Currently pbkdf2 relies on the sha2 crate to support both PHC and MCF password hashes. @newpavlov has suggested this could be implemented as generic composition instead. I'm opening this issue to spell out the specific requirements for this and why I don't think that makese sense.
pbkdf2 is really the only crate impacted by this problem: other constructions don't allow you to plug in your own hash function (sha-crypt is perhaps the closest with letting you choose between SHA-256 and SHA-512). If we wanted a truly generic solution though, e.g. in the password-hash crate, it really needs to be the combination of three things: a password hashing algorithm, a hash function, and a password hash serialization format.
The core trickiest part is the hash function-specific identifiers: for PBKDF2, these happen to be the same for PHC and MCF: pbkdf2-sha256 for SHA-256, and pbkdf2-sha512 for SHA-512. They aren't for other algorithms though, e.g. scrypt is $7$ for MCF and $scrypt$ for PHC.
At the very least, the password hashing implementation needs to be able to include this label in serialized hashes, and verify the correct algorithm-specific identifier label is in place when verifying. The current implementation in pbkdf2 is also able to do runtime dispatch to select between SHA-256 and SHA-512 when verifying based on these identifier labels.
To support generic composition, something needs to be able to define these identifiers as the combination of a password hashing algorithm, a hash function, and a password hash serialization format.
If we were to put these concerns in e.g sha2 instead of pbkdf2, how would we establish the linkage between a hash function and a particular password hash algorithm? That looks a little something like:
| identifier |
password hash algorithm |
password hash serialization |
hash function |
$5$ |
SHA-crypt |
MCF |
SHA-256 |
$6$ |
SHA-crypt |
MCF |
SHA-512 |
$pbkdf2-sha256$ |
PBKDF2-HMAC |
MCF or PHC |
SHA-256 |
$pbkdf2-sha512$ |
PBKDF2-HMAC |
MCF or PHC |
SHA-512 |
I don't think it makes sense to try to put all of this in sha2. Instead I think each password hash algorithm needs its own registry, i.e. how it works today. Really one of the two crates needs the other crate in scope so it can do things with type-level combinations of the two algorithms, and for defining details that are specific to a password hashing algorithm, I think it makes sense to put those details in the crate that contains the algorithm implementation for a given password hashing algorithm, rather than in the crate for the hash functions.
The only alternatives I can think of are for sha2 to just define a big bag of string identifiers for that algorithm with no type-specific linkage and the individual password hash algorithms can heuristically attempt to find which is appropriate, but that sounds like quite a hack.
Otherwise, the user could be responsible for providing the identifier when initializing a password hasher with a given concrete hash algorithm, but that sounds like punting a problem off to the user which is otherwise solvable.
Currently
pbkdf2relies on thesha2crate to support both PHC and MCF password hashes. @newpavlov has suggested this could be implemented as generic composition instead. I'm opening this issue to spell out the specific requirements for this and why I don't think that makese sense.pbkdf2is really the only crate impacted by this problem: other constructions don't allow you to plug in your own hash function (sha-cryptis perhaps the closest with letting you choose between SHA-256 and SHA-512). If we wanted a truly generic solution though, e.g. in thepassword-hashcrate, it really needs to be the combination of three things: a password hashing algorithm, a hash function, and a password hash serialization format.The core trickiest part is the hash function-specific identifiers: for PBKDF2, these happen to be the same for PHC and MCF:
pbkdf2-sha256for SHA-256, andpbkdf2-sha512for SHA-512. They aren't for other algorithms though, e.g. scrypt is$7$for MCF and$scrypt$for PHC.At the very least, the password hashing implementation needs to be able to include this label in serialized hashes, and verify the correct algorithm-specific identifier label is in place when verifying. The current implementation in
pbkdf2is also able to do runtime dispatch to select between SHA-256 and SHA-512 when verifying based on these identifier labels.To support generic composition, something needs to be able to define these identifiers as the combination of a password hashing algorithm, a hash function, and a password hash serialization format.
If we were to put these concerns in e.g
sha2instead ofpbkdf2, how would we establish the linkage between a hash function and a particular password hash algorithm? That looks a little something like:$5$$6$$pbkdf2-sha256$$pbkdf2-sha512$I don't think it makes sense to try to put all of this in
sha2. Instead I think each password hash algorithm needs its own registry, i.e. how it works today. Really one of the two crates needs the other crate in scope so it can do things with type-level combinations of the two algorithms, and for defining details that are specific to a password hashing algorithm, I think it makes sense to put those details in the crate that contains the algorithm implementation for a given password hashing algorithm, rather than in the crate for the hash functions.The only alternatives I can think of are for
sha2to just define a big bag of string identifiers for that algorithm with no type-specific linkage and the individual password hash algorithms can heuristically attempt to find which is appropriate, but that sounds like quite a hack.Otherwise, the user could be responsible for providing the identifier when initializing a password hasher with a given concrete hash algorithm, but that sounds like punting a problem off to the user which is otherwise solvable.