Posted to user@shiro.apache.org by Philip Whitehouse <ph...@whiuk.com> on 2018/03/28 01:01:10 UTC

Improving support/documentation for stronger hash algorithms

Hi Shiro Users,

I’ve got a few questions on password hashing and migration.

Looking at the docs: 
https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/crypto/hash/SimpleHash.html 
indicates support for a number of hash algorithms.

Of these, MD2 and MD5 are definitely broken and SHA1 is pretty broken. I 
think we should probably remove "While most applications are ok with 
either of these two," from the docs at this point.

Has anyone looked at using stronger hash algorithms? (i.e. BLAKE2). Is it 
simply a case of making use of a library like Bouncy Castle to ?

In terms of key derivation functions (PBKDF, Argon2, crypt, scrypt) is 
there any support in Shiro / work on supporting it? Currently it looks 
like the only support is for iterations in constructing a hash.

I’m assuming migration between hash functions is something that would 
have to be implemented outside Shiro.

If it’s just a Bouncy Castle requirement would it be worth updating the 
https://shiro.apache.org/cryptography-features.html page to add 
documentation on how to integrate with Bouncy Castle, rather than list 
MD5 and SHA-1 as core features.

Thanks in advance,

Best regards,
Philip Whitehouse
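
One way to do the migration the post assumes has to live outside Shiro, as an added example (not Shiro's own code, and not from the poster): a custom `CredentialsMatcher` that verifies a legacy salted, iterated SHA-256 `SimpleHash` record and, on a successful login, rewrites the stored record with PBKDF2-HMAC-SHA256 from the JDK. PBKDF2 is used here because it needs no extra library; Argon2 and scrypt would need a provider such as Bouncy Castle. The record format (`scheme:salt:iterations:digest`), the `RecordStore` callback, the `MigratingCredentialsMatcher` class name and the iteration count are all assumptions of this example, not Shiro conventions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.hash.SimpleHash;

/**
 * Hypothetical matcher (example code, not part of Shiro). Stored credentials are
 * strings in a constructed format "<scheme>:<hex salt>:<iterations>:<hex digest>",
 * where scheme is "sha256" (a legacy SimpleHash record) or "pbkdf2-sha256"
 * (PBKDF2WithHmacSHA256 from the JDK). A legacy record that verifies is
 * immediately re-written as a PBKDF2 record, because the plaintext password is
 * only available at login time.
 */
public class MigratingCredentialsMatcher implements CredentialsMatcher {

    /** Callback supplied by the application to persist the upgraded record. */
    public interface RecordStore {
        void replaceRecord(Object principal, String newRecord);
    }

    private static final String LEGACY = "sha256";
    private static final String MODERN = "pbkdf2-sha256";
    private static final int PBKDF2_ITERATIONS = 100_000; // assumed work factor; tune per deployment
    private static final int SALT_BYTES = 16;
    private static final int DK_BITS = 256;

    private final RecordStore store;
    private final SecureRandom random = new SecureRandom();

    public MigratingCredentialsMatcher(RecordStore store) {
        this.store = store;
    }

    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        if (!(token.getCredentials() instanceof char[])) {
            return false; // only UsernamePasswordToken-style char[] secrets are handled here
        }
        char[] password = (char[]) token.getCredentials();
        String[] parts = ((String) info.getCredentials()).split(":");
        if (parts.length != 4) {
            return false; // malformed record: fail closed
        }
        byte[] salt = Hex.decode(parts[1]);
        int iterations = Integer.parseInt(parts[2]);
        byte[] expected = Hex.decode(parts[3]);

        byte[] actual;
        switch (parts[0]) {
            case LEGACY:
                // reproduce what Shiro's SimpleHash("SHA-256", ...) stored originally
                actual = new SimpleHash("SHA-256", password, salt, iterations).getBytes();
                break;
            case MODERN:
                actual = pbkdf2(password, salt, iterations);
                break;
            default:
                return false; // unknown scheme: fail closed
        }
        // constant-time comparison so timing does not reveal how many bytes matched
        boolean ok = MessageDigest.isEqual(expected, actual);
        if (ok && LEGACY.equals(parts[0])) {
            store.replaceRecord(info.getPrincipals().getPrimaryPrincipal(), newRecord(password));
        }
        return ok;
    }

    /** Builds a fresh PBKDF2 record, used at registration and when migrating a legacy record. */
    public String newRecord(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt); // per-record random salt
        byte[] dk = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        return MODERN + ":" + Hex.encodeToString(salt) + ":" + PBKDF2_ITERATIONS
                + ":" + Hex.encodeToString(dk);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, DK_BITS);
            try {
                return factory.generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword(); // do not leave the password in the spec's buffer
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 is unavailable", e);
        }
    }
}
```

Wire it in as the `credentialsMatcher` of the realm instead of `HashedCredentialsMatcher`. Users who never log in again keep their legacy record, so a deployment that wants a hard cutover still needs a separate policy (forced reset after a deadline); the scheme prefix makes it easy to count how many records are still on the old format.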

Re: Improving support/documentation for stronger hash algorithms

Posted by Brian Demers <br...@gmail.com>.
+1 We should probably mark the older ones deprecated as well

On Tue, Mar 27, 2018 at 9:01 PM, Philip Whitehouse <ph...@whiuk.com> wrote:

> Hi Shiro Users,
>
> I’ve got a few questions on password hashing and migration.
>
> Looking at the docs:
> https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/crypto/hash/SimpleHash.html
> indicates support for a number of hash algorithms.
>
> Of these, MD2 and MD5 are definitely broken and SHA1 is pretty broken. I
> think we should probably remove "While most applications are ok with either
> of these two," from the docs at this point.
>
> Has anyone looked at using stronger hash algorithms? (i.e. BLAKE2). Is it
> simply a case of making use of a library like Bouncy Castle to ?
>
> In terms of key derivation functions (PBKDF, Argon2, crypt, scrypt) is
> there any support in Shiro / work on supporting it? Currently it looks like
> the only support is for iterations in constructing a hash.
>
> I’m assuming migration between hash functions is something that would have
> to be implemented outside Shiro.
>
> If it’s just a Bouncy Castle requirement would it be worth updating the
> https://shiro.apache.org/cryptography-features.html page to add
> documentation on how to integrate with Bouncy Castle, rather than list MD5
> and SHA-1 as core features.
>
> Thanks in advance,
>
> Best regards,
> Philip Whitehouse
>