Re: [mosquitto-dev] [DynamicSecurity] Clarification on Encrypted password generation

Hello list,

On 17/06/2022 14.17, Roger Light wrote:
> On Fri, 17 Jun 2022 at 12:52, Shan D <sdes.softdev@xxxxxxxxx> wrote:
>> Can I find some documentation on how the encrypted password is created?
> It uses a PKCS#5 PBKDF2 hash function, with a sha512 digest and
> (currently) a 12 byte salt.

Maybe some help can be found from my older experiments generating password entries compatible with mosquitto_passwd using PHP. The pre-v2 passwords, however, are only based on SHA512; post-v2 adds support for an additional type with an added PBKDF2 step. It seems like the format used in the JSON file is similar to the latter.

More details in my [blog post][1] and the [derived script][2].

PHP's [mappings to OpenSSL][3] should make the added PBKDF2 step somewhat straightforward.

Another difference is that the [JSON file format stores the salt, hash and iteration count separately][4] where mosquitto_passwd uses a concatenated colon-separated string (similar to [shadow][5]).

--
Regards,
Mikkel


[1]: https://mikini.dk/2017/01/generating-passwords-for-mosquitto-mqtt-broker-using-php
[2]: https://git.sr.ht/~mikini/hometools/tree/master/item/mosquitto_passwd.php

[3]: https://www.php.net/manual/en/function.openssl-pbkdf2.php
[4]: https://github.com/eclipse/mosquitto/blob/4ac8c0bcc34c8640e8c6a931e8e63ea4f250c6c7/plugins/dynamic-security/clients.c#L151-L191
[5]: https://linux.die.net/man/5/shadow
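
Added example, not part of the original messages and not Mosquitto's or the poster's code: a Python sketch of the scheme described in the thread (PBKDF2 with a sha512 digest and a 12 byte salt), emitting both the separate salt/hash/iteration fields and a single concatenated line, with a constant-time verification step. Assumptions: the field names `salt`, `password` and `iterations`, base64 encoding of salt and hash, the `user:$7$iterations$salt$hash` line layout, and the iteration count and sample credentials, which are constructed.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 12      # salt size stated in the thread
DIGEST = "sha512"  # digest stated in the thread


def make_credential(password, iterations, salt=None):
    """Derive a PBKDF2-HMAC-SHA512 hash; keep salt, hash and count as separate fields."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return {  # field names are assumptions, see lead-in
        "salt": base64.b64encode(salt).decode("ascii"),
        "password": base64.b64encode(digest).decode("ascii"),
        "iterations": iterations,
    }


def to_passwd_line(username, cred):
    """Concatenated one-line form (assumed layout: user:$7$iterations$salt$hash)."""
    return "{}:$7${}${}${}".format(username, cred["iterations"], cred["salt"], cred["password"])


def from_passwd_line(line):
    """Split the concatenated form back into a username and separate fields."""
    username, rest = line.rstrip("\n").split(":", 1)
    _, hashtype, iterations, salt, digest = rest.split("$")
    if hashtype != "7":
        raise ValueError("not a PBKDF2 entry")
    return username, {"salt": salt, "password": digest, "iterations": int(iterations)}


def verify(password, cred):
    """Recompute with the stored salt and count, then compare in constant time."""
    salt = base64.b64decode(cred["salt"])
    expected = base64.b64decode(cred["password"])
    actual = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, cred["iterations"])
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    cred = make_credential("correct horse", iterations=10000)  # constructed sample values
    line = to_passwd_line("sensor01", cred)
    print(cred)
    print(line, verify("correct horse", from_passwd_line(line)[1]))
```

Because the salt and iteration count are stored next to the hash in both forms, a verifier needs nothing beyond the stored record and the candidate password.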


Back to the top