On 03/27/2018 09:11 PM, Joe Cooter wrote:
> Hi,
>
> I’m attempting to build an application using the userPassword attribute, with hashes stored using PBKDF2_SHA256. However, using the passlib hash library for pbkdf2_sha256 is complaining about a malformed hash. Looking at the hash, it appears that there aren’t any delimiters between the salt, iterations, etc.
>
> Is there some additional encoding happening on the userPassword attribute?

The server stores the password as follows:

dn: uid=mark,dc=example,dc=com
userpassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFFb3A0VVVUUFRjL2E2NStDS3U5cmdFa0RML0V
 2NmhIamZaRDlQRXFLSFNraStrYXZYTWx6ZTZzOGsrNnFYT3I3amtjZXFpMUlZR0dndlpyK2hMczVn
 cjhSRXNSSVRzSUxZVzlJTnU5RUNWOVQ2ZzhvTUphQTErbDkxZGxNR20yUjVYR0h2UmlqczlmQlk3T
 zg0NGYvYk1OR0tqaXJKUHlVKzJwVVhoMzBGaS9GV0I0VW1ia2JOVmg0RGd5c0ZFOHZLOXI4RVN3RV
 JJUXdHUkJOVXpuZXBJUVNmNEhUYTBQQU1HaEZjelhjekdTeUY1a3pDWGo2LzBpVWRDRDVydWJGMzc
 0TWl3VXVrQmlKaklsRkhheUMwV0N2dWtZNkVmQ1BESFNrRjNGaThlVHNjZGxGSitDcFRSME1pVStP
 T1R3Qkt4MGRsMGpUYU8yVzQyVFFCcnY2MUtsUUovV05NQkpMVmRreWRhT3J1L0xJcVhha3hrblZMe
 G9kTS96d1dzVmZYempSQjhQRGxZalpyR3lhSjZ1YWlYSStEWXUzYzVvWlcrSUx3YjdEazB3

Base64 decoding the password gives us:

{PBKDF2_SHA256}AAAIAEop4UUTPTc/a65+CKu9rgEkDL/Ev6hHjfZD9PEqKHSki+kavXMlze6s8k+6qXOr7jkceqi1IYGGgvZr+hLs5gr8REsRITsILYW9INu9ECV9T6g8oMJaA1+l91dlMGm2R5XGHvRijs9fBY7O844f/bMNGKjirJPyU+2pUXh30Fi/FWB4UmbkbNVh4DgysFE8vK9r8ESwERIQwGRBNUznepIQSf4HTa0PAMGhFczXczGSyF5kzCXj6/0iUdCD5rubF374MiwUukBiJjIlFHayC0WCvukY6EfCPDHSkF3Fi8eTscdlFJ+CpTR0MiU+OOTwBKx0dl0jTaO2W42TQBrv61KlQJ/WNMBJLVdkydaOru/LIqXakxknVLxodM/zwWsVfXzjRB8PDlYjZrGyaJ6uaiXI+DYu3c5oZW+ILwb7Dk0w

In 389 Directory Server it looks at the password encoding prefix:

{ALGO} --> {PBKDF2_SHA256}

The rest is the complete password hash.

The salt length is 64 and the iterations length is 4:

#define PBKDF2_SALT_LENGTH 64
#define PBKDF2_ITERATIONS_LENGTH 4

In pbkdf2_sha256_pw_enc_rounds() in ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c we write the hash like so:

pbkdf2_sha256_hash(hash + PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH, ...);

So the password hash itself should be everything after an offset of 68 (PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH).

HTH,
Mark

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
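The layout Mark describes (4-byte iteration count, 64-byte salt, then the raw PBKDF2 output, all base64-encoded behind the {PBKDF2_SHA256} prefix, and base64-encoded once more by LDIF's "::" notation) is enough to parse and verify such a value without passlib. The following is an added example written for this page; it is not code from the thread or from 389 Directory Server. It assumes the scheme is PBKDF2-HMAC-SHA256, that the iteration count is stored big-endian (consistent with the sample's leading bytes 00 00 08 00, i.e. 2048), and that the derived key is simply everything after the 68-byte offset (256 bytes in the sample). Function names such as parse_pbkdf2_sha256 and unfold_ldif_value are hypothetical; the SAMPLE_VALUE constant is the decoded value posted in the thread.

```python
"""Parse and verify 389 Directory Server {PBKDF2_SHA256} userPassword values (added example)."""
import base64
import hashlib
import hmac
import os
import struct

# Layout constants quoted in the thread from ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c.
PBKDF2_ITERATIONS_LENGTH = 4
PBKDF2_SALT_LENGTH = 64
HEADER_LENGTH = PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH  # the 68-byte offset from the thread
PREFIX = "{PBKDF2_SHA256}"

# The decoded userPassword value posted in the thread (entry uid=mark,dc=example,dc=com).
SAMPLE_VALUE = (
    "{PBKDF2_SHA256}"
    "AAAIAEop4UUTPTc/a65+CKu9rgEkDL/Ev6hHjfZD9PEqKHSki+kavXMlze6s8k+6qXOr7jkc"
    "eqi1IYGGgvZr+hLs5gr8REsRITsILYW9INu9ECV9T6g8oMJaA1+l91dlMGm2R5XGHvRijs9f"
    "BY7O844f/bMNGKjirJPyU+2pUXh30Fi/FWB4UmbkbNVh4DgysFE8vK9r8ESwERIQwGRBNUzn"
    "epIQSf4HTa0PAMGhFczXczGSyF5kzCXj6/0iUdCD5rubF374MiwUukBiJjIlFHayC0WCvukY"
    "6EfCPDHSkF3Fi8eTscdlFJ+CpTR0MiU+OOTwBKx0dl0jTaO2W42TQBrv61KlQJ/WNMBJLVdk"
    "ydaOru/LIqXakxknVLxodM/zwWsVfXzjRB8PDlYjZrGyaJ6uaiXI+DYu3c5oZW+ILwb7Dk0w"
)


def unfold_ldif_value(ldif_text, attr="userpassword"):
    """Return the decoded value of a base64 ('attr:: ...') attribute from a folded LDIF entry.

    LDIF folds long values onto continuation lines that start with one space; those are
    re-joined before the outer base64 layer is removed. This is the first of the two
    encodings the original question asked about.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    for line in unfolded:
        name, sep, value = line.partition(":: ")
        if sep and name.lower() == attr.lower():
            return base64.b64decode(value.strip()).decode("ascii")
    raise KeyError("no base64 %s attribute in entry" % attr)


def parse_pbkdf2_sha256(value):
    """Split a {PBKDF2_SHA256} value into (iterations, salt, derived_key)."""
    if not value.startswith(PREFIX):
        raise ValueError("not a {PBKDF2_SHA256} value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    if len(raw) <= HEADER_LENGTH:
        raise ValueError("value too short to hold iterations, salt and hash")
    # Assumption: big-endian iteration count (the sample starts 00 00 08 00 = 2048).
    (iterations,) = struct.unpack(">I", raw[:PBKDF2_ITERATIONS_LENGTH])
    salt = raw[PBKDF2_ITERATIONS_LENGTH:HEADER_LENGTH]
    derived_key = raw[HEADER_LENGTH:]  # everything after offset 68
    return iterations, salt, derived_key


def verify_pbkdf2_sha256(value, password):
    """Recompute PBKDF2-HMAC-SHA256 with the stored parameters and compare in constant time."""
    iterations, salt, derived_key = parse_pbkdf2_sha256(value)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(derived_key))
    return hmac.compare_digest(candidate, derived_key)


def encode_pbkdf2_sha256(password, iterations, salt=None, dklen=256):
    """Produce a value in the same layout (used here for round-trip testing)."""
    if salt is None:
        salt = os.urandom(PBKDF2_SALT_LENGTH)
    if len(salt) != PBKDF2_SALT_LENGTH:
        raise ValueError("salt must be %d bytes" % PBKDF2_SALT_LENGTH)
    if iterations < 1:
        raise ValueError("iterations must be positive")
    derived_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                      iterations, dklen=dklen)
    raw = struct.pack(">I", iterations) + salt + derived_key
    return PREFIX + base64.b64encode(raw).decode("ascii")


def fold_ldif_attribute(attr, value, width=76):
    """Emit 'attr:: <base64>' folded onto continuation lines the way LDIF does."""
    text = "%s:: %s" % (attr, base64.b64encode(value.encode("ascii")).decode("ascii"))
    lines, rest = [text[:width]], text[width:]
    while rest:
        lines.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(lines)


if __name__ == "__main__":
    iters, salt, dk = parse_pbkdf2_sha256(SAMPLE_VALUE)
    print("iterations=%d salt=%d bytes derived key=%d bytes" % (iters, len(salt), len(dk)))
    demo = encode_pbkdf2_sha256("example-password", 2048)  # constructed, not a real credential
    print("round trip ok:", verify_pbkdf2_sha256(demo, "example-password"))
```

passlib's pbkdf2_sha256 handler expects its own $pbkdf2-sha256$rounds$salt$hash string layout, which is why it reports the 389 DS value as malformed; recomputing with hashlib against the parsed parameters sidesteps that mismatch entirely.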