-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.xml
258 lines (211 loc) · 18.9 KB
/
index.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>libpasta</title>
<link>https://libpasta.github.io/</link>
<description>Recent content on libpasta</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-gb</language>
<lastBuildDate>Wed, 21 Feb 2018 00:00:00 +0000</lastBuildDate>
<atom:link href="https://libpasta.github.io/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>Contributing</title>
<link>https://libpasta.github.io/libpasta-dev/contributing/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/libpasta-dev/contributing/</guid>
<description>libpasta is still at an early stage of development and is looking for contribution in all areas.
Some specific areas which are looking for contribution:
Improving these docs - source The core Rust library - source Adding more languages - see adding languages Writing more utility tools - source </description>
</item>
<item>
<title>Overview</title>
<link>https://libpasta.github.io/other-languages/overview/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/other-languages/overview/</guid>
<description>Our goal is for libpasta to be the clear choice for any developers requiring secure password storage. Hence we have initial support for a number of languages.
For any missing languages, please open an issue or click &ldquo;Edit this page&rdquo; and submit a pull request.
Here we list the support:
Language Supported? Repository Documentation C Y TODO TODO Java Y Link Link PHP Y TODO TODO Python Y Link TODO Ruby Y TODO TODO Rust Y (Native) Link Link </description>
</item>
<item>
<title>Adding Languages</title>
<link>https://libpasta.github.io/libpasta-dev/adding-languages/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/libpasta-dev/adding-languages/</guid>
<description>Our initial support for other languages is through the use of SWIG.
So far, this means we have simple bindings for C, Java, PHP, python, and Ruby.
If you want to add new language bindings, this is a good place to start.
The SWIG specification for libpasta reveals the simplicity of the API, and a few important caveats:
# in pasta.h #include &lt;stdbool.h&gt;extern char * hash_password(const char *password); extern bool verify_password(const char* hash, const char *password); extern void free_string(const char *); extern char * read_password(const char *prompt); These bind to the functions exported by the libpasta-ffi crate.</description>
</item>
<item>
<title>What is libpasta?</title>
<link>https://libpasta.github.io/introduction/what-is-libpasta/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/introduction/what-is-libpasta/</guid>
<description>Password breaches have become a regular occurrence. See: Yahoo (twice), LinkedIn, Adobe, Ashley Madison, and a whole lot more.
Furthermore, with the exception of Yahoo who eventually migrated to bcrypt in 2013, the above examples doubles as a list of &ldquo;how NOT to do password storage&rdquo;: simple hashing, unsalted values, misuse of encryption, and failed password migration. (For more information on why these are bad, see our introduction to password hashing theory).</description>
</item>
<item>
<title>Algorithm Selection</title>
<link>https://libpasta.github.io/technical-details/algorithm-choice/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/technical-details/algorithm-choice/</guid>
<description>Currently, we use scrypt as the default algorithm in libpasta. The default parameters are:
N: 2^15 r: 8 p: 1 This results in a memory requirement of approximately 32MiB and about 0.1 seconds to compute. For many systems, this can be increased, and we suggest using the tuning tools to choose suitable parameters.
For more information on the scrypt parameters, see: https://blog.filippo.io/the-scrypt-parameters/
Why scrypt? Scrypt was introduced in 2009 as a memory-hard hash function, designed to reduce the advantage gained by using custom hardware (e.</description>
</item>
<item>
<title>Basic Usage</title>
<link>https://libpasta.github.io/introduction/basic-usage/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/introduction/basic-usage/</guid>
<description>Here we give an overview of the core functionality of libpasta. Examples can be viewed in different languages, with the full list of language support found in other languages.
The full Rust API documentation can be found here.
Password Hashes A common scenario is that a particular user has password, which a service will check on each login to authenticate the user.
Java Python Ruby Rust import io.</description>
</item>
<item>
<title>C</title>
<link>https://libpasta.github.io/other-languages/c/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/other-languages/c/</guid>
<description>We can use the FFI definitions output by Rust directly in C code. However, unlike with the SWIG bindings, we are required to manually free the strings after use, as in the following simple example.
### in pasta.h #include &lt;stdbool.h&gt; extern char * hash_password(const char *password); extern bool verify_password(const char* hash, const char *password); extern void free_string(const char *); extern char * read_password(const char *prompt);#include &#34;pasta.h&#34;#include &lt;stdio.h&gt; int main(void) { char *hash, *password; hash = hash_password(&#34;hello123&#34;); password = read_password(&#34;Please enter the password (hint: hello123):&#34;); if (verify_password(hash, password)) { printf(&#34;Correct password\n&#34;); } else { printf(&#34;Sorry, that is incorrect\n&#34;); } free_string(hash); free_string(password); return 0; } Which is compiled in the usual way:</description>
</item>
<item>
<title>Java</title>
<link>https://libpasta.github.io/other-languages/java/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/other-languages/java/</guid>
<description>There is currently support for the base functionality in Java.
The library can be obtained by following the instruction in the repository. The simplest being to obtain the precompiled jar file from the releases page.
Once obtained a simple example such as the following can be constructed:
import io.github.libpasta.*; public class test { public static void main(String argv[]) { String hash = pasta.hash_password(&#34;hello123&#34;); String password = pasta.read_password(&#34;Please enter the password (hint: hello123):&#34;); if (pasta.</description>
</item>
<item>
<title>Keyed Hashes</title>
<link>https://libpasta.github.io/advanced/keyed/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/advanced/keyed/</guid>
<description>We are currently developing support for keyed hashes: whether through HMAC or encrypted values. For now, keys are generated and stored locally in memory in the running instance, which means that any passwords which are stored while the application is running will be useless if the application terminates and destroys the keys.
The goal is for this structure to be flexible to any kinds of environments with different sources.
For example, the following code configures a key for use in libpasta and sets up HMAC to be used as a wrapping function:</description>
</item>
<item>
<title>PHP</title>
<link>https://libpasta.github.io/other-languages/php/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/other-languages/php/</guid>
<description>For PHP, SWIG generates a pasta.so extension, which can be installed in the system directory (for example, /etc/php/php.ini), and must be enabled. SWIG also generates a pasta.php module file which loads the extension and defines the API for libpasta.
// In pasta_form.php &lt;?php include(&#34;pasta.php&#34;); $password = $_POST[&#39;password&#39;]; $hash = pasta::hash_password(&#34;hello123&#34;); if (pasta::verify_password($hash, $password)) { echo &#34;Correct password.&#34;; } else { echo &#34;Sorry, that is incorrect&#34;; } ?&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;libpasta PHP example&lt;/title&gt; &lt;/head&gt; &lt;body&gt; &lt;form action=&#34;pasta_form.</description>
</item>
<item>
<title>Password Migration</title>
<link>https://libpasta.github.io/advanced/migration/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/advanced/migration/</guid>
<description>One of the core principles underlying libpasta is that it should be easy to use best practice password hashing algorithms. Unfortunately, many people are currently not using these algorithms, and furthermore, &ldquo;best practice&rdquo; seems to be very hard to pin down. To solve this, we include support for painless migration, which can even be enabled automatically.
Migrating a password hash is a subtle problem. The whole point of password storage is that you cannot recover the password.</description>
</item>
<item>
<title>Python</title>
<link>https://libpasta.github.io/other-languages/python/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/other-languages/python/</guid>
<description>We are currently supporting the base libpasta functionality in python.
The library can be obtained by following the instruction in the repository. Or using pip for supported systems (currently 64-bit linux, most python versions).
Once obtained a simple example such as the following can be constructed:
import libpasta hash = libpasta.hash_password(&#34;hello123&#34;) password = libpasta.read_password(&#34;Please enter the password (hint: hello123):&#34;); if libpasta.verify_password(hash, password): print(&#34;Correct password&#34;) else: print(&#34;Sorry, that is incorrect&#34;)</description>
</item>
<item>
<title>Randomness Problems</title>
<link>https://libpasta.github.io/technical-details/randomness/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/technical-details/randomness/</guid>
<description>One benefit of Rust is that it enforces strict error handling in applications. Rust has unwrap and expect methods which are generally used to mean &ldquo;I have no idea how to recover from this particular error, please kill the program&rdquo;.
For example, imagine some binary application which is used to count the lines of a file cargo run --bin wc some_file.txt it seems reasonable to panic if some_file.txt is not found, which would communicate this issue clearly.</description>
</item>
<item>
<title>Ruby</title>
<link>https://libpasta.github.io/other-languages/ruby/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/other-languages/ruby/</guid>
<description>In the future Ruby will be supported through a Ruby gem. For now, SWIG generates a pasta.so extension which can be used directly by Ruby:
require &#39;./pasta.so&#39; hash = Pasta::hash_password(&#34;hello123&#34;) password = Pasta::read_password(&#34;Please enter the password (hint: hello123):&#34;) if Pasta::verify_password(hash, password) puts &#34;Correct password&#34; else puts &#34;Sorry, that is incorrect&#34; end</description>
</item>
<item>
<title>Serializing Hashes</title>
<link>https://libpasta.github.io/technical-details/phc-string-format/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/technical-details/phc-string-format/</guid>
<description>We use the PHC string format, as defined here, to format password hashes produced by libpasta.
These take the following format:
$&lt;id&gt;[$&lt;param&gt;=&lt;value&gt;(,&lt;param&gt;=&lt;value&gt;)*][$&lt;salt&gt;[$&lt;hash&gt;]] where:
&lt;id&gt; is the symbolic name for the function &lt;param&gt; is a parameter name &lt;value&gt; is a parameter value &lt;salt&gt; is an encoding of the salt &lt;hash&gt; is an encoding of the hash output The string is then the concatenation, in that order, of:</description>
</item>
<item>
<title>Supported Algorithms</title>
<link>https://libpasta.github.io/technical-details/supported/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/technical-details/supported/</guid>
<description>This page lists the hash formats currently supported by libpasta, and the algorithms available for use. For any missing formats/algorithms, please open an issue and/or submit a pull request.
Algorithms Currently, libpasta has support for:
argon2 bcrypt HMAC PBKDF2 scrypt Formats The following hash-formats are supported automatically by libpasta:
Name Format Description bcrypt legacy format $2[abxy]$&lt;cost&gt;$&lt;salthash&gt; salthash is a non-standard base64 encoding PHC format $&lt;id&gt;$&lt;params map&gt;$&lt;salt&gt;$&lt;hash&gt; Also referred to as modular crypt format libpasta specific ($!</description>
</item>
<item>
<title>Installation</title>
<link>https://libpasta.github.io/introduction/installation/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/introduction/installation/</guid>
<description>libpasta is designed to be installed as a system library. Currently, this can be achieved by downloading the repository, compiling it, and moving the library to the system library, e.g /usr/lib.
git clone https://github.com/libpasta/libpasta/ cd libpasta # compiles the library make libpasta # installs the library to ${INSTALL_DIR} - defaults to /usr/lib make install For developing Rust applications, we recommend using it as usual through cargo.
For non-Rust applications, follow the above steps to install the library, and follow the instructions for bindings to other languages.</description>
</item>
<item>
<title>Tuning & Parameter Selection</title>
<link>https://libpasta.github.io/advanced/tuning/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/advanced/tuning/</guid>
<description>libpasta comes with a set of secure default algorithm and parameter choices. However, there is no single set of parameters which is suitable for all purposes and we provide tools to help with parameter selection.
These tools also have the benefit of working as a benchmarking platform for the target system; if the system performs significantly worse than the expected times, this could result in suboptimal, or even insecure, parameters selected.</description>
</item>
<item>
<title>Password hashing theory</title>
<link>https://libpasta.github.io/introduction/password-hashing-theory/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/introduction/password-hashing-theory/</guid>
<description>Why hash passwords? Let&rsquo;s start with the most common use of passwords: user authentication.
The general setting is that an individual has a username and a password, e.g. username: alice and password: hunter2.
When Alice first registers on a website, a new account is created, and the password is stored in the database, so that Alice can prove she is indeed Alice
id | username | password | creation-date | .</description>
</item>
<item>
<title>Alternatives</title>
<link>https://libpasta.github.io/introduction/alternatives/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/introduction/alternatives/</guid>
<description>There are currently a few options for password hashing. These vary from general crypto libraries, to specific password hashing libraries, to in-built helpers. The functionality, security, ease-of-use and compatibility of these varies, and we compare them to libpasta here.
The design of libpasta was inspired by libsodium (a cross-platform, cross- language crypto library), and passlib (a python-based password hashing library). libpasta is an effort to take the best features of these two libraries combined into one, and more.</description>
</item>
<item>
<title>Rust for Cross-Language System Libraries</title>
<link>https://libpasta.github.io/blog/bindings/</link>
<pubDate>Wed, 21 Feb 2018 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/blog/bindings/</guid>
<description>We have been building libpasta as a simple, usable solution to password hashing and migration. The goal for libpasta is to be a cross-platform, cross-language system library.
libpasta is written in Rust, exports a C-style API, and builds to a static/shared library. Most languages support calling external libraries through foreign function interfaces (FFIs), and the end result can be seen in the documentation where each language has access to the libpasta functionality.</description>
</item>
<item>
<title>Announcing libpasta</title>
<link>https://libpasta.github.io/blog/release/</link>
<pubDate>Wed, 29 Nov 2017 00:00:00 +0000</pubDate>
<guid>https://libpasta.github.io/blog/release/</guid>
<description>Today we are announcing the alpha release of libpasta!
libpasta is intended to be a cross-language, cross-platform, easy-to-use password hashing library for developers. In particular, libpasta offers a simple API, which uses sane defaults, offering a relatively high security level with zero configuration or parameter choice for the developer. Storing/verifying a password is as simple as libpasta.hash_password(pw) and libpasta.verify_password(hash, pw).
Furthermore, libpasta is built to handle migrating from old hashes, finally allowing developers to move away from old, outdated algorithms and parameters.</description>
</item>
</channel>
</rss>