From 421dd538b2d34e7c24a5b72cc64dc2b9167db40a Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 24 Oct 2023 23:52:46 +0200 Subject: [PATCH] Change default hash algorithm and iteration's for PBKDF2 to prevent weak security by using the default configuration. --- grunt/config/modularize.js | 2 +- src/pbkdf2.js | 10 +++++----- test/pbkdf2-test.js | 28 ++++++++++++++-------------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/grunt/config/modularize.js b/grunt/config/modularize.js index 15b8ecb..33218ee 100644 --- a/grunt/config/modularize.js +++ b/grunt/config/modularize.js @@ -91,7 +91,7 @@ module.exports = { }, "pbkdf2": { "exports": "CryptoJS.PBKDF2", - "components": ["core", "sha1", "hmac", "pbkdf2"] + "components": ["core", "sha256", "hmac", "pbkdf2"] }, "evpkdf": { "exports": "CryptoJS.EvpKDF", diff --git a/src/pbkdf2.js b/src/pbkdf2.js index 15a1cfd..92ecf6b 100644 --- a/src/pbkdf2.js +++ b/src/pbkdf2.js @@ -5,7 +5,7 @@ var Base = C_lib.Base; var WordArray = C_lib.WordArray; var C_algo = C.algo; - var SHA1 = C_algo.SHA1; + var SHA256 = C_algo.SHA256; var HMAC = C_algo.HMAC; /** @@ -16,13 +16,13 @@ * Configuration options. * * @property {number} keySize The key size in words to generate. Default: 4 (128 bits) - * @property {Hasher} hasher The hasher to use. Default: SHA1 - * @property {number} iterations The number of iterations to perform. Default: 1 + * @property {Hasher} hasher The hasher to use. Default: SHA256 + * @property {number} iterations The number of iterations to perform. Default: 250000 */ cfg: Base.extend({ keySize: 128/32, - hasher: SHA1, - iterations: 1 + hasher: SHA256, + iterations: 250000 }), /** diff --git a/test/pbkdf2-test.js b/test/pbkdf2-test.js index e187008..c15f569 100644 --- a/test/pbkdf2-test.js +++ b/test/pbkdf2-test.js @@ -5,59 +5,59 @@ YUI.add('algo-pbkdf2-test', function (Y) { name: 'PBKDF2', testKeySize128: function () { - Y.Assert.areEqual('cdedb5281bb2f801565a1122b2563515', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 128/32 }).toString()); + Y.Assert.areEqual('62929ab995a1111c75c37bc562261ea3', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 128/32 }).toString()); }, testKeySize256: function () { - Y.Assert.areEqual('cdedb5281bb2f801565a1122b25635150ad1f7a04bb9f3a333ecc0e2e1f70837', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 256/32 }).toString()); + Y.Assert.areEqual('62929ab995a1111c75c37bc562261ea3fb3cdc7e725c4ca87c03cec5bb7663e1', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 256/32 }).toString()); }, testKeySize128Iterations2: function () { - Y.Assert.areEqual('01dbee7f4a9e243e988b62c73cda935d', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 128/32, iterations: 2 }).toString()); + Y.Assert.areEqual('262fb72ea65b44ab5ceba7f8c8bfa781', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 128/32, iterations: 2 }).toString()); }, testKeySize256Iterations2: function () { - Y.Assert.areEqual('01dbee7f4a9e243e988b62c73cda935da05378b93244ec8f48a99e61ad799d86', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 256/32, iterations: 2 }).toString()); + Y.Assert.areEqual('262fb72ea65b44ab5ceba7f8c8bfa7815ff9939204eb7357a59a75877d745777', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 256/32, iterations: 2 }).toString()); }, testKeySize128Iterations1200: function () { - Y.Assert.areEqual('5c08eb61fdf71e4e4ec3cf6ba1f5512b', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 128/32, iterations: 1200 }).toString()); + Y.Assert.areEqual('c76a982415f1acc71dc197273c5b6ada', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 128/32, iterations: 1200 }).toString()); }, testKeySize256Iterations1200: function () { - Y.Assert.areEqual('5c08eb61fdf71e4e4ec3cf6ba1f5512ba7e52ddbc5e5142f708a31e2e62b1e13', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 256/32, iterations: 1200 }).toString()); + Y.Assert.areEqual('c76a982415f1acc71dc197273c5b6ada32f62915ed461718aad32843762433fa', C.PBKDF2('password', 'ATHENA.MIT.EDUraeburn', { keySize: 256/32, iterations: 1200 }).toString()); }, testKeySize128Iterations5: function () { - Y.Assert.areEqual('d1daa78615f287e6a1c8b120d7062a49', C.PBKDF2('password', C.enc.Hex.parse('1234567878563412'), { keySize: 128/32, iterations: 5 }).toString()); + Y.Assert.areEqual('74e98b2e9eeddaab3113c1efc6d82b07', C.PBKDF2('password', C.enc.Hex.parse('1234567878563412'), { keySize: 128/32, iterations: 5 }).toString()); }, testKeySize256Iterations5: function () { - Y.Assert.areEqual('d1daa78615f287e6a1c8b120d7062a493f98d203e6be49a6adf4fa574b6e64ee', C.PBKDF2('password', C.enc.Hex.parse('1234567878563412'), { keySize: 256/32, iterations: 5 }).toString()); + Y.Assert.areEqual('74e98b2e9eeddaab3113c1efc6d82b073c4860195b3e0737fa21a4778f376321', C.PBKDF2('password', C.enc.Hex.parse('1234567878563412'), { keySize: 256/32, iterations: 5 }).toString()); }, testKeySize128Iterations1200PassPhraseEqualsBlockSize: function () { - Y.Assert.areEqual('139c30c0966bc32ba55fdbf212530ac9', C.PBKDF2('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'pass phrase equals block size', { keySize: 128/32, iterations: 1200 }).toString()); + Y.Assert.areEqual('c1dfb29a4d2f2fb67c6f78d074d66367', C.PBKDF2('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'pass phrase equals block size', { keySize: 128/32, iterations: 1200 }).toString()); }, testKeySize256Iterations1200PassPhraseEqualsBlockSize: function () { - Y.Assert.areEqual('139c30c0966bc32ba55fdbf212530ac9c5ec59f1a452f5cc9ad940fea0598ed1', C.PBKDF2('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'pass phrase equals block size', { keySize: 256/32, iterations: 1200 }).toString()); + Y.Assert.areEqual('c1dfb29a4d2f2fb67c6f78d074d663671e6fd4da1e598572b1fecf256cb7cf61', C.PBKDF2('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'pass phrase equals block size', { keySize: 256/32, iterations: 1200 }).toString()); }, testKeySize128Iterations1200PassPhraseExceedsBlockSize: function () { - Y.Assert.areEqual('9ccad6d468770cd51b10e6a68721be61', C.PBKDF2('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'pass phrase exceeds block size', { keySize: 128/32, iterations: 1200 }).toString()); + Y.Assert.areEqual('22344bc4b6e32675a8090f3ea80be01d', C.PBKDF2('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'pass phrase exceeds block size', { keySize: 128/32, iterations: 1200 }).toString()); }, testKeySize256Iterations1200PassPhraseExceedsBlockSize: function () { - Y.Assert.areEqual('9ccad6d468770cd51b10e6a68721be611a8b4d282601db3b36be9246915ec82a', C.PBKDF2('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'pass phrase exceeds block size', { keySize: 256/32, iterations: 1200 }).toString()); + Y.Assert.areEqual('22344bc4b6e32675a8090f3ea80be01d5f95126a2cddc3facc4a5e6dca04ec58', C.PBKDF2('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'pass phrase exceeds block size', { keySize: 256/32, iterations: 1200 }).toString()); }, testKeySize128Iterations50: function () { - Y.Assert.areEqual('6b9cf26d45455a43a5b8bb276a403b39', C.PBKDF2(C.enc.Hex.parse('f09d849e'), 'EXAMPLE.COMpianist', { keySize: 128/32, iterations: 50 }).toString()); + Y.Assert.areEqual('44b0781253db3141ac4174af29325818', C.PBKDF2(C.enc.Hex.parse('f09d849e'), 'EXAMPLE.COMpianist', { keySize: 128/32, iterations: 50 }).toString()); }, testKeySize256Iterations50: function () { - Y.Assert.areEqual('6b9cf26d45455a43a5b8bb276a403b39e7fe37a0c41e02c281ff3069e1e94f52', C.PBKDF2(C.enc.Hex.parse('f09d849e'), 'EXAMPLE.COMpianist', { keySize: 256/32, iterations: 50 }).toString()); + Y.Assert.areEqual('44b0781253db3141ac4174af29325818584698d507a79f9879033dec308a2b77', C.PBKDF2(C.enc.Hex.parse('f09d849e'), 'EXAMPLE.COMpianist', { keySize: 256/32, iterations: 50 }).toString()); }, testInputIntegrity: function () {