
SEC-1932: Provide a PBKDF2 PasswordEncoder implementation #2158


Closed
spring-projects-issues opened this issue Mar 5, 2012 · 4 comments
Labels: in: crypto (An issue in spring-security-crypto), type: jira (An issue that was migrated from JIRA)

Comments

Tom Fitzhenry (Migrated from SEC-1932) said:

StandardPasswordEncoder is an implementation of PBKDF1. PBKDF1 has been superseded by PBKDF2[0].

If StandardPasswordEncoder became an implementation of PBKDF2, applications that currently use StandardPasswordEncoder would break, so I propose creating a new class: PBKDF2PasswordEncoder, or some such.

  1. "PBKDF2 is recommended for new applications; PBKDF1 is included only for compatibility with existing applications, and is not recommended for new applications." -- http://tools.ietf.org/html/rfc2898
Clemens Fuchslocher said:

PBKDF2 support was also added to the SecretKeyFactory of Java 6: Java 6 Security Enhancements.

import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

char[] password = "12345678".toCharArray();
byte[] salt = BinTools.hex2bin("5149C23A6263BAA1"); // BinTools: third-party hex helper used here, not part of the JDK
int iterations = 1000;

try {
    // 160 = derived key length in bits (the output size of HMAC-SHA1)
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 160);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    SecretKey key = factory.generateSecret(spec);
    spec.clearPassword(); // scrub the password copy held inside the spec
    String hash = BinTools.bin2hex(key.getEncoded());

    System.out.println(hash);
} catch (Throwable t) {
    ...
}

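A minimal PBKDF2 password encoder in the shape proposed above (random per-user salt, stored with the derived key, and a constant-time check), built on the same SecretKeyFactory API shown in the previous comment. This is an added example, not code from this issue or Spring Security's eventual PBKDF2PasswordEncoder; the class name Pbkdf2Example, the 8-byte salt, the base64(salt || key) storage format and the 1000-iteration count are assumptions of the example, and java.util.Base64 needs Java 8 or later.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Illustrative encoder (hypothetical class, not Spring Security's PBKDF2PasswordEncoder).
// Stored form is base64(salt || derivedKey), so the per-user salt travels with the
// hash and matches() can re-derive the key with the same parameters.
public final class Pbkdf2Example {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA1";
    private static final int SALT_BYTES = 8;
    private static final int KEY_BITS = 160;     // HMAC-SHA1 output size
    private static final int ITERATIONS = 1000;  // constructed value; raise for production use
    private static final SecureRandom RNG = new SecureRandom();

    public static String encode(CharSequence rawPassword) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                     // fresh random salt per password
        byte[] key = derive(rawPassword, salt);
        byte[] out = new byte[salt.length + key.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(key, 0, out, salt.length, key.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public static boolean matches(CharSequence rawPassword, String encoded) {
        byte[] stored = Base64.getDecoder().decode(encoded);
        if (stored.length != SALT_BYTES + KEY_BITS / 8) return false;  // malformed record
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        byte[] expected = Arrays.copyOfRange(stored, SALT_BYTES, stored.length);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected, derive(rawPassword, salt));
    }

    private static byte[] derive(CharSequence rawPassword, byte[] salt) {
        char[] chars = rawPassword.toString().toCharArray();
        PBEKeySpec spec = new PBEKeySpec(chars, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword();                // scrub both in-memory copies of the password
            Arrays.fill(chars, '\0');
        }
    }
}
```

Calling encode twice on the same password yields different strings because of the random salt, while matches succeeds against either of them.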
Pavel Shchegolevatykh said:

We surely need this feature. By the way, here is another implementation of PBKDF2 in Java, at the bottom of this article: http://crackstation.net/hashing-security.htm

Rob Worsnop said:

I have submitted a pull request for this: #51

spring-projects-issues added the "in: crypto" (An issue in spring-security-crypto) and "type: jira" (An issue that was migrated from JIRA) labels Feb 5, 2016
spring-projects-issues added this to the 4.0 Backlog milestone Feb 5, 2016
rwinch modified the milestones: 4.1.0 RC2, 4.0 Backlog Apr 12, 2016
rwinch self-assigned this Apr 12, 2016
rwinch pushed a commit that referenced this issue Apr 12, 2016
 - Also moved some logic into a new class, AbstractPasswordEncoder.
Both PBKDF2PasswordEncoder and the now-simplified
StandardPasswordEncoder extend AbstractPasswordEncoder.
 - Added tests for PBKDF2PasswordEncoder

Issue gh-2158
rwinch closed this as completed in 95a3e30 Apr 12, 2016