-
Notifications
You must be signed in to change notification settings - Fork 0
/
pbkdf2.go
65 lines (52 loc) · 1.54 KB
/
pbkdf2.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
package pbkdf2
import (
"crypto/sha256"
"golang.org/x/crypto/pbkdf2"
"github.com/colt3k/utils/crypt"
)
/*
SECRET_KEY_ALGORITHM : PBKDF2WithHmacSHA1
PBKDF2WithHmacSHA256
PBKDF2: key derivation function PBKDF2 as defined in RFC2898 / PKCS #5 v2.0
i.e. PBKDF2 SHA1 vs SHA256 Hash algorithm strength is important, but it is not so important in key derivation functions.
It is unlikely that even if SHA-1 is broken that it would influence the security of PBKDF2. You are better off using
SHA-1, and increase the iteration count up to a level that is tweaked for your specific configuration.
If you want to protect against hardware acceleration use SCrypt Instead of PBKDF2
https://cryptobook.nakov.com/mac-and-key-derivation/pbkdf2
Password is passed by user
Salt is a unique salt for the system this will be running on and doesn't change
Considered OLD, use Scrypt or Argon2id
*/
const (
iterationsDFLT = 600001
keyLengthDFLT = 32
)
type PBKDF2 struct {
pass []byte
salt []byte
keyLength int
iterations int
}
/*
New
keyLength recommended 16 or 32(default)
iterations recommended per OWASP 600,000+
*/
func New(pass, salt []byte, keyLength, iterations int) *PBKDF2 {
t := new(PBKDF2)
t.pass = pass
t.salt = salt
t.keyLength = keyLengthDFLT
if keyLength > 0 {
t.keyLength = keyLength
}
t.iterations = iterationsDFLT
if iterations > 0 {
t.iterations = iterations
}
return t
}
func (p *PBKDF2) Generate() []byte {
p.salt = crypt.GenSalt(p.salt, p.keyLength/2)
return pbkdf2.Key(p.pass, p.salt, p.iterations, p.keyLength, sha256.New)
}