Posted to user@shiro.apache.org by Philip Whitehouse <ph...@whiuk.com> on 2018/03/28 01:01:10 UTC
Improving support/documentation for stronger hash algorithms
Hi Shiro Users,
I’ve got a few questions on password hashing and migration.
Looking at the docs:
https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/crypto/hash/SimpleHash.html
indicates support for a number of hash algorithms.
Of these, MD2 and MD5 are definitely broken and SHA1 is pretty broken. I
think we should probably remove "While most applications are ok with
either of these two," from the docs at this point.
Has anyone looked at using stronger hash algorithms? (i.e. BLAKE2). Is it
simply a case of making use of a library like Bouncy Castle to ?
In terms of key derivation functions (PBKDF, Argon2, crypt, scrypt) is
there any support in Shiro / work on supporting it? Currently it looks
like the only support is for iterations in constructing a hash.
I’m assuming migration between hash functions is something that would
have to be implemented outside Shiro.
If it’s just a Bouncy Castle requirement would it be worth updating the
https://shiro.apache.org/cryptography-features.html page to add
documentation on how to integrate with Bouncy Castle, rather than list
MD5 and SHA-1 as core features.
Thanks in advance,
Best regards,
Philip Whitehouse
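The migration step Philip expects to live outside Shiro (a verify-then-rehash flow that moves existing salted, iterated SHA-1 records onto a proper KDF at the user's next successful login) looks like the following. This is an added, language-agnostic illustration in Python, not code from Shiro or from anyone on this thread. It assumes a constructed legacy layout (digest(salt || password), re-digested for the remaining iterations), a self-describing record string `scheme$iterations$salt_hex$hash_hex`, PBKDF2-HMAC-SHA256 as the target KDF because it is in every JDK and Python standard library, and constructed policy constants (600,000 iterations, 16-byte salt); none of these are claims about Shiro's own SimpleHash output or configuration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy for new records (constructed values; tune to your latency budget).
PBKDF2_SCHEME = "pbkdf2-sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Legacy scheme assumed for existing records: salted, iterated SHA-1.
# The byte layout below is an assumption for this example, not a claim
# about how any particular library lays out its simple hash.
LEGACY_SCHEME = "legacy-sha1"


def legacy_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Assumed legacy layout: sha1(salt || password), then re-digest iterations-1 times."""
    digest = hashlib.sha1(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def pbkdf2_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the KDF used for all new and upgraded records."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def encode_record(scheme: str, iterations: int, salt: bytes, digest: bytes) -> str:
    """Self-describing record, so the verifier knows which scheme and parameters to apply."""
    return f"{scheme}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    return scheme, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def scheme_of(record: str) -> str:
    return parse_record(record)[0]


def new_record(password: bytes) -> str:
    """Create a fresh record under the current policy with a random per-user salt."""
    salt = os.urandom(SALT_BYTES)
    return encode_record(PBKDF2_SCHEME, PBKDF2_ITERATIONS, salt,
                         pbkdf2_hash(password, salt, PBKDF2_ITERATIONS))


def verify_and_upgrade(record: str, password: bytes) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, replacement). `replacement` is a new record the caller must
    persist when the password was correct but the stored record is below
    policy (legacy algorithm, or too few PBKDF2 iterations). Login is the only
    moment the plaintext is available, so it is the only place a transparent
    upgrade can happen; records of users who never log in stay legacy.
    """
    scheme, iterations, salt, digest = parse_record(record)
    if scheme == PBKDF2_SCHEME:
        candidate = pbkdf2_hash(password, salt, iterations)
        below_policy = iterations < PBKDF2_ITERATIONS
    elif scheme == LEGACY_SCHEME:
        candidate = legacy_hash(password, salt, iterations)
        below_policy = True
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    # Constant-time comparison so timing does not reveal how many bytes matched.
    ok = hmac.compare_digest(candidate, digest)
    if ok and below_policy:
        return True, new_record(password)
    return ok, None


if __name__ == "__main__":
    # Constructed example: a user whose record predates the PBKDF2 policy.
    salt = os.urandom(SALT_BYTES)
    old = encode_record(LEGACY_SCHEME, 1024, salt, legacy_hash(b"correct horse", salt, 1024))
    ok, upgraded = verify_and_upgrade(old, b"correct horse")
    print(ok, scheme_of(upgraded))
```

Because the record carries its own scheme and iteration count, the same path later raises the PBKDF2 work factor (or moves to Argon2 or scrypt) without a second migration mechanism; a report of how many records still carry the legacy scheme is then a simple count over the store and tells you when the old algorithm can be removed from the verifier entirely.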
Re: Improving support/documentation for stronger hash algorithms
Posted by Brian Demers <br...@gmail.com>.
+1 We should probably mark the older ones deprecated as well
On Tue, Mar 27, 2018 at 9:01 PM, Philip Whitehouse <ph...@whiuk.com> wrote:
> Hi Shiro Users,
>
> I’ve got a few questions on password hashing and migration.
>
> Looking at the docs: https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/crypto/hash/SimpleHash.html
> indicates support for a number of hash algorithms.
>
> Of these, MD2 and MD5 are definitely broken and SHA1 is pretty broken. I
> think we should probably remove "While most applications are ok with either
> of these two," from the docs at this point.
>
> Has anyone looked at using stronger hash algorithms? (i.e. BLAKE2). Is it
> simply a case of making use of a library like Bouncy Castle to ?
>
> In terms of key derivation functions (PBKDF, Argon2, crypt, scrypt) is
> there any support in Shiro / work on supporting it? Currently it looks like
> the only support is for iterations in constructing a hash.
>
> I’m assuming migration between hash functions is something that would have
> to be implemented outside Shiro.
>
> If it’s just a Bouncy Castle requirement would it be worth updating the
> https://shiro.apache.org/cryptography-features.html page to add
> documentation on how to integrate with Bouncy Castle, rather than list MD5
> and SHA-1 as core features.
>
> Thanks in advance,
>
> Best regards,
> Philip Whitehouse
>