Password hashing has come a long way.
The task is straightforward. You'll be given a password, some salt (watch out, it comes base64 encoded, because in this case salt - for extra high entropy - is basically just
/dev/urandom bytes), and some algorithms-specific parameters.
Your job is to calculate the required
PBKDF-SHA256 and finally
There's a secret step here, though you won't get points for it and the reward is englightenment itself: realize how each step uses the previous one on the way to the final result.
Problem JSON structure is:
password: the password you'll operate on
salt: the salt we'll use - also user as a
secretwhere necessary; keep in mind it comes base64 encoded - decode for the raw bytes
hash: the digest to use
rounds: the number of rounds to use
N: the N parameter for scrypt's
p: the parallelization parameter
r: the blocksize parameter
buflen: intended output length in octets
_control: example scrypt calculated for
Your solution should be a JSON with the following keys:
sha256: the calculated
hmac: the calculated
pbkdf2: the calculated
scrypt: finally, the calculated
Send all values in
md5('foo') -> 7ddd5f60c97d589b0becc3c55d6afd25.
Password hashing really has come a long way. There were times when a salt would be appended to the password, the result treated with MD5 and everything was fine. Times have changed, but some things remain confusing until you take a deeper look.
This challenge proposes a path - first, understand what a SHA256 is. It's a hash in the purest meaning of the word. Even better, it's a cryptographic hash, meaning it has a few useful properties.
Then, look into what an
HMAC is. The inner workings are so simple you can even grasp the idea by looking at the pseudocode.
Once you've got that down, it's time to discover the concept of a key deriviation function. From there on, into the beautiful world of trying to make those algorithms unfeasible to brute force.
h^by buying me a coffee. Cheers!
h^profile is here.