Password hashing has come a long way.
The task is straightforward. You'll be given a password, some salt (watch out, it comes base64 encoded, because in this case salt - for extra high entropy - is basically just
/dev/urandom bytes), and some algorithms-specific parameters.
Your job is to calculate the required
PBKDF-SHA256 and finally
There's a secret step here, though you won't get points for it and the reward is englightenment itself: realize how each step uses the previous one on the way to the final result.
Problem JSON structure is:
password: the password you'll operate on
salt: the salt we'll use - also user as a
secretwhere necessary; keep in mind it comes base64 encoded - decode for the raw bytes
hash: the digest to use
rounds: the number of rounds to use
N: the N parameter for scrypt's
p: the parallelization parameter
r: the blocksize parameter
buflen: intended output length in octets
_control: example scrypt calculated for
Your solution should be a JSON with the following keys:
sha256: the calculated
hmac: the calculated
pbkdf2: the calculated
scrypt: finally, the calculated
Send all values in
md5('foo') -> 7ddd5f60c97d589b0becc3c55d6afd25.
Password hashing really has come a long way. There were times when a salt would be appended to the password, the result treated with MD5 and everything was fine. Times have changed, but some things remain confusing until you take a deeper look.
This challenge proposes a path - first, understand what a SHA256 is. It's a hash in the purest meaning of the word. Even better, it's a cryptographic hash, meaning it has a few useful properties.
Then, look into what an
HMAC is. The inner workings are so simple you can even grasp the idea by looking at the pseudocode.