SEC-1932: Provide a PBKDF2 PasswordEncoder implementation #2158

Closed
spring-issuemaster opened this Issue Mar 5, 2012 · 4 comments


Tom Fitzhenry (Migrated from SEC-1932) said:

StandardPasswordEncoder is an implementation of PBKDF1. PBKDF1 has been superseded by PBKDF2[0].

If StandardPasswordEncoder became an implementation of PBKDF2, applications that currently use StandardPasswordEncoder would break, so I propose creating a new class: PBKDF2PasswordEncoder, or some such.

[0] "PBKDF2 is recommended for new applications; PBKDF1 is included only for compatibility with existing applications, and is not recommended for new applications." -- http://tools.ietf.org/html/rfc2898

Clemens Fuchslocher said:

PBKDF2 support was also added to the SecretKeyFactory of Java 6: Java 6 Security Enhancements.

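import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// BinTools is the hex helper used in this comment; its source is not shown here.
char[] password = "12345678".toCharArray();
byte[] salt = BinTools.hex2bin("5149C23A6263BAA1");
int iterations = 1000;

try {
    // Request a 160-bit derived key, the output size of HMAC-SHA1.
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 160);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    SecretKey key = factory.generateSecret(spec);
    // Wipe the spec's internal copy of the password once the key is derived.
    spec.clearPassword();
    String hash = BinTools.bin2hex(key.getEncoded());

    System.out.println(hash);
} catch (Throwable t) {
    // ...
}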
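
An added example, not part of the comment above and not Spring Security's PBKDF2PasswordEncoder: the same SecretKeyFactory call wrapped into an encode/verify pair with a random per-password salt and a constant-time comparison. The class name, the "iterations:salt:hash" storage format and the 16-byte salt length are assumptions made for illustration; the iteration count is the sample value from the comment.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class for illustration only.
public class Pbkdf2Sketch {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA1"; // as in the comment above
    private static final int SALT_BYTES = 16;  // assumed salt length
    private static final int HASH_BITS = 160;  // HMAC-SHA1 output size
    private static final SecureRandom RANDOM = new SecureRandom();

    // Returns "iterations:salt:hash" so verification can recover the parameters.
    static String encode(char[] password, int iterations) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt); // fresh random salt for every password
        byte[] hash = derive(password, salt, iterations);
        Base64.Encoder b64 = Base64.getEncoder();
        return iterations + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(hash);
    }

    static boolean matches(char[] password, String encoded) throws GeneralSecurityException {
        String[] parts = encoded.split(":");
        if (parts.length != 3) return false; // malformed record
        int iterations;
        byte[] salt, expected;
        try {
            iterations = Integer.parseInt(parts[0]);
            salt = Base64.getDecoder().decode(parts[1]);
            expected = Base64.getDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) { // also covers NumberFormatException
            return false;
        }
        if (iterations <= 0 || salt.length == 0) return false;
        // MessageDigest.isEqual compares in constant time, so timing does not leak a prefix match.
        return MessageDigest.isEqual(expected, derive(password, salt, iterations));
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's copy of the password
        }
    }
}
```

Calling `Pbkdf2Sketch.encode("12345678".toCharArray(), 1000)` twice yields two different strings because of the random salt, and `matches` accepts the original password against either one.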

Pavel Shchegolevatykh said:

We surely need this feature. By the way, here is another implementation of PBKDF2 in Java, at the bottom of the article: http://crackstation.net/hashing-security.htm

Rob Worsnop said:

I have submitted a pull request for this: #51

@spring-issuemaster spring-issuemaster added this to the 4.0 Backlog milestone Feb 5, 2016

@rwinch rwinch modified the milestones: 4.1.0 RC2, 4.0 Backlog Apr 12, 2016

@rwinch rwinch self-assigned this Apr 12, 2016

rwinch added a commit that referenced this issue Apr 12, 2016

Added PBKDF2PasswordEncoder.
 - Also moved some logic into a new class, AbstractPasswordEncoder.
Both PBKDF2PasswordEncoder and the now-simplified
StandardPasswordEncoder extend AbstractPasswordEncoder.
 - Added tests for PBKDF2PasswordEncoder

Issue gh-2158

@rwinch rwinch closed this in 95a3e30 Apr 12, 2016
