Project

General

Profile

Feature #10298

Use CNSA-compliant algo to hash user password

Added by Viktor Gurov 3 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
02/27/2020
Due date:
% Done:

0%

Estimated time:

Description

function local_user_set_password() from auth.inc,
for now uses password_hash($password, PASSWORD_BCRYPT) function to create user password hash
from https://www.php.net/manual/en/function.password-hash.php:

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. 
This will produce a standard crypt() compatible hash using the "$2y$" identifier. 
The result will always be a 60 character string, or FALSE on failure.

Is it possible to use CNSA-compatible hashing for this operation?
From https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm:
Use SHA-384 to protect up to TOP SECRET. ( http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf )

Using hash() ?
https://stackoverflow.com/questions/6431918/php-sha256-and-salt-wont-work

Also available in: Atom PDF