15 points
Password hashing has come a long way.
The task is straightforward. You'll be given a password, some salt (watch out, it comes base64 encoded, because in this case salt - for extra high entropy - is basically just /dev/urandom
bytes), and some algorithms-specific parameters.
Your job is to calculate the required SHA256
, HMAC-SHA256
, PBKDF-SHA256
and finally scrypt
.
There's a secret step here, though you won't get points for it and the reward is englightenment itself: realize how each step uses the previous one on the way to the final result.
GET /challenges/password_hashing/problem?access_token=...
Problem JSON structure is:
password
: the password you'll operate onsalt
: the salt we'll use - also user as a secret
where necessary; keep in mind it comes base64 encoded - decode for the raw bytespbkdf2
:
hash
: the digest to userounds
: the number of rounds to usescrypt
:
N
: the N parameter for scrypt's KDF
p
: the parallelization parameterr
: the blocksize parameterbuflen
: intended output length in octets_control
: example scrypt calculated for password="rosebud"
, salt="pepper"
, N=128
, p=8
, n=4
POST /challenges/password_hashing/solve?access_token=...
Your solution should be a JSON with the following keys:
sha256
: the calculated SHA256
hmac
: the calculated HMAC-SHA256
pbkdf2
: the calculated PBKDF2
digestscrypt
: finally, the calculated scrypt
valueSend all values in
hexlified
form, e.g.md5('foo') -> 7ddd5f60c97d589b0becc3c55d6afd25
.
Password hashing really has come a long way. There were times when a salt would be appended to the password, the result treated with MD5 and everything was fine. Times have changed, but some things remain confusing until you take a deeper look.
This challenge proposes a path - first, understand what a SHA256 is. It's a hash in the purest meaning of the word. Even better, it's a cryptographic hash, meaning it has a few useful properties.
Then, look into what an HMAC
is. The inner workings are so simple you can even grasp the idea by looking at the pseudocode.
Once you've got that down, it's time to discover the concept of a key deriviation function. From there on, into the beautiful world of trying to make those algorithms unfeasible to brute force.
h^
by buying me a coffee. Cheers!h^
profile is here.