Basci HTTP Auth with with the salted SHA512 algorithm rather than MD5???

Question

I read this article on the new  salted SHA512 algorithm for hashing passwords. I assume this is local but what about using it in a HTTP Basic Auth irule instead of using MD5. Is this possbile? If so, can a sample irule be posted?
Aforementioned article: https://devcentral.f5.com/articles/sha512-passwords&nbsp;
Thank you,&nbsp;

kevin_stewart · Answer

I believe Jeff is specifically talking about Linux local users, but generally speaking:&nbsp;

Basic auth uses base64 - not a hashing algorithm - and is browser-dependent.&nbsp;

SHA512 is an option should you need to hash something:&nbsp;

https://devcentral.f5.com/wiki/iRules.sha512.ashx&nbsp;

jrahm · Answer

That could be problematic as you need the salt and hash to verify the correct password. Storing it in table space is an option, but that isn't a permanent filestore and you risk forcing password resets for everyone. If you wanted to go down that route, you'd need to generate a CSPRNG for the salt (for SHA512 it should be at least 64 bytes) and prepend that to your password before hashing with the built-in SHA512 iRules command. rand is not cryptographically secure, but perhaps now with proc support, someone wants to take on building a CSPRNG proc for iRules?

Forum Discussion

Basci HTTP Auth with with the salted SHA512 algorithm rather than MD5???

2 Replies

Recent Discussions

CWE-20: Improper Input Validation

Errors in setup of BIGIP-NEXT CM VE on KVM

SEEK ADVICE FROM WEB BAILIFF CONTRACTOR ON STOLEN CRYPTO

AS3 Deployments (shared objects)

rSeries and tenant upgrades

Related Content

SHA512 passwords

SaltStack Salt SSH Command Injection Vulnerability (CVE-2020-16846)

TCP Nagle Algorithm

Add ssh-rsa to 17.1.1 host key algorithm

Intro to Load Balancing for Developers – The Algorithms