SEC-1932: Provide a PBKDF2 PasswordEncoder implementation #2158

Closed
spring-issuemaster opened this Issue Mar 5, 2012 · 4 comments

spring-issuemaster commented Mar 5, 2012

Tom Fitzhenry (Migrated from SEC-1932) said:

StandardPasswordEncoder is an implementation of PBKDF1. PBKDF1 has been superseded by PBKDF2[0].

If StandardPasswordEncoder became an implementation of PBKDF2, applications that currently use StandardPasswordEncoder would break, so I propose creating a new class: PBKDF2PasswordEncoder, or some such.

[0] "PBKDF2 is recommended for new applications; PBKDF1 is included only for compatibility with existing applications, and is not recommended for new applications." -- http://tools.ietf.org/html/rfc2898

spring-issuemaster commented Mar 5, 2012

Tom Fitzhenry said:

RFC specification: http://tools.ietf.org/html/rfc2898
Example Java implementation: http://www.rtner.de/software/PBKDF2.html

spring-issuemaster commented Dec 6, 2012

Clemens Fuchslocher said:

PBKDF2 support was also added to the SecretKeyFactory of Java 6: Java 6 Security Enhancements.

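```java
import java.security.GeneralSecurityException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// BinTools (hex helpers) is not part of the JDK; it must come from a separate library.

char[] password = "12345678".toCharArray();
byte[] salt = BinTools.hex2bin("5149C23A6263BAA1");
int iterations = 1000;

try {
    // Derive a 160-bit key from the password, salt and iteration count.
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 160);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    SecretKey key = factory.generateSecret(spec);
    spec.clearPassword(); // wipe the spec's internal copy of the password
    String hash = BinTools.bin2hex(key.getEncoded());

    System.out.println(hash);
} catch (GeneralSecurityException e) {
    // Algorithm not available from any provider, or the key spec was rejected.
    throw new IllegalStateException("PBKDF2 key derivation failed", e);
}
```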
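
A salted encode/verify pair built on the same SecretKeyFactory call as the comment above, as an added example (not part of the thread and not Spring Security's PBKDF2PasswordEncoder). The class name, 16-byte salt, iteration count and hex(salt || hash) storage format are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Added example; class name, parameters and storage format are assumptions.
public class Pbkdf2Sketch {
    static final int SALT_BYTES = 16, HASH_BITS = 160; // assumed salt size; 160 bits as in the comment
    static final int ITERATIONS = 100000;              // assumed work factor
    static final int HEX_LEN = 2 * (SALT_BYTES + HASH_BITS / 8);
    // Returns hex(salt || derivedKey): a fresh random salt is stored with each hash.
    static String encode(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password, salt);
        byte[] out = Arrays.copyOf(salt, salt.length + hash.length);
        System.arraycopy(hash, 0, out, salt.length, hash.length);
        StringBuilder sb = new StringBuilder(HEX_LEN);
        for (byte b : out) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Re-derives with the stored salt; MessageDigest.isEqual avoids an early-exit compare.
    static boolean matches(char[] password, String encoded) throws GeneralSecurityException {
        if (encoded == null || !encoded.matches("[0-9a-f]{" + HEX_LEN + "}")) return false;
        byte[] stored = new byte[HEX_LEN / 2];
        for (int i = 0; i < stored.length; i++)
            stored[i] = (byte) Integer.parseInt(encoded.substring(2 * i, 2 * i + 2), 16);
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        byte[] expected = Arrays.copyOfRange(stored, SALT_BYTES, stored.length);
        return MessageDigest.isEqual(expected, derive(password, salt));
    }

    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's copy of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String stored = encode("12345678".toCharArray()); // constructed sample password
        System.out.println(matches("12345678".toCharArray(), stored));
        System.out.println(matches("12345679".toCharArray(), stored));
    }
}
```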

spring-issuemaster commented May 2, 2013

Pavel Shchegolevatykh said:

We surely need this feature. By the way here is another implementation of PBKDF2 in Java at the bottom of the article. http://crackstation.net/hashing-security.htm

spring-issuemaster commented Oct 21, 2013

Rob Worsnop said:

I have submitted a pull request for this: #51

@spring-issuemaster spring-issuemaster added this to the 4.0 Backlog milestone Feb 5, 2016

@rwinch rwinch modified the milestones: 4.1.0 RC2, 4.0 Backlog Apr 12, 2016

@rwinch rwinch self-assigned this Apr 12, 2016

rwinch added a commit that referenced this issue Apr 12, 2016

Added PBKDF2PasswordEncoder.
 - Also moved some logic into a new class, AbstractPasswordEncoder.
Both PBKDF2PasswordEncoder and the now-simplified
StandardPasswordEncoder extend AbstractPasswordEncoder.
 - Added tests for PBKDF2PasswordEncoder

Issue gh-2158

@rwinch rwinch closed this in 95a3e30 Apr 12, 2016