Welcome to your wiki!

This is the default page, edit it as you see fit. To add a new page simply reference it within brackets, e.g.: [SamplePage].

The wiki uses Markdown syntax.

Discussion

  • Anonymous

    Anonymous - 2012-10-16

    [Generating Crypto Random Salt]

    PWDTK provides a default Salt length of 64 bytes; it is recommended that you use the default salt size, as a salt of this size has a very large address space of possible values.

    To use the default salt size as defined in PWDTK as cDefaultSaltLength, we simply need to call the method:

    PWDTK.GetRandomSalt();

    A Byte[] is returned containing all the randomly generated bytes which form the salt.

    If you wish to specify a salt size of your own, simply call the method:

    PWDTK.GetRandomSalt(SaltLength);

    Where SaltLength is an Int32 value matching the size in bytes you require for your salt. I personally recommend a salt size at least that of cDefaultSaltLength; however, I understand the need may arise to be compatible with existing databases which may have salt set as a varchar(8) or something.


    Last edit: Anonymous 2012-10-16
  • Anonymous

    Anonymous - 2012-10-16

    [Generating a Hash from User Password]

    PWDTK provides two methods to Hash user passwords. The first method:

    PWDTK.PasswordToHash(Salt, Password);

    Simply takes your Byte[] salt, decodes your user input string using UTF8, and then uses the default iteration count specified by cDefaultIterationCount (currently set to 5000 iterations) to perform the PBKDF2 Key Derivation function, generating a Byte[] Hash value which matches the HMACSHA512 output.

    The second method:

    PWDTK.PasswordToHash(Salt, Password, IterationCount);

    Simply performs the exact same tasks as the method above but you supply the iteration count for the PBKDF2 function rather than let PWDTK use cDefaultIterationCount.

    Note: I recommend setting the iteration count such that generating a hash value takes around 500ms on your hardware. This will obviously change if you have a high volume of user authentication as you will need to be able to process all the authentication requests within a reasonable time frame.


    Last edit: Anonymous 2012-10-16
  • Anonymous

    Anonymous - 2012-10-16

    [Comparing stored Hash value to supplied User Password]

    PWDTK provides two methods to compare Hash values. The first method:

    PWDTK.ComparePasswordToHash(Salt, Password, Hash)

    Simply takes your Byte[] Salt and your User Input Password String and lastly your Byte[] Hash value that you store in your database or config file etc.
    This method converts the User Input Password String into a decoded UTF8 Byte[] and then hashes that Byte[] using the PBKDF2 function over cDefaultIterationCount. The output is compared to the Hash parameter; if there is a match it returns the boolean true, else it returns false.

    Note: You will only use this method if you used the method PasswordToHash(Salt, Password).

    The second method:

    PWDTK.ComparePasswordToHash(Salt, Password, Hash, IterationCount)

    Simply performs exactly as per the method above, however rather than using cDefaultIterationCount for the PBKDF2 function you are supplying the exact iteration count that has been tuned for your hardware.
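The salt, hash and compare operations described across the three posts above, together with the "tune to about 500ms" advice, as an added Python example that is not PWDTK's own code (the function and constant names are assumptions; the 64-byte salt, PBKDF2-HMAC-SHA512 and the 5000-iteration default mirror what the posts state):

```python
import hashlib
import hmac
import os
import time

# Defaults as described in the discussion (cDefaultSaltLength = 64,
# cDefaultIterationCount = 5000). Names are assumptions, not PWDTK's API.
DEFAULT_SALT_LENGTH = 64
DEFAULT_ITERATION_COUNT = 5000
HASH_LENGTH = 64  # HMAC-SHA512 output size in bytes


def get_random_salt(salt_length: int = DEFAULT_SALT_LENGTH) -> bytes:
    """Salt bytes from the OS CSPRNG; a short salt shrinks the address space."""
    if salt_length <= 0:
        raise ValueError("salt length must be positive")
    return os.urandom(salt_length)


def password_to_hash(salt: bytes, password: str,
                     iteration_count: int = DEFAULT_ITERATION_COUNT) -> bytes:
    """PBKDF2-HMAC-SHA512 over the UTF-8 encoding of the password."""
    if iteration_count < 1:
        raise ValueError("iteration count must be at least 1")
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iteration_count, dklen=HASH_LENGTH)


def compare_password_to_hash(salt: bytes, password: str, stored_hash: bytes,
                             iteration_count: int = DEFAULT_ITERATION_COUNT) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    candidate = password_to_hash(salt, password, iteration_count)
    # compare_digest does not stop at the first differing byte, so the
    # comparison time reveals nothing about how much of the hash matched.
    return hmac.compare_digest(candidate, stored_hash)


def tune_iteration_count(target_seconds: float = 0.5,
                         probe_iterations: int = DEFAULT_ITERATION_COUNT) -> int:
    """Iteration count that makes one hash take about target_seconds on this host.
    PBKDF2 cost is linear in iterations, so one timed probe is enough; the result
    is rounded down to a multiple of 1000 and never below the library default."""
    start = time.perf_counter()
    password_to_hash(get_random_salt(), "timing-probe", probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    estimate = int(probe_iterations * target_seconds / elapsed)
    return max(DEFAULT_ITERATION_COUNT, estimate - estimate % 1000)
```

Store the salt and the tuned iteration count alongside each hash, because verification must re-run PBKDF2 with exactly the values used at hashing time.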
