[PATCH 07/10] password: add pbkdf2 support
Jan Lübbe
jlu at pengutronix.de
Mon Mar 16 04:58:45 PDT 2015
On Mo, 2015-03-16 at 12:52 +0100, Jean-Christophe PLAGNIOL-VILLARD
wrote:
> On 12:41 Mon 16 Mar , Jan Lübbe wrote:
> > On Mo, 2015-03-16 at 12:25 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > > > Yes, definitely. We must use the algorithms as they are intended to be
> > > > used.
> > > >
> > > > If we try to move users away from RSA2048 because it will be vulnerable
> > > > in the future, we should not go against established practice for
> > > > password salts by hard-coding it.
> > > I'm not against it but with the barebox entropy did not see the point to use
> > > it.
> > >
> > > so how do we generate the salt? what length
> > >
> > > Personnaly I'll prefer
> > >
> > > a random 64 bytes | sha256 | take first 32bytes. | pbkdf2 10000 round
> >
> > Running SHA-256 on random data is useless for security.
> SHA256 is to improve the entrpopy not security
Running a deterministic algorithm cannot increase entropy (only reduce
it).
> > Just get
> > <hash-size> bytes from /dev/urandom on the host. We could generate a
> > file with the compile-time SALT which is then included.
> >
> > On the running barebox, we could use SHA to hash the old password file
> > together with the current timer value. At least until we have something
> > better.
> >
> > > result a 64 bytes password file <salt 32 byes><key 32 bytes>
> >
> > Yes. As we select the algorithm at compile time, we don't the to save it
> > in the file.
>
> this is for barebox as we may not have any passwd file
The same applies also to the default_passwd compiled in variable.
Currently we have:
PASSWD_FILE := $(shell cd $(srctree); find $(CONFIG_PASSWORD_DEFAULT) -type f)
cmd_pwd_h = echo -n "static const char default_passwd[] = \"" > $@; \
cat $< | tr -d '\n' >> $@; \
echo "\";" >> $@
include/generated/passwd.h: $(PASSWD_FILE)
$(call if_changed,pwd_h)
This would need to run the hash/pbkdf2 and store salt+key.
Regards,
Jan
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
More information about the barebox
mailing list