Improving support/documentation for stronger hash algorithms

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Improving support/documentation for stronger hash algorithms

Philip Whitehouse
Hi Shiro Users,

I’ve got a few questions on password hashing and migration.

Looking at the docs:
https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/crypto/hash/SimpleHash.html 
indicates support for a number of hash algorithms.

Of these, MD2 and MD5 are definitely broken and SHA1 is pretty broken. I
think we should probably remove "While most applications are ok with
either of these two,” from the docs at this point.

Has anyone looked at using stronger hash algorithms? (i.e BLAKE2). Is it
simply a case of making use of a library like Bouncy Castle to ?

In terms of key derivation functions (PKBDF, Argon2, crypt, scrypt) is
there any support in Shiro / work on supporting it? Currently it looks
like the only support is for iterations in constructing a hash.

I’m assuming migration between hash functions is something that would
have to be implemented outside Shiro.

If it’s just a Bouncy Castle requirement would it be worth updating the
https://shiro.apache.org/cryptography-features.html page to add
documentation on how to integrate with Bouncy Castle, rather than list
MD5 and SHA-1 as core features.

Thanks in advance,

Best regards,
Philip Whitehouse
Reply | Threaded
Open this post in threaded view
|

Re: Improving support/documentation for stronger hash algorithms

Brian Demers
+1 We should probably mark the older ones deprecated as well

On Tue, Mar 27, 2018 at 9:01 PM, Philip Whitehouse <[hidden email]> wrote:
Hi Shiro Users,

I’ve got a few questions on password hashing and migration.

Looking at the docs: https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/crypto/hash/SimpleHash.html indicates support for a number of hash algorithms.

Of these, MD2 and MD5 are definitely broken and SHA1 is pretty broken. I think we should probably remove "While most applications are ok with either of these two,” from the docs at this point.

Has anyone looked at using stronger hash algorithms? (i.e BLAKE2). Is it simply a case of making use of a library like Bouncy Castle to ?

In terms of key derivation functions (PKBDF, Argon2, crypt, scrypt) is there any support in Shiro / work on supporting it? Currently it looks like the only support is for iterations in constructing a hash.

I’m assuming migration between hash functions is something that would have to be implemented outside Shiro.

If it’s just a Bouncy Castle requirement would it be worth updating the https://shiro.apache.org/cryptography-features.html page to add documentation on how to integrate with Bouncy Castle, rather than list MD5 and SHA-1 as core features.

Thanks in advance,

Best regards,
Philip Whitehouse