Is there a SQL implementation of PBKDF2?
PBKDF2 is built into the .NET framework as System.Security.Cryptography.Rfc2898DeriveBytes. It's straightforward to create a SQL CLR function that wraps a call to this class' GetBytes
method.
I realize you were looking for a solution that doesn't require an external library but at least this limits the dependency an assembly that simply wraps framework code.
why is my pbkdf2 implementation so slow (vs. SQLCipher)?
Ok I figured out what the problem was.
If I disconnect the device from my PC it works instant. Also if I reconnect it after that.
Now even with an iteration amount of 5000 and above, the deriving function only needs less than a second!! This is great, since my Xoom isn't the newest of all devices!
May be it is because of the debug mode or something, I don't really know actually!
Anyways, thanks to mr.spuratic. Hope this helps someone in the future :-)
Salting and Hashing with PBKDF2
You're basically going in the right direction, but I'll point out some things to think about:
The default number of iterations of the PBKDF2 method may not be sufficient, and you may not want to leave things to the default. I would recommend specifying an iteration count of at least 10K.
On the other hand, the key size and salt size are counted by this implementation in bytes. 64 bytes is a bit too much. Keeping both to 16 bytes each should be ample. It's not recommended to go over 20 bytes as that's the maximum size of the underlying hash function / HMAC. Going over that will only give an advantage to the attacker (this, according to many, is a design mistake in PBKDF2). You may of course set the size of varbinary to a higher value to allow for future upgrades.
It's recommended that you keep a protocol number with your salt and hashed password. Doing so makes it possible for you to upgrade the scheme at a later date and per entry, when the user is available to reset his/her password.
Minor point; MSDN does not specify when the salt is generated. I would check the randomness of the salt (check if it is different each time) and only ask the salt after calling
getBytes
to make sure that the salt is indeed random, even if the implementation changes. Otherwise generate it yourself using a cryptographically secure random number generator.
basic php pbkdf2 hashing
Thomas Ptacek wrote a great article a while back explaining - in some detail - what salt is, why it's useful, and gave the #1 rule you need to memorize regarding password hashing systems:
Use someone else’s password system. Don’t build your own.
If you are going to be using PHP 5.5 in your application, use the new password_hash API; if you're not, make sure you're using at least PHP 5.3 and use the password_hash userland compatability library. They are designed to take all the pain out of this for you.
Related Topics
How to Specify Date Literal When Writing SQL Query from SQL Server That Is Linked to Oracle
Postgres Function Returning Table Not Returning Data in Columns
Mysql: "The Select Would Examine More Than Max_Join_Size Rows"
Access 2010: Syntax Error (Missing Operator) in Query Expression
SQL Group By, Top N Items for Each Group
How to Sort a 'Version Number' Column Generically Using a SQL Server Query
Delete Parent If It's Not Referenced by Any Other Child
SQL Error "Ora-01722: Invalid Number"
SQL Error: Ora-00933: SQL Command Not Properly Ended
Inner Join in Update SQL for Db2
Passing SQL "In" Parameter List in Jasperreport
Ora 00904 Error:Invalid Identifier
Why Postgres Returns Unordered Data in Select Query, After Updation of Row
How to Convert a "Legacy" Left Outer Join Statement in Oracle
SQL Not a Single-Group Group Function