[PATCH 07/10] password: add pbkdf2 support

Jan Lübbe jlu at pengutronix.de
Mon Mar 16 04:58:45 PDT 2015 

On Mo, 2015-03-16 at 12:52 +0100, Jean-Christophe PLAGNIOL-VILLARD
wrote:
> On 12:41 Mon 16 Mar     , Jan Lübbe wrote:
> > On Mo, 2015-03-16 at 12:25 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > > > Yes, definitely. We must use the algorithms as they are intended to be
> > > > used.
> > > > 
> > > > If we try to move users away from RSA2048 because it will be vulnerable
> > > > in the future, we should not go against established practice for
> > > > password salts by hard-coding it. 
> > > I'm not against it but with the barebox entropy did not see the point to use
> > > it.
> > > 
> > > so how do we generate the salt? what length
> > > 
> > > Personnaly I'll prefer
> > > 
> > > a random 64 bytes | sha256 | take first 32bytes. | pbkdf2 10000 round
> > 
> > Running SHA-256 on random data is useless for security.
> SHA256 is to improve the entrpopy not security

Running a deterministic algorithm cannot increase entropy (only reduce
it).

> > Just get
> > <hash-size> bytes from /dev/urandom on the host. We could generate a
> > file with the compile-time SALT which is then included.
> > 
> > On the running barebox, we could use SHA to hash the old password file
> > together with the current timer value. At least until we have something
> > better.
> > 
> > > result a 64 bytes password file <salt 32 byes><key 32 bytes>
> > 
> > Yes. As we select the algorithm at compile time, we don't the to save it
> > in the file.
> 
> this is for barebox as we may not have any passwd file

The same applies also to the default_passwd compiled in variable.

Currently we have:
PASSWD_FILE := $(shell cd $(srctree); find $(CONFIG_PASSWORD_DEFAULT) -type f)
cmd_pwd_h = echo -n "static const char default_passwd[] = \"" > $@; \
        cat $< | tr -d '\n' >> $@; \
        echo "\";" >> $@

include/generated/passwd.h: $(PASSWD_FILE)
        $(call if_changed,pwd_h)

This would need to run the hash/pbkdf2 and store salt+key.

Regards,
Jan
-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

More information about the barebox mailing list