SEC-1932: Provide a PBKDF2 PasswordEncoder implementation

[spring-projects-issues]

Tom Fitzhenry (Migrated from SEC-1932) said:

StandardPasswordEncoder is an implementation of PBKDF1. PBKDF1 has been superceded by PBKDF2[0].

If StandardPasswordEncoder became an implementation of PBKDF2, applications that currently use StandardPasswordEncoder would break, so I propose creating a new class: PBKDF2PasswordEncoder, or some such.

1. "PBKDF2 is recommended for new applications; PBKDF1 is included only for compatibility with existing applications, and is not recommended for new applications." -- http://tools.ietf.org/html/rfc2898

[spring-projects-issues]

Tom Fitzhenry said:

RFC specification: http://tools.ietf.org/html/rfc2898
Example Java implementation: http://www.rtner.de/software/PBKDF2.html

[spring-projects-issues]

Clemens Fuchslocher said:

PBKDF2 support was also added to the SecretKeyFactory of Java 6: Java 6 Security Enhancements.

char[] password = "12345678".toCharArray();
byte[] salt = BinTools.hex2bin("5149C23A6263BAA1");
int iterations = 1000;

try {
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 160);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    SecretKey key = factory.generateSecret(spec);
    spec.clearPassword();
    String hash = BinTools.bin2hex(key.getEncoded());

    System.out.println(hash);
} catch (Throwable t) {
    ...
}

[spring-projects-issues]

Pavel Shchegolevatykh said:

We surely need this feature. By the way here is another implementation of PBKDF2 in Java at the bottom of the article. http://crackstation.net/hashing-security.htm

[spring-projects-issues]

Rob Worsnop said:

I have submitted a pull request for this: #51