Skip to content

GunioRobot/fshp-is-not-secure-anymore

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

44 Commits

dotnet

dotnet

 
 

java

java

 
 

javascript

javascript

 
 

perl

perl

 
 

php

php

 
 

python

python

 
 

ruby

ruby

 
 

.gitignore

.gitignore

 
 

README.rst

README.rst

 
 

Repository files navigation

FSHP: Fairly Secure Hashed Password

What is FSHP?

Fairly Secure Hashed Password (FSHP) is a salted, iteratively hashed password hashing implementation.

Design principle is similar with PBKDF1 specification in RFC 2898 (a.k.a: PKCS #5: Password-Based Cryptography Specification Version 2.0)

FSHP allows choosing the salt length, number of iterations and the underlying cryptographic hash function among SHA-1 and SHA-2 (256, 384, 512).

Security

Default FSHP1 uses 8 byte salts, with 4096 iterations of SHA-256 hashing.

  • 8 byte salt renders rainbow table attacks impractical by multiplying the required space with 2^64.
  • 4096 iterations causes brute force attacks to be fairly expensive.
  • There are no known attacks against SHA-256 to find collisions with a computational effort of fewer than 2^128 operations at the time of this release.

Implementations

  • Python: Tested with 2.3.5 (w/ hashlib), 2.5.1, 2.6.1

    Available in PyPI. http://pypi.python.org/pypi/fshp

    Install: easy_install fshp

  • Ruby : Tested with 1.8.6

    Available in RubyForge. http://rubyforge.org/projects/fshp/

    Install: gem install fshp

  • Perl : Tested with 5.8.8

    Available in CPAN http://search.cpan.org/~bdd/Crypt-FSHP/

    Install: perl -MCPAN -e 'install Crypt::FSHP'

  • PHP5 : Tested with 5.2.6
  • Java : Tested with 1.4, 1.5, 1.6. Dependency: Apache Commons - Codec (Base64)
  • JavaScript: SHA-1 and SHA-256 support only. Tested with Safari 4, Firefox 3.0.

Everyone is more than welcome to create missing language implementations or polish the current ones.

Basic Operation

Calling crypt() with a single parameter of cleartext password, implies the default configuration of FSHP1.

  • salt length: 8 bytes long random salt will be generated.
  • hash rounds: 4096 iterations of hashing will be applied in output chaining mode.
  • FSHP variant: Variant 1 uses SHA-256 as underlying hash function.

>>> hashed_pw = fshp.crypt('OrpheanBeholderScryDoubt') >>> print hashed_pw {FSHP14096}GVSUFDAjdh0vBosn1GUhzGLHP7BmkbCZVH/3TQqGIjADXpc+6NCg3g== >>> fshp.check('OrpheanBeholderScryDoubt', hashed_pw) True

Customizing the Crypt

Let's set a higher password storage security baseline.

  • Increase the salt length from default 8 to 16.
  • Increase the hash rounds from default 4096 to 8192.
  • Select FSHP3 with SHA-512 as the underlying hash algorithm.

>>> hashed_pw = fshp.crypt('ExecuteOrder66', saltlen=16, rounds=8192, variant=3) >>> print hashed_pw {FSHP38192}0aY7rZQ+/PR+Rd5/I9ssRM7cjguyT8ibypNaSp/U1uziNO3BVlg5qPUng+zHUDQC3ao/JbzOnIBUtAeWHEy7a2vZeZ7jAwyJJa2EqOsq4Io=

About

Fairly Secure Hashed Password

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • PHP 20.3%
  • JavaScript 20.1%
  • C# 17.1%
  • Ruby 12.6%
  • Python 12.2%
  • Java 9.9%
  • Perl 7.8%