Password Hashing and Verification

[DavesCodeMusings]

Password Hashing and Verification

I've created a MicroPython class to handle password hashing and verification for another project and I thought I'd share if anyone else is interested. I welcome any feedback to improve it.

I'll start by saying I'm not a cryptography expert, but I think what I came up with is usable and relatively secure on MycroPython-based systems.

I'm using Unix-style salted hashing as a template. My understanding of it is this:

1. Add a salt to the cleartext password.
2. Hash the salted password.
3. Record the cleartext salt and the hashed password in /etc/passwd

Unix uses crypt and SHA-512. MicroPython has neither of these, so I'm using cryptolib's AES256 and hashlib's SHA256. Here's a high-level view of the steps:

1. The salt value is generated using 16 random, base64 compatible characters.
2. The salt is used as the AES256 key to encrypt the password. This encryption is simply to randomize the application of the salt. It will never need to be unencrypted.
3. The AES256 encrypted value is hashed with SHA256 and base64 encoded for text-based storage.
4. The cleartext salt and the hashed password are stored in a format similar to what's used in Linux /etc/shadow or FreeBSD /etc/master.passwd.

The format is $type$salt$hashvalue, where $ separates the fields. For type, I made up a value of '5a', because in Linux and BSD '5' represents SHA-256 crypt. There is no designation for SHA-256 AES256, so I took the liberty of appending an 'a' similar to the way '2a' is used to indicate blowfish on some Linux systems.

I'm hoping this will provide a way to protect password data in flash storage. It's not as secure as a Unix system, but it's much better than cleartext. Thoughts from the cryptographically inclined are welcome.

Here's the class along with a sample you can run:

# Password hashing class that works with MicroPython v1.21
# There's no SHA512 or bcrypt in MicroPython, so use SHA256 and AES.
# Close to a Unix-like system password, but not compatible.

from random import choice, seed
from cryptolib import aes
from hashlib import sha256
from binascii import b2a_base64

# Change this to suit your needs before running.
user_name = "felicia"
user_pw = "Friday"


class SHA256AES:
    """
    Password hashing for MicroPython.
    """
    _method_token = "5a" # This is made up. Not a standard.

    @staticmethod
    def generate_salt(length):
        """
        Generate a random-character salt suitable for password hashing.
        """
        valid_chars = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        seed()
        salt = ""
        for i in range(length):
            salt += choice(valid_chars)
        return salt

    @staticmethod
    def create_salted_hash(salt, cleartext):
        """
        Given a salt value and password in cleartext, return a hashed password.
        """
        assert(len(salt) % 16 == 0)
        cleartext = bytes(cleartext, "utf8")
        cleartext += bytearray(16 - (len(cleartext) % 16))  # Pad out to 16-byte boundry
        cipher = aes(salt, 1)  # 1 is MODE_ECB, the only one supported by MicroPython
        salted_pw = cipher.encrypt(cleartext)
        return b2a_base64(sha256(salted_pw).digest()).decode('utf8').rstrip('\n')

    @staticmethod
    def create_passwd_entry(cleartext):
        salt = SHA256AES.generate_salt(16) # Must be evenly divisible by 16 for AES
        hashed_pw = SHA256AES.create_salted_hash(salt, cleartext)
        return f"${SHA256AES._method_token}${salt}${hashed_pw}"

    @staticmethod
    def verify_passwd_entry(hashed, cleartext):
        """
        Given a hashed password, verify the cleartext password is valid.
        """
        if hashed.count("$") != 3:
            print("Invalid hashed password format.")
            return False
        else:
            _, hash_alg, salt, hashed_pw = hashed.split("$")
            if hash_alg != SHA256AES._method_token:
                print("Unsupported hash algorithm.")
            else:
                rehashed_pw = SHA256AES.create_salted_hash(salt, cleartext)
                if hashed_pw != rehashed_pw:
                    return False
                else:
                    return True


# Hash the password for the user.
passwd_entry = SHA256AES.create_passwd_entry(user_pw)
print(f"Credential entry is...\n{user_name}:{passwd_entry}")

# Test verification.
print(f"Verify correct password (shoud return True): {SHA256AES.verify_passwd_entry(passwd_entry, user_pw)}")
print(f"Verify wrong password (shoud return False): {SHA256AES.verify_passwd_entry(passwd_entry, 'WrongPW')}")

For a more robust example, see FTPdLite where this is used to store user credentials.

[sophiedegran]

Thanks Daves there is also pyJWT which can do the job and is very improve .. It can work with simple secret_key with the algo your want (sha256 or +). There is example of jwt in Microdot web server to control web user access.
It's very powerfull under rp2, esp32c3, esp32s3

[DavesCodeMusings]

Thank you. I will take a look.