo...

No it doesn't. Please read the wiki again. There are two packages:

"dcpcrypt.lpk" which is a run-time only package, and doesn't require
  any installation.

"dcpcrypt_laz.plk" which is a design-time only package - this is what
  is installed in Lazarus so icons appear in the component palette of
  the IDE. This is 100% optional.

The first package just makes it easier for you to associate DCPcrypt
with your project, and for Lazarus to find the units. But you don't need
to use Lazarus or Lazarus Packages. If you don't, then simply include
the units you need in your project, set up the Unit Paths to find
DCPcrypt and instantiate the classes you need.

Regards,
  - Graeme -


Re: is scrypt available?

wkitty42
In reply to this post by Graeme Geldenhuys-6
On 10/27/2015 06:14 AM, Graeme Geldenhuys wrote:
> On 2015-10-27 01:59, [hidden email] wrote:
>> i'll take a look... one thing that might be problematic is if it relies on
>> additional units...
>
> not sure what you mean by that.

the project in question uses very few outside developed libraries or units... we
don't want to drag in a whole lot of stuff that's not needed or used by the rest
of the project... it is one reason why some existing procedures are reinvented
instead of using them from the FCL or similar...

> DCPcrypt is a project that consists of a few units. It can be used in Console
> or GUI (eg: LCL or fpGUI) applications. I've used it for both Console and GUI
> for many years.

ok... one thing that confused me when looking at the wiki is it pointing out the
lpk files and the repo but not much of anything else... the screen shot is ok
for how it looks in the lazarus gui but aside from that, there's not much else
describing the capabilities available or giving examples...

i'll probably take a closer look at it soonish... it depends on other factors at
hand, though...


Re: is scrypt available?

wkitty42
In reply to this post by Graeme Geldenhuys-6
On 10/27/2015 06:19 AM, Graeme Geldenhuys wrote:
> On 2015-10-27 02:02, [hidden email] wrote:
>> use someone else's code or to reinvent the wheel...
>
> When it comes to security the first rule of thumb applies... Never reinvent
> the wheel! It takes years for security related code to be well tested and
> vetted.

very true... which is why things are looked at very closely to see if they are
going to drag in a bunch of other unwanted stuff... in some cases, it is
possible to recreate those other needed routines but not always ;)


Re: is scrypt available?

David W Noon-2
In reply to this post by wkitty42

On Mon, 26 Oct 2015 22:02:23 -0400, Wkitty42 ([hidden email])
wrote about "Re: [fpc-pascal] is scrypt available?" (in
<[hidden email]>):

> On 10/26/2015 06:28 PM, David W Noon wrote:
[snip]
>> I use PostgreSQL, which offers MD5 hashing of passwords as a
>> built-in, without me adding any of my own (or anybody else's)
>> code to perform hashing.
>
> sadly MD5 has been being cracked in little time for over a
> decade... that's why we're looking at other means...

Well, we can start here:

<https://en.wikipedia.org/wiki/Secure_Hash_Algorithm>

I also own a couple of books by Bruce Schneier, the doyen of cryptography.

More recently, there is RFC 6234. This was published in 2011 and its
hashes are considered secure at the moment.

<https://tools.ietf.org/html/rfc6234>

> bcrypt came up first in the searches and then scrypt was pointed
> out along with bcrypt's failings... the question now is being
> able/willing to use someone else's code or to reinvent the wheel...
> if it were me, i'd use the other code if its license fits the app
> in question...

I could code up almost any of these algorithms you want. I have
reference implementations under Linux to test the validity of my code.
I would make any such code available under the Berkeley License (or
GPL v3). Indeed, I would make the source code available to all FPC
users if there is interest in hashing here.
- --
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
[hidden email] (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


Re: is scrypt available?

Michael Van Canneyt


On Tue, 27 Oct 2015, David W Noon wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 26 Oct 2015 22:02:23 -0400, Wkitty42 ([hidden email])
> wrote about "Re: [fpc-pascal] is scrypt available?" (in
> <[hidden email]>):
>
>> On 10/26/2015 06:28 PM, David W Noon wrote:
> [snip]
>>> I use PostgreSQL, which offers MD5 hashing of passwords as a
>>> built-in, without me adding any of my own (or anybody else's)
>>> code to perform hashing.
>>
>> sadly MD5 has been being cracked in little time for over a
>> decade... that's why we're looking at other means...
>
> Well, we can start here:
>
> <https://en.wikipedia.org/wiki/Secure_Hash_Algorithm>
>
> I also own a couple of books by Bruce Schneier, the doyen of cryptography.
>
> More recently, there is RFC 6234. This was published in 2011 and its
> hashes are considered secure at the moment.
>
> <https://tools.ietf.org/html/rfc6234>
>
>> bcrypt came up first in the searches and then scrypt was pointed
>> out along with bcrypt's failings... the question now is being
>> able/willing to use someone else's code or to reinvent the wheel...
>> if it were me, i'd use the other code if its license fits the app
>> in question...
>
> I could code up almost any of these algorithms you want. I have
> reference implementations under Linux to test the validity of my code.
> I would make any such code available under the Berkeley License (or
> GPL v3). Indeed, I would make the source code available to all FPC
> users if there is interest in hashing here.

There always is, I think.

From my point of view: when coding internet-connected applications,
you often meet all kinds of hashing algorithms.

Michael.

Re: is scrypt available?

Graeme Geldenhuys-6
In reply to this post by wkitty42
On 2015-10-27 14:14, [hidden email] wrote:
>
> the project in question uses very few outside developed libraries or units... we
> don't want to drag in a whole lot of stuff that's not needed or used by the rest

The reason there are many units is because it is well refactored. Each
unit represents a new Hash or Cipher implementation. So if you only want
one (out of the many options), it will probably only pull in 2, maybe 3
units.


> ok... one thing that confused me when looking at the wiki is it pointing out the
> lpk files and the repo but not much of anything else...

The wiki contains many Lazarus related things.... lpk is a Lazarus
feature - ie: Lazarus Packages. The DCPCrypt project supplies a Lazarus
Package for easy integration, but it is NOT required. I never use lpk's
any more in any of my projects.

> the screen shot is ok

I guess the problem with that is that there is nothing else to take a
screenshot of - what does a screenshot of Hashes or Ciphers look like?
;-) So to brighten up the wiki page, a screenshot of the Component
Palette icons was chosen.


> there's not much else
> describing the capabilities available or giving examples...

If you looked at the actual "Ciphers" and "Hashes" directories, those
units are pretty self explanatory. eg: Blowfish, TwoFish, Mars, ICE,
IDEA etc can be seen in the unit names.

The wiki also gives an example (pure code) if you look in the Bug
section of the wiki page. As for the bug, that is a corner case, and I
haven't tested or researched it much. But I doubt it would affect many
people, so don't judge the whole DCPCrypt project based on that alone.


Regards,
  - Graeme -


Re: is scrypt available?

wkitty42
On 10/28/2015 03:48 PM, Graeme Geldenhuys wrote:
> On 2015-10-27 14:14, [hidden email] wrote:
>>
>> the project in question uses very few outside developed libraries or units... we
>> don't want to drag in a whole lot of stuff that's not needed or used by the rest
>
> The reason there are many units is because it is well refactored. Each
> unit represents a new Hash or Cipher implementation. So if you only want
> one (out of the many options), it will probably only pull in 2, maybe 3
> units.

my comment was directed more at (eg) not using FCL or LCL to avoid pulling in
all their stuff that is not needed... currently the project's server binary is
less than 500K... the next largest binary is ~700K... the server implements 5 or
6 different protocols for connections... pretty sweet for such a small package
compared to other things that do less but are much larger... oh yeah, this is
completely non-GUI, too... all text/console mode  O:)

>> the screen shot is ok
>
> I guess the problem with that is that there is nothing else to take a
> screenshot of - what does a screenshot of Hashes or Ciphers look like?
> ;-) So to brighten up the wiki page, a screenshot of the Component
> Palette icons was chosen.

the real problem, which i was apparently not clear about, is that it is a screen
shot... that's all fine and good but a simple text list is easier to
copy'n'paste into a plain text message when conversing with others  ;)

>> there's not much else
>> describing the capabilities available or giving examples...
>
> If you looked at the actual "Ciphers" and "Hashes" directories, those
> units are pretty self explanatory. eg: Blowfish, TwoFish, Mars, ICE,
> IDEA etc can be seen in the unit names.

yeah, that means i already have it... this is/was research before wasting the
time downloading something that may not fit  B)

> The wiki also gives an example (pure code) if you look in the Bug
> section of the wiki page. As for the bug, that is a corner case, and I
> haven't tested or researched it much. But I doubt it would affect many
> people, so don't judge the whole DCPCrypt project based on that alone.

no, that's not possible :lol:


Re: is scrypt available?

Klaus Hartnegg-3
In reply to this post by David W Noon-2
On 27.10.2015 at 18:55, David W Noon wrote:
> <https://en.wikipedia.org/wiki/Secure_Hash_Algorithm>

> <https://tools.ietf.org/html/rfc6234>

Do not use a normal hash function to store passwords. If the password
file is stolen, the attackers can quickly determine most passwords.

There are special algorithms to securely store passwords. Common
recommendations are: PBKDF2, bcrypt, scrypt.

Explanation from
https://en.wikipedia.org/wiki/Password_cracking#Prevention

"Many hashes used for storing passwords, such as MD5 and the SHA family,
are designed for fast computation and efficient implementation in
hardware. As a result, they are ineffective in preventing password
cracking, especially with methods like rainbow tables. Using key
stretching Algorithms, such as PBKDF2, to form password hashes can
significantly reduce the rate at which passwords can be tested."

See also:
https://en.wikipedia.org/wiki/Key_derivation_function

scrypt for pascal appears to be offered here:
http://www.wolfgang-ehrhardt.de/crchash_en.html

Re: is scrypt available?

Frederic Da Vitoria
2015-10-29 17:56 GMT+01:00 Klaus Hartnegg <[hidden email]>:
> On 27.10.2015 at 18:55, David W Noon wrote:
>> <https://en.wikipedia.org/wiki/Secure_Hash_Algorithm>
>>
>> <https://tools.ietf.org/html/rfc6234>
>
> Do not use a normal hash function to store passwords. If the password file is stolen, the attackers can quickly determine most passwords.
>
> There are special algorithms to securely store passwords. Common recommendations are: PBKDF2, bcrypt, scrypt.
>
> Explanation from
> https://en.wikipedia.org/wiki/Password_cracking#Prevention
>
> "Many hashes used for storing passwords, such as MD5 and the SHA family, are designed for fast computation and efficient implementation in hardware. As a result, they are ineffective in preventing password cracking, especially with methods like rainbow tables. Using key stretching Algorithms, such as PBKDF2, to form password hashes can significantly reduce the rate at which passwords can be tested."
>
> See also:
> https://en.wikipedia.org/wiki/Key_derivation_function
>
> scrypt for pascal appears to be offered here:
> http://www.wolfgang-ehrhardt.de/crchash_en.html

Good point. I'd even ask the question: do you really need to store the passwords? IOW, do you want to be able to send them back to the user? Or do you only need to check them?

--
Frederic Da Vitoria
(davitof)

Member of April - "promoting and defending free software" - http://www.april.org
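
Added example, not part of any post in this thread and written in Python rather than Free Pascal: the check-only password storage that the last two posts describe, using scrypt with a per-user salt so that only a verifier is kept in the database and the password is never stored. The record format, the cost settings and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed cost settings (assumptions, not values from the thread).
N, R, P = 2**14, 8, 1          # CPU/memory cost, block size, parallelism
KEY_LEN, SALT_LEN = 32, 16
MAXMEM = 64 * 1024 * 1024      # cap on the memory scrypt may allocate


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _derive(password, salt, n, r, p, length):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=length)


def make_record(password, n=N, r=R, p=P):
    """Return the string to store in the database (hypothetical format)."""
    salt = os.urandom(SALT_LEN)  # fresh salt per user defeats precomputed tables
    key = _derive(password, salt, n, r, p, KEY_LEN)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(key)])


def _parse(record):
    """Split a stored record; raises ValueError on anything malformed."""
    scheme, n, r, p, salt, key = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown scheme")
    n, r, p = int(n), int(r), int(p)
    # Refuse costs above what this server issues, so a tampered row cannot
    # force an arbitrarily expensive computation at login time.
    if not (1 < n <= N and n & (n - 1) == 0 and 1 <= r <= R and 1 <= p <= P):
        raise ValueError("cost parameters out of range")
    salt = base64.b64decode(salt, validate=True)
    key = base64.b64decode(key, validate=True)
    if not salt or len(key) != KEY_LEN:
        raise ValueError("bad salt or key length")
    return n, r, p, salt, key


def verify(password, record):
    """Recompute the key from the supplied password and compare."""
    try:
        n, r, p, salt, expected = _parse(record)
    except ValueError:
        return False
    candidate = _derive(password, salt, n, r, p, len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def needs_rehash(record):
    """True when a record was made with costs other than the current ones."""
    n, r, p, _, _ = _parse(record)
    return (n, r, p) != (N, R, P)
```

When `needs_rehash` returns true after a successful `verify`, the record can be regenerated from the password the user just supplied.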
