Re: [mosquitto-dev] [DynamicSecurity] Clarification on Encrypted password generation

Hi Mikkel and Roger,

Sorry for the late response. I finally got the logic behind how to generate the passwords for SHA512 and PBKDF2 SHA512 variants in Python and Go. It turns out that in Python one can generate the password in 15 lines or less, and likewise in Go. Thanks for the vital information. I don't know if it is useful for the community; if need be, I can contribute the code snippets (might be useful for testing).

Thanks for the help.

Regards,
Shan

On Sat, Jun 18, 2022 at 1:01 PM Mikkel Kirkgaard Nielsen <miki@xxxxxxxxx> wrote:
Hello list,

On 17/06/2022 14.17, Roger Light wrote:
> On Fri, 17 Jun 2022 at 12:52, Shan D <sdes.softdev@xxxxxxxxx> wrote:
>> Can I find some documentation on how the encrypted password is created?
> It uses a PKCS#5 PBKDF2 hash function, with a sha512 digest and
> (currently) a 12 byte salt.

Maybe some help can be found from my older experiments generating
password entries compatible with mosquitto_passwd using PHP. The pre-v2
passwords, however, are only based on SHA512, post-v2 adds support for
an additional type with an added PBKDF2 step. It seems like the format
used in the JSON file is similar to the latter.

More details in my [blog post][1] and the [derived script][2].

PHP's [mappings to OpenSSL][3] should make the added PBKDF2 step
somewhat straightforward.

Another difference is that the [JSON file format stores the salt, hash
and iteration count separately][4] where mosquitto_passwd uses a
concatenated colon separated string (similar to [shadow][5]).

--
Regards,
Mikkel


[1]: https://mikini.dk/2017/01/generating-passwords-for-mosquitto-mqtt-broker-using-php
[2]: https://git.sr.ht/~mikini/hometools/tree/master/item/mosquitto_passwd.php
[3]: https://www.php.net/manual/en/function.openssl-pbkdf2.php
[4]: https://github.com/eclipse/mosquitto/blob/4ac8c0bcc34c8640e8c6a931e8e63ea4f250c6c7/plugins/dynamic-security/clients.c#L151-L191
[5]: https://linux.die.net/man/5/shadow
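
The scheme described in the thread (PBKDF2 with a SHA-512 digest, a 12-byte salt, and salt, hash and iteration count stored as separate fields), as an added example that is not code from this thread or from the Mosquitto project. The field names, the base64 encoding, the 64-byte output length and the iteration count are assumptions to check against the clients.c lines linked as [4].

```python
import base64
import hashlib
import hmac
import json
import os

SALT_LEN = 12   # from the thread: "(currently) a 12 byte salt"
HASH_LEN = 64   # assumption: full SHA-512 digest length


def make_entry(username, password, iterations, salt=None):
    """Derive a PBKDF2-HMAC-SHA512 hash and return salt, hash and
    iteration count as separate fields (field names are assumptions)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, HASH_LEN
    )
    return {
        "username": username,
        "password": base64.b64encode(digest).decode("ascii"),
        "salt": base64.b64encode(salt).decode("ascii"),
        "iterations": iterations,
    }


def verify_entry(entry, candidate):
    """Recompute the hash from the stored salt and iteration count and
    compare in constant time."""
    salt = base64.b64decode(entry["salt"])
    expected = base64.b64decode(entry["password"])
    digest = hashlib.pbkdf2_hmac(
        "sha512", candidate.encode("utf-8"), salt,
        entry["iterations"], len(expected)
    )
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    entry = make_entry("sensor-01", "constructed-sample-password", 10000)
    print(json.dumps(entry, indent=2))
    print(verify_entry(entry, "constructed-sample-password"))
```

Because the salt and iteration count travel with each entry, existing entries keep verifying after the iteration count used for new passwords is raised.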