password storage and bcrypt

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

password storage and bcrypt

French, Shelane
I'm being asked that for our external applications, we use bcrypt
algorithm to encrypt our passwords. The Blowfish cipher is mentioned in
articles I'm reading. Is there a way to use Lasso 8.5 to do bcrypt
encryption?

#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: password storage and bcrypt

Brad Lindsay
On 3/21/14, 1:04 PM, French, Shelane wrote:
> I'm being asked that for our external applications, we use bcrypt
> algorithm to encrypt our passwords. The Blowfish cipher is mentioned in
> articles I'm reading. Is there a way to use Lasso 8.5 to do bcrypt
> encryption?

Lasso uses the encryption algorithms found in your installation of
OpenSSL libraries. I don't know if bcrypt is known as a specific version
of blowfish, but regardless, you'd have to have it supported in your
OpenSSL libraries. (You can get the list of available digest ciphers by
running [cipher_list(-digest)])

I didn't find anything helpful on OpenSSL's website regarding bcrypt,
but here's their page on blowfish:
        https://www.openssl.org/docs/crypto/blowfish.html

I do, however, see various installation options for bcrypt by itself:
Ubuntu and CentOS each have packages and you can use homebrew on OS X to
install it. Alternatively, you can get the source and compile it for
yourself:
        http://bcrypt.sourceforge.net
Once you have the binary, you should be able to use [OS_Process] to
create digests.

One final option, since you have the source code available above, you
could use LCAPI to create a Lasso Module with a custom [bcrypt] method.


HTH
Brad



#lasso8 #encryption
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: password storage and bcrypt

Brad Lindsay
Oops!

It looks like the source code I linked to
(http://bcrypt.sourceforge.net) is not actually for bcrypt. It is just a
utility to use blowfish to encrypt files and has a confusing name.

This seems to be the best C implementation:
        http://openwall.com/crypt/

Sorry,
Brad


On 3/21/14, 2:21 PM, Brad Lindsay wrote:

> On 3/21/14, 1:04 PM, French, Shelane wrote:
>> I'm being asked that for our external applications, we use bcrypt
>> algorithm to encrypt our passwords. The Blowfish cipher is mentioned in
>> articles I'm reading. Is there a way to use Lasso 8.5 to do bcrypt
>> encryption?
>
> Lasso uses the encryption algorithms found in your installation of
> OpenSSL libraries. I don't know if bcrypt is known as a specific version
> of blowfish, but regardless, you'd have to have it supported in your
> OpenSSL libraries. (You can get the list of available digest ciphers by
> running [cipher_list(-digest)])
>
> I didn't find anything helpful on OpenSSL's website regarding bcrypt,
> but here's their page on blowfish:
> https://www.openssl.org/docs/crypto/blowfish.html
>
> I do, however, see various installation options for bcrypt by itself:
> Ubuntu and CentOS each have packages and you can use homebrew on OS X to
> install it. Alternatively, you can get the source and compile it for
> yourself:
> http://bcrypt.sourceforge.net
> Once you have the binary, you should be able to use [OS_Process] to
> create digests.
>
> One final option, since you have the source code available above, you
> could use LCAPI to create a Lasso Module with a custom [bcrypt] method.
>
>
> HTH
> Brad
>
>
>
> #lasso8 #encryption
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: password storage and bcrypt

French, Shelane
Looks like Apache 2.4 has it built into htpasswd, but unfortunately we're
stuck on 2.2 for the foreseeable future.

On 3/21/14, 11:47 AM, "Brad Lindsay" <[hidden email]> wrote:

Oops!

It looks like the source code I linked to
(http://bcrypt.sourceforge.net) is not actually for bcrypt. It is just a
utility to use blowfish to encrypt files and has a confusing name.

This seems to be the best C implementation:
        http://openwall.com/crypt/

Sorry,
Brad


On 3/21/14, 2:21 PM, Brad Lindsay wrote:

> On 3/21/14, 1:04 PM, French, Shelane wrote:
>> I'm being asked that for our external applications, we use bcrypt
>> algorithm to encrypt our passwords. The Blowfish cipher is mentioned in
>> articles I'm reading. Is there a way to use Lasso 8.5 to do bcrypt
>> encryption?
>
> Lasso uses the encryption algorithms found in your installation of
> OpenSSL libraries. I don't know if bcrypt is known as a specific version
> of blowfish, but regardless, you'd have to have it supported in your
> OpenSSL libraries. (You can get the list of available digest ciphers by
> running [cipher_list(-digest)])
>
> I didn't find anything helpful on OpenSSL's website regarding bcrypt,
> but here's their page on blowfish:
> https://www.openssl.org/docs/crypto/blowfish.html
>
> I do, however, see various installation options for bcrypt by itself:
> Ubuntu and CentOS each have packages and you can use homebrew on OS X to
> install it. Alternatively, you can get the source and compile it for
> yourself:
> http://bcrypt.sourceforge.net
> Once you have the binary, you should be able to use [OS_Process] to
> create digests.
>
> One final option, since you have the source code available above, you
> could use LCAPI to create a Lasso Module with a custom [bcrypt] method.
>
>
> HTH
> Brad
>
>
>
> #lasso8 #encryption
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: password storage and bcrypt

Jonathan Guthrie-3
Is that policy or lack of compiled lasso connector?

Sent from my iPhone

> On Mar 21, 2014, at 5:50 PM, "French, Shelane" <[hidden email]> wrote:
>
> Looks like Apache 2.4 has it built into htpasswd, but unfortunately we're
> stuck on 2.2 for the foreseeable future.
>
> On 3/21/14, 11:47 AM, "Brad Lindsay" <[hidden email]> wrote:
>
> Oops!
>
> It looks like the source code I linked to
> (http://bcrypt.sourceforge.net) is not actually for bcrypt. It is just a
> utility to use blowfish to encrypt files and has a confusing name.
>
> This seems to be the best C implementation:
>    http://openwall.com/crypt/
>
> Sorry,
> Brad
>
>
>> On 3/21/14, 2:21 PM, Brad Lindsay wrote:
>>> On 3/21/14, 1:04 PM, French, Shelane wrote:
>>> I'm being asked that for our external applications, we use bcrypt
>>> algorithm to encrypt our passwords. The Blowfish cipher is mentioned in
>>> articles I'm reading. Is there a way to use Lasso 8.5 to do bcrypt
>>> encryption?
>>
>> Lasso uses the encryption algorithms found in your installation of
>> OpenSSL libraries. I don't know if bcrypt is known as a specific version
>> of blowfish, but regardless, you'd have to have it supported in your
>> OpenSSL libraries. (You can get the list of available digest ciphers by
>> running [cipher_list(-digest)])
>>
>> I didn't find anything helpful on OpenSSL's website regarding bcrypt,
>> but here's their page on blowfish:
>> https://www.openssl.org/docs/crypto/blowfish.html
>>
>> I do, however, see various installation options for bcrypt by itself:
>> Ubuntu and CentOS each have packages and you can use homebrew on OS X to
>> install it. Alternatively, you can get the source and compile it for
>> yourself:
>> http://bcrypt.sourceforge.net
>> Once you have the binary, you should be able to use [OS_Process] to
>> create digests.
>>
>> One final option, since you have the source code available above, you
>> could use LCAPI to create a Lasso Module with a custom [bcrypt] method.
>>
>>
>> HTH
>> Brad
>>
>>
>>
>> #lasso8 #encryption
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso [hidden email]
> Official list archives available at http://www.lassotalk.com
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
>
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso [hidden email]
> Official list archives available at http://www.lassotalk.com
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: password storage and bcrypt

French, Shelane
This is on a Mac OS 10.6 Server.

I'm looking at any way I can get bcrypt capabilities. I am not a C
programmer though.


On 3/21/14, 4:40 PM, "Jonathan Guthrie" <[hidden email]> wrote:

Is that policy or lack of compiled lasso connector?

Sent from my iPhone

> On Mar 21, 2014, at 5:50 PM, "French, Shelane" <[hidden email]> wrote:
>
> Looks like Apache 2.4 has it built into htpasswd, but unfortunately we're
> stuck on 2.2 for the foreseeable future.
>
> On 3/21/14, 11:47 AM, "Brad Lindsay" <[hidden email]> wrote:
>
> Oops!
>
> It looks like the source code I linked to
> (http://bcrypt.sourceforge.net) is not actually for bcrypt. It is just a
> utility to use blowfish to encrypt files and has a confusing name.
>
> This seems to be the best C implementation:
>    http://openwall.com/crypt/
>
> Sorry,
> Brad
>
>
>> On 3/21/14, 2:21 PM, Brad Lindsay wrote:
>>> On 3/21/14, 1:04 PM, French, Shelane wrote:
>>> I'm being asked that for our external applications, we use bcrypt
>>> algorithm to encrypt our passwords. The Blowfish cipher is mentioned in
>>> articles I'm reading. Is there a way to use Lasso 8.5 to do bcrypt
>>> encryption?
>>
>> Lasso uses the encryption algorithms found in your installation of
>> OpenSSL libraries. I don't know if bcrypt is known as a specific version
>> of blowfish, but regardless, you'd have to have it supported in your
>> OpenSSL libraries. (You can get the list of available digest ciphers by
>> running [cipher_list(-digest)])
>>
>> I didn't find anything helpful on OpenSSL's website regarding bcrypt,
>> but here's their page on blowfish:
>> https://www.openssl.org/docs/crypto/blowfish.html
>>
>> I do, however, see various installation options for bcrypt by itself:
>> Ubuntu and CentOS each have packages and you can use homebrew on OS X to
>> install it. Alternatively, you can get the source and compile it for
>> yourself:
>> http://bcrypt.sourceforge.net
>> Once you have the binary, you should be able to use [OS_Process] to
>> create digests.
>>
>> One final option, since you have the source code available above, you
>> could use LCAPI to create a Lasso Module with a custom [bcrypt] method.
>>
>>
>> HTH
>> Brad
>>
>>
>>
>> #lasso8 #encryption
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso [hidden email]
> Official list archives available at http://www.lassotalk.com
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
>
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso [hidden email]
> Official list archives available at http://www.lassotalk.com
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: password storage and bcrypt

Bil Corry-3
Maybe you can hire LassoSoft to build you a bcrypt LCAPI tag, the OpenBSD
source for bcrypt is here:

http://ftp.usa.openbsd.org/pub/OpenBSD/src/lib/libc/crypt/bcrypt.c


- Bil


On Sat, Mar 22, 2014 at 12:46 AM, French, Shelane <[hidden email]> wrote:

> This is on a Mac OS 10.6 Server.
>
> I'm looking at any way I can get bcrypt capabilities. I am not a C
> programmer though.
>
>
> On 3/21/14, 4:40 PM, "Jonathan Guthrie" <[hidden email]> wrote:
>
> Is that policy or lack of compiled lasso connector?
>
> Sent from my iPhone
>
> > On Mar 21, 2014, at 5:50 PM, "French, Shelane" <[hidden email]> wrote:
> >
> > Looks like Apache 2.4 has it built into htpasswd, but unfortunately we're
> > stuck on 2.2 for the foreseeable future.
> >
> > On 3/21/14, 11:47 AM, "Brad Lindsay" <[hidden email]> wrote:
> >
> > Oops!
> >
> > It looks like the source code I linked to
> > (http://bcrypt.sourceforge.net) is not actually for bcrypt. It is just a
> > utility to use blowfish to encrypt files and has a confusing name.
> >
> > This seems to be the best C implementation:
> >    http://openwall.com/crypt/
> >
> > Sorry,
> > Brad
> >
> >
> >> On 3/21/14, 2:21 PM, Brad Lindsay wrote:
> >>> On 3/21/14, 1:04 PM, French, Shelane wrote:
> >>> I'm being asked that for our external applications, we use bcrypt
> >>> algorithm to encrypt our passwords. The Blowfish cipher is mentioned in
> >>> articles I'm reading. Is there a way to use Lasso 8.5 to do bcrypt
> >>> encryption?
> >>
> >> Lasso uses the encryption algorithms found in your installation of
> >> OpenSSL libraries. I don't know if bcrypt is known as a specific version
> >> of blowfish, but regardless, you'd have to have it supported in your
> >> OpenSSL libraries. (You can get the list of available digest ciphers by
> >> running [cipher_list(-digest)])
> >>
> >> I didn't find anything helpful on OpenSSL's website regarding bcrypt,
> >> but here's their page on blowfish:
> >> https://www.openssl.org/docs/crypto/blowfish.html
> >>
> >> I do, however, see various installation options for bcrypt by itself:
> >> Ubuntu and CentOS each have packages and you can use homebrew on OS X to
> >> install it. Alternatively, you can get the source and compile it for
> >> yourself:
> >> http://bcrypt.sourceforge.net
> >> Once you have the binary, you should be able to use [OS_Process] to
> >> create digests.
> >>
> >> One final option, since you have the source code available above, you
> >> could use LCAPI to create a Lasso Module with a custom [bcrypt] method.
> >>
> >>
> >> HTH
> >> Brad
> >>
> >>
> >>
> >> #lasso8 #encryption
> > #############################################################
> > This message is sent to you because you are subscribed to
> >  the mailing list Lasso [hidden email]
> > Official list archives available at http://www.lassotalk.com
> > To unsubscribe, E-mail to: <[hidden email]>
> > Send administrative queries to  <[hidden email]>
> >
> > #############################################################
> > This message is sent to you because you are subscribed to
> >  the mailing list Lasso [hidden email]
> > Official list archives available at http://www.lassotalk.com
> > To unsubscribe, E-mail to: <[hidden email]>
> > Send administrative queries to  <[hidden email]>
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list Lasso [hidden email]
> Official list archives available at http://www.lassotalk.com
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
>
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list Lasso [hidden email]
> Official list archives available at http://www.lassotalk.com
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
>
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>