PasswordHash - salted hash request

Question

PasswordHash - salted hash request

globeport opened this issue 8 years ago · 21 comments

globeport commented 8 years ago

Thanks so much for putting this library together.

My own implementation of the PasswordHash allows generation of an Scrypt hash with the following signature:

byte[] PasswordHash.Hash(byte[] password, byte[] salt)

Would you be able to add an overload to accept a similar signature?

Answer 1 · 2016-11-07T16:34:56.000Z

Sodium.KDF.Scrypt is probably what you're looking for: https://github.com/charlesportwoodii/libsodium-uwp/blob/master/docs/KDF.md#scrypt-key-derivation. It implements crypto_pwhash_scryptsalsa208sha256.

public static byte[] Sodium.KDF.Scrypt(string password, byte[] salt, PasswordHashOptions options)

libsodium classifies is as a kdf within PasswordHash, hence the namespace difference.

Answer 2 · 2016-11-07T16:40:54.000Z

Ah yes it is, perfect thanks :)

Answer 3 · 2016-11-07T16:43:56.000Z

No problem. Let me know if you have any issues. The unit tests offer some good examples too: https://github.com/charlesportwoodii/libsodium-uwp/blob/master/Test/KDFTest.cs#L359

Answer 4 · 2016-11-07T16:48:06.000Z

Will do, thanks again

Answer 5 · 2016-11-07T22:08:33.000Z

I'm getting System.AccessViolationException exceptions thrown calling the PasswordHash and Kdf functions for Scrypt and Argon2i. Havent investigated yet. Am I missing something obvious?

Thanks,
Stuart

Answer 6 · 2016-11-07T22:11:08.000Z

@globeport

Did you install from Nuget or source? If you installed from Nuget, have you added the ActivatableClass stuff to your Package.appxmanifest as outlined in the README?

Can you provide the full error message and the code you're using?

Answer 7 · 2016-11-07T22:19:20.000Z

Installed from Nuget
Yes, Ive included the config in Package.appxmanifest
Ive also referenced the VC++ 2015 runtime

For example:

function Hash(string source, byte[] salt)
{
    var options = new Sodium.PasswordHashOptions
            {
                time_cost = 3,
                memory_cost = 1 << 14
            };
            return Sodium.KDF.Argon2i(source, salt, options);
}

Exception:

An exception of type 'System.AccessViolationException' occurred ...
Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Source: Sodium

Answer 8 · 2016-11-07T22:35:05.000Z

System.String, not string.

See the following example which I just confirmed works with rc1 from Nuget.

public MainPage()
{
    this.InitializeComponent();
    var password = "correct horse battery staple";
    var salt = Sodium.Core.GetRandomBytes(32);
    var hash = this.hash(password, salt);
    // This works => System.Byte[] // 32 length
    System.Diagnostics.Debug.WriteLine(hash);
}

/// <summary>
/// Hashes a password with Argon2i
/// </summary>
/// <param name="source">The password to hash</param>
/// <param name="salt">32 byte salt</param>
/// <returns>32 byte Argon2i hash of password</returns>
public byte[] hash(String source, byte[] salt)
{
    var options = new Sodium.PasswordHashOptions
    {
        time_cost = 3,
        memory_cost = 1 << 14
    };

    return Sodium.KDF.Argon2i(source, salt, options);
}

The underlying type that gets interpreted in C is Platform.String, which corresponds to the C# System.String type, not the native string type.

Well, actually, it shouldn't matter whether you use System.String or string. The code above though works for UWP 10.

Answer 9 · 2016-11-07T22:42:46.000Z

Created a fresh project with the above.

Same problem :(

Answer 10 · 2016-11-07T22:44:56.000Z

Can you try including from source rather than from Nuget? What build of W10 are you targeting?

Answer 11 · 2016-11-07T22:47:16.000Z

Target version: Windows 10 Anniversary Edition (10.0; Build 14393)
Min Version: Windows 10 (10.0; Build 10586)

Answer 12 · 2016-11-07T22:50:43.000Z

Honestly, it sounds like the Package.appxmanifest file doesn't have the extension information. Can you try referencing libsodium-uwp from source? If you clone libsodium-uwp from source, do the unit tests run/pass?

Any chance you could upload your fresh project to Github? Bit easier to debug if I can see the entire picture.

Answer 13 · 2016-11-07T22:50:51.000Z

I downloaded the solution and tried a build from source but the build fails on the pre build event command. Its missing the libsodium source by the look of it.

Answer 14 · 2016-11-07T22:52:08.000Z

libsodium proper is included as a submodule, you have to recursively clone the project to fetch it too.

git clone --recursive https://github.com/charlesportwoodii/libsodium-uwp.

Answer 15 · 2016-11-07T22:52:45.000Z

Ah ok, sorry I just downloaded as zip.

Answer 16 · 2016-11-07T22:59:09.000Z

Build from source.
All tests pass except 1 - Argon2iTest - ArgumentException - Salt must be 16bytes in length.

Answer 17 · 2016-11-07T23:05:51.000Z

Replaced libsodium-uwp project reference with Nuget package reference.
Added the extension info to Package.appxmanifest.
Rerun tests.

5 tests failing and process ends with 'The active Test Run was aborted because the execution process exited unexpectedly'

Answer 18 · 2016-11-07T23:12:18.000Z

Pretty sure the Argon2i test has a typo, it should use a 16 instead of 32 for the salt generation. I've updated that in the Git repo. If you git pull then rebuild it should pass.

It sounds like the Nuget package might be bugged (or for some reason you're getting an older version). If you pull the tests should all pass, then you can include the project in your main project as a source reference rather than a Nuget reference.

Answer 19 · 2016-11-07T23:14:42.000Z

No worries I'll do that. Thanks for your help.

Answer 20 · 2016-11-08T00:34:44.000Z

@globeport Including from source work for you?

Answer 21 · 2016-11-08T09:20:34.000Z

So far so good...