Another security question

Frank Millman frank at chagford.com
Sat Dec 24 03:43:32 EST 2016


"Steve D'Aprano"  wrote in message 
news:585d57d5$0$1587$c3e8da3$5496439d at news.astraweb.com...
>
> There is a stdlib PBKDF2. If you want to avoid third-party dependencies, 
> use that.
>
> https://docs.python.org/3.4/library/hashlib.html#hashlib.pbkdf2_hmac
>

Thanks for the pointer.

>From the docs - 15.1.3. Key derivation -
"The number of iterations should be chosen based on the hash algorithm and 
computing power. As of 2013, at least 100,000 iterations of SHA-256 are 
suggested."

So FWIW, this is what I have come up with -

from hashlib import pbkdf2_hmac as kdf
from secrets import token_bytes
from json import loads, dumps

def gen_password(pwd):
    hash_name = 'sha256'
    salt = token_bytes(16)
    iterations = 100000
    dk = kdf(hash_name, pwd.encode('utf-8'), salt, iterations)
    return dumps([hash_name, salt.hex(), iterations, dk.hex()])

def chk_password(pwd_hash, pwd):
    hash_name, salt, iterations, dk = loads(pwd_hash)
    return (kdf(hash_name, pwd.encode('utf-8'), bytes.fromhex(salt), 
iterations)
        == bytes.fromhex(dk))

pwd = 'this is my secret passphrase'

pwd_hash = gen_password(pwd)
print(pwd_hash)
print(chk_password(pwd_hash, pwd))

["sha256", "2cd1150b98dab7219136c8deceda00e3", 100000, 
"6301857d79554c3e2035fc779e4903f098ba2df36536028b72952426a5773f0a"]
True

I know that 'rolling your own' is a no-no when it comes to security. I don't 
know whether this falls into that category or not, but I will run with it 
for now.

Frank




More information about the Python-list mailing list