
Author Topic: [SOLVED] DCPcrypt - PBKDF2 - Storing passwords in DB  (Read 9485 times)

Zoran

  • Hero Member
  • *****
  • Posts: 1988
    • http://wiki.lazarus.freepascal.org/User:Zoran
[SOLVED] DCPcrypt - PBKDF2 - Storing passwords in DB
« on: June 22, 2015, 12:17:39 pm »
I have a Java application which stores passwords in database encrypted with PBKDF2 and SHA-1. Actually, I used the function "getEncryptedPassword" shown on this page: http://blog.jerryorr.com/2012/05/secure-password-storage-lots-of-donts.html#example
The encrypted password and salt are stored in database.

Now I need FPC application to log in to same database using same usernames and passwords. Therefore, I need to read Salt stored in DB, encrypt the password provided by the user the same way and then compare the encrypted password with the one stored in db.

The DCPcrypt wiki page links to PBKDF2 implementation based on DCPcrypt: http://keit.co/p/dcpcrypt-hmac-rfc2104/
Even PBKDF2 Wikipedia page links to same page as "Delphi/Free Pascal implementation".

I downloaded DCPcrypt package and copied the code from the mentioned page. Now I don't know how to properly use the PBKDF2 function from that page - it is declared this way:
Code:
function PBKDF2(pass, salt: ansistring; count, kLen: Integer; hash: TDCP_hashclass): ansistring;
I believe I should call it this way:
Code:
uses
  ..., DCPsha1;

...
var
  Pass, Salt, DKey: String;
...
  // count and key length copied from the Java example above
  DKey := PBKDF2(Pass, Salt, 20000, 160, TDCP_sha1);
Where Pass is variable of type String which has the password provided by the user, count of 20000 and key length of 160 are what is used in Java function mentioned above and TDCP_sha1 is the class from DCPcrypt package (unit DCPsha1), which represents SHA-1 algorithm used in Java function.

Now, I do not know how to use Salt, which in the Java function getEncryptedPassword is declared as byte[] (that would be an array of ShortInt in FPC, as the Java type byte is signed, unlike the Pascal type Byte, so Java byte maps to Pascal ShortInt).

I read the salt from the DB and I have an array of ShortInt. How should I make the String to use with the PBKDF2 Pascal function?
« Last Edit: June 24, 2015, 11:25:37 am by Zoran »
Swan, ZX Spectrum emulator https://github.com/zoran-vucenovic/swan

jc99

  • Hero Member
  • *****
  • Posts: 553
    • My private Site
Re: DCPcrypt - PBKDF2 - Storing passwords in DB
« Reply #1 on: June 22, 2015, 06:57:06 pm »
Could you try an example:
Enter a password in your java app and then look into the DB.
Often the salt-value is a string, which consists of the username and/or a random number. 
OS: Win XP x64, Win 7, Win 7 x64, Win 10, Win 10 x64, Suse Linux 13.2
Laz: 1.4 - 1.8.4, 2.0
https://github.com/joecare99/public
'~|    /''
,_|oe \_,are
If you want to do something for the environment: Twitter: #reduceCO2 or
https://www.betterplace.me/klimawandel-stoppen-co-ueber-preis-reduzieren

Zoran

  • Hero Member
  • *****
  • Posts: 1988
    • http://wiki.lazarus.freepascal.org/User:Zoran
Re: DCPcrypt - PBKDF2 - Storing passwords in DB
« Reply #2 on: June 22, 2015, 07:19:13 pm »
Could you try an example:
Enter a password in your java app and then look into the DB.
Often the salt-value is a string, which consists of the username and/or a random number.

In Java, the salt value is a byte array (which means Array of ShortInt in Pascal) of length 8.
In Java I saved this array in the DB. Now I read it in FPC from the same DB and I have this array in my Pascal code. I do not know how to use it with the Pascal function PBKDF2, which expects a String. I tried to cast each value to Char and make a String of it, but it does not work. Now I have no idea.
Swan, ZX Spectrum emulator https://github.com/zoran-vucenovic/swan

Zoran

  • Hero Member
  • *****
  • Posts: 1988
    • http://wiki.lazarus.freepascal.org/User:Zoran
Re: [SOLVED] DCPcrypt - PBKDF2 - Storing passwords in DB
« Reply #3 on: June 24, 2015, 11:31:03 am »
Thanks to Maciej Kaczkowski from Keit, I finally managed to do it.
I tried to cast each value to Char and make a String of it, but it does not work.
This is actually the correct way to do it.

My problem was the key value, which in the Java function was in bits, and the Pascal implementation expects bytes, so the value used in the Java example has to be divided by 8 to be used in the PBKDF2 function from Keit.
« Last Edit: June 24, 2015, 11:33:28 am by Zoran »
Swan, ZX Spectrum emulator https://github.com/zoran-vucenovic/swan
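The two interop points settled in this thread (the Java byte[] salt has to be taken as raw unsigned bytes, and the key length has to be given in bytes, not bits) can be checked against a reference implementation before touching the Pascal side. The following is an added example, not code from the thread, from Keit, or from DCPcrypt: it uses Python's standard-library PBKDF2-HMAC-SHA1 with the parameters named in the first post (20000 iterations, 160-bit key) and a constructed 8-byte salt. The function and variable names are mine; the stored-record layout is an assumption.

```python
import hashlib
import hmac

# Parameters the thread's Java getEncryptedPassword uses (taken from the first
# post): PBKDF2 with HMAC-SHA1, 20000 iterations, a 160-bit derived key.
ITERATIONS = 20000
KEY_LENGTH_BITS = 160                      # what the Java API takes
KEY_LENGTH_BYTES = KEY_LENGTH_BITS // 8    # what the Pascal PBKDF2's kLen expects


def java_bytes_to_raw(signed_values):
    """Turn a Java byte[] (values -128..127, Pascal ShortInt) into raw bytes.

    This is the byte-level equivalent of casting each value to AnsiChar and
    appending it to an AnsiString: the bit pattern is kept, the sign is dropped.
    """
    return bytes(v & 0xFF for v in signed_values)


def derive_key(password, salt, key_length_bytes=KEY_LENGTH_BYTES):
    """PBKDF2-HMAC-SHA1, the same derivation the Java side stores in the DB."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, key_length_bytes)


def verify_password(candidate, stored_salt_signed, stored_key):
    """Re-derive from the stored salt and compare in constant time."""
    salt = java_bytes_to_raw(stored_salt_signed)
    return hmac.compare_digest(derive_key(candidate, salt), stored_key)


# Constructed sample data (not from the thread): an 8-byte salt exactly as a
# Java byte[] would present it, i.e. with values above 127 showing up negative.
SAMPLE_SALT_SIGNED = [-1, 0, 127, -128, 17, -42, 99, 5]
SAMPLE_PASSWORD = "correct horse battery staple"


def stored_record():
    """What the Java application would have written into the DB for the sample."""
    salt = java_bytes_to_raw(SAMPLE_SALT_SIGNED)
    return SAMPLE_SALT_SIGNED, derive_key(SAMPLE_PASSWORD, salt)


def key_length_mismatch():
    """Reproduce the thread's bug: passing the bit count (160) as a byte count.

    Returns (correct_len, wrong_len, prefix_matches). PBKDF2 output is built
    block by block, so the 160-byte key starts with the 20-byte key; the
    lengths differ, so a byte-for-byte comparison with the stored value fails.
    """
    salt = java_bytes_to_raw(SAMPLE_SALT_SIGNED)
    correct = derive_key(SAMPLE_PASSWORD, salt, KEY_LENGTH_BYTES)
    wrong = derive_key(SAMPLE_PASSWORD, salt, KEY_LENGTH_BITS)
    return len(correct), len(wrong), wrong[:len(correct)] == correct


if __name__ == "__main__":
    salt_signed, key = stored_record()
    print("salt as raw bytes:", java_bytes_to_raw(salt_signed).hex())
    print("stored key (20 bytes):", key.hex())
    print("login with right password:", verify_password(SAMPLE_PASSWORD, salt_signed, key))
    print("login with wrong password:", verify_password("wrong", salt_signed, key))
    print("bits-as-bytes (len ok, len wrong, prefix equal):", key_length_mismatch())
```

Running the script against a row produced by the real Java application (salt and stored key read from the DB) is a quick way to confirm the Pascal port is reading the same bytes and using the same kLen before debugging the Pascal code itself; the comparison is done with a constant-time compare so the check does not leak how many leading bytes matched.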

Thaddy

  • Hero Member
  • *****
  • Posts: 18924
  • Glad to be alive.
Re: [SOLVED] DCPcrypt - PBKDF2 - Storing passwords in DB
« Reply #4 on: June 24, 2015, 12:03:10 pm »
Actually it's not correct to cast to char. You should cast to AnsiChar or WideChar explicitly. In this case it's byte-based, so AnsiChar.
Recovered from removal of tumor in tongue following tongue reconstruction with a part from my leg.

Zoran

  • Hero Member
  • *****
  • Posts: 1988
    • http://wiki.lazarus.freepascal.org/User:Zoran
Re: [SOLVED] DCPcrypt - PBKDF2 - Storing passwords in DB
« Reply #5 on: June 24, 2015, 12:31:46 pm »
Actually it's not correct to cast to char. You should cast to AnsiChar or WideChar explicitly. In this case it's byte-based, so AnsiChar.

It should be one-byte AnsiChar, but Char is alias for AnsiChar, isn't it?
Swan, ZX Spectrum emulator https://github.com/zoran-vucenovic/swan

Maciej Kaczkowski

  • New Member
  • *
  • Posts: 31
    • Password Recovery Software
Re: [SOLVED] DCPcrypt - PBKDF2 - Storing passwords in DB
« Reply #6 on: June 24, 2015, 06:19:10 pm »
http://www.freepascal.org/docs-html/ref/refsu7.html

"A Char is exactly 1 byte in size, and contains one ASCII character (...) In future versions of FPC, the Char type may become an alias for either WideChar or AnsiChar."

AnsiChar is a better choice.

taazz

  • Hero Member
  • *****
  • Posts: 5368
Re: [SOLVED] DCPcrypt - PBKDF2 - Storing passwords in DB
« Reply #7 on: June 24, 2015, 06:32:00 pm »
http://www.freepascal.org/docs-html/ref/refsu7.html

"A Char is exactly 1 byte in size, and contains one ASCII character (...) In future versions of FPC, the Char type may become an alias for either WideChar or AnsiChar."

AnsiChar is a better choice.

From the page you posted, last line.

Quote
To distinguish Char from WideChar, the system unit also defines the AnsiChar type, which is the same as the char type. In future versions of FPC, the Char type may become an alias for either WideChar or AnsiChar.
Good judgement is the result of experience … Experience is the result of bad judgement.

OS : Windows 7 64 bit
Laz: Lazarus 1.4.4 FPC 2.6.4 i386-win32-win32/win64

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 12765
  • FPC developer.
Re: [SOLVED] DCPcrypt - PBKDF2 - Storing passwords in DB
« Reply #8 on: June 24, 2015, 08:37:52 pm »
With a 3.x version, run:

Code:
{$mode delphiunicode}

begin
  writeln(sizeof(char));
end.
