[Gambas-bugtracker] Bug #1733: gb.openssl Expose Key Derivation Functions

bugtracker at gambaswiki.org bugtracker at gambaswiki.org
Wed Feb 12 19:40:50 CET 2020


REALITYRIPPLE reported a new bug.


gb.openssl Expose Key Derivation Functions

Type             : Request
Priority         : Medium
Gambas version   : Master
Product          : Unknown


If possible, please include the PBKDF2 and other key derivation algorithms in the OpenSSL component. A "Derive" Class would probably be the best place to collect them. Also, hash function selection is a must; many implementations force SHA-1, but quite a few existing standards out there require SHA-256 or even SHA-512 to get a matching key from the provided password.

Key Derivation functions are only as secure as the number of rounds they do on an input password, and writing one natively (which I have done) results in a much slower rounds-per-second ratio than a compiled and optimized version, limiting the usefulness and overall security of any system that relies on it. Recent versions of OpenSSL have provided fully exposed API access to key derivation functions (including providing a hash type), but there's still no command line equivalent to fall back on, and sending a plain-text password as a command-line parameter to an application that may run for a decent chunk of time sounds like a really bad idea anyway.

Additionally, this would pave the way for facilitation of using a custom KDF for the existing EncryptSalted and DecryptSalted functions. It may also be prudent to provide some kind of padding type selection method for both the [En|De]crypt and [En|De]cryptSalted functions in the future, just to round out the functionality.

System information

Not Applicable

More information about the Bugtracker mailing list