
CompressedPBKDF2

David Bertoldi edited this page Feb 18, 2021 · 3 revisions

The compressed version of PBKDF2 does not add any security to the original PBKDF2, but the resulting hash encodes the parameters and the salt in the following form:

${algorithm identifier}${salt in base64}${hash in base64}

📑 Define Compressed PBKDF2 parameters

See how to define PBKDF2 parameters first.

You can define a singleton custom PBKDF2 function by calling CompressedPBKDF2Function.getInstance(Hmac, int, int):

PBKDF2Function pbkdf2 = CompressedPBKDF2Function.getInstance(Hmac.SHA256, 100000, 1024);

In this case you have created a singleton instance which uses HMAC SHA-256 as its pseudo-random function, performs 100000 iterations and produces a hash of 1024 bytes.

Alternatively, if you have defined the parameters in the psw4j.properties file:

PBKDF2Function pbkdf2 = AlgorithmFinder.getCompressedPBKDF2Instance();

In addition to what the original PBKDF2 offers, you can create a CompressedPBKDF2Function singleton instance from the hash itself, since all the parameters it requires are stored in it.

String hashed = "$3$42949672960256$YWJj$/WTQfTTc8Hg8GlplP0LthpgdElUG+I3MyuvK8MI4MnQ=";

CompressedPBKDF2Function pbkdf2 = CompressedPBKDF2Function.getInstanceFromHash(hashed);

#️⃣ How to hash passwords

See how to hash passwords with PBKDF2 first.

This section is very similar, but uses withCompressedPBKDF2() instead of withPBKDF2().

Hash hash = Password.hash(plainTextPassword).withCompressedPBKDF2();

hash.getResult(); // $3$42949672960256$YWJj$/WTQfTTc8Hg8GlplP0LthpgdElUG+I3MyuvK8MI4MnQ=

✔️ How to check the hash

See how to check the hash with PBKDF2 first.

This section is very similar, but uses withCompressedPBKDF2() instead of withPBKDF2().

String hashFromDB = getHashFromDatabase(user);
String saltFromDB = getSaltFromDatabase(user);

boolean verified = Password.check(userProvidedPassword, hashFromDB).addSalt(saltFromDB).withCompressedPBKDF2();

🔄 How to update the hash

See how to update the hash with PBKDF2 first.

This section is very similar, but uses withCompressedPBKDF2() instead of withPBKDF2().

String hashFromDB = getHashFromDatabase(user);
String saltFromDB = getSaltFromDatabase(user);

CompressedPBKDF2Function myPbkdf2 = CompressedPBKDF2Function.getInstanceFromHash(hashFromDB);

HashUpdate update = Password.check(userProvidedPassword, hashFromDB).addSalt(saltFromDB)
                            .andUpdate()
                            .addNewRandomSalt().with(myPbkdf2);

if (update.isVerified())
{
    Hash newHash = update.getHash();
    storeNewHash(user, newHash.getHash());
    storeNewSalt(user, newHash.getSalt());
}
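The compressed format is what makes the two steps above possible: recreating the function from a stored hash, and deciding during verification whether the stored parameters are still acceptable. As an added example (not Password4j code), the following Python uses only the standard library to parse the example hash from this page, verify a password against a hash in this format, and flag hashes whose embedded parameters fall below a chosen policy. The algorithm-identifier table and the packing of iterations and key length into the second field are assumptions read from the example hash, not stated on the page.

```python
import base64
import hashlib
import hmac

# Assumed mapping of the algorithm identifier to the HMAC digest; only "3" is
# confirmed by the example hash on this page (Hmac.SHA256).
ALGORITHMS = {"1": "sha1", "2": "sha224", "3": "sha256", "4": "sha384", "5": "sha512"}

# The example hash from this page.
PAGE_HASH = "$3$42949672960256$YWJj$/WTQfTTc8Hg8GlplP0LthpgdElUG+I3MyuvK8MI4MnQ="


def parse_compressed(hashed: str) -> dict:
    """Split "$<algo>$<params>$<salt b64>$<hash b64>" into its parts.

    Assumption (not stated on the page): the second field packs the iteration
    count into the high 32 bits and the key length in bits into the low 32 bits.
    The page's example then gives 10000 iterations and a 256-bit key, matching
    the 32-byte digest in its last field.
    """
    parts = hashed.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] not in ALGORITHMS:
        raise ValueError("not a recognised compressed PBKDF2 hash")
    packed = int(parts[2])
    digest = base64.b64decode(parts[4])
    if len(digest) * 8 != packed & 0xFFFFFFFF:
        raise ValueError("key length field does not match the stored hash")
    return {"digest": ALGORITHMS[parts[1]], "iterations": packed >> 32,
            "length_bits": packed & 0xFFFFFFFF,
            "salt": base64.b64decode(parts[3]), "hash": digest}


def compress(digest: str, iterations: int, length_bits: int, salt: bytes, password: str) -> str:
    """Encode a freshly derived key in the same format (mirror of parse_compressed)."""
    algo = {v: k for k, v in ALGORITHMS.items()}[digest]
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, length_bits // 8)
    packed = (iterations << 32) | length_bits
    return f"${algo}${packed}${base64.b64encode(salt).decode()}${base64.b64encode(dk).decode()}"


def check(password: str, hashed: str) -> bool:
    """Re-derive the key with the parameters stored in the hash; compare in constant time."""
    p = parse_compressed(hashed)
    dk = hashlib.pbkdf2_hmac(p["digest"], password.encode(), p["salt"], p["iterations"], len(p["hash"]))
    return hmac.compare_digest(dk, p["hash"])


def needs_rehash(hashed: str, min_iterations: int = 100000, min_length_bits: int = 256) -> bool:
    """True when the parameters embedded in a stored hash fall below the current policy."""
    p = parse_compressed(hashed)
    return p["iterations"] < min_iterations or p["length_bits"] < min_length_bits
```

Because the parameters travel with the hash, a verification path can call needs_rehash() right after a successful check() and re-hash with current parameters, which is the pattern the update section above implements with andUpdate().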