StandardStringDigester with SHA1 equivalent in Objective C

StackOverflow https://stackoverflow.com/questions/20806011

Question

I have a Java-written server that executes this code to digest the password before inserting it into the database:

private static StandardStringDigester getDigester()
{
    StandardStringDigester v_Digester = new StandardStringDigester();
    v_Digester.setAlgorithm("SHA-1");
    v_Digester.setIterations(50000);
    return v_Digester;
}

public static String digest(String p_InputPassword)
{
    return getDigester().digest(p_InputPassword);
}

I have also a iOS application written in Objective C that communicates with this server and in some part of my code I need to check if the password entered matches the password stored. Given that this is not a login functionality, I'm not willing to send the password to the server and let it make this verification, so I need an equivalent method to digest the password in Objective C. I did some research and came up with this code, that is not generating an equivalent string for me to compare with the one provided by the server:

    static const int m_Iterations = 50000;
    +(NSString *) digest:(NSString *)p_InputPassword
    {
    unsigned char v_Digest[CC_SHA1_DIGEST_LENGTH];
    NSData *v_Data = [p_InputPassword dataUsingEncoding:NSUnicodeStringEncoding];
    v_Data = [NSData dataWithBytes:[v_Data bytes] + 2 length:[v_Data length] - 2];
    for (int v_Iteration = 0; v_Iteration < m_Iterations; v_Iteration++)
    {
        if (CC_SHA1([v_Data bytes], [v_Data length], v_Digest))
        {
            v_Data = [NSData dataWithBytes:v_Digest length:CC_SHA1_DIGEST_LENGTH];
        }
        else
            NSLog(@"treta %i", v_Iteration);
    }
    NSMutableString *v_Result = [[NSMutableString alloc] init];
    for (int v_Index = 0 ; v_Index < CC_SHA1_DIGEST_LENGTH ; v_Index++)
    {
        [v_Result appendFormat: @"%02x", v_Digest[v_Index]];
    }
    return v_Result;
}
Was it helpful?

Solution

The standard password derivation method these days is: PBKDF2 (Password-Based Key Derivation Function 2)

NSMutableData *derivedKey = [NSMutableData dataWithLength:keySize];
int result = CCKeyDerivationPBKDF(
    kCCPBKDF2,               // algorithm
    password.UTF8String,     // password
    password.length,         // passwordLength
    salt.bytes,              // salt
    salt.length,             // saltLen
    kCCPRFHmacAlgSHA1,       // PRF
    rounds,                  // rounds
    derivedKey.mutableBytes, // derivedKey
    derivedKey.length);      // derivedKeyLen

Now the big question is exactly what is the Java StandardStringDigester doing?
I would not be comfortable just assuming it iterates the hash function (SHA1). There also seems to be a salt.
Best practice is to use PBKDF2 which Java does seem to support.

Here is a take on your code with an #if for utf8 or utf16

static const int iterations = 50000;
+ (NSString *) digestPassword:(NSString *)inputPassword {
    NSMutableData *dataOut = [NSMutableData dataWithLength:CC_SHA1_DIGEST_LENGTH];

#if 1 // UTF16
NSData *data = [inputPassword dataUsingEncoding:NSUTF16StringEncoding];
data = [data subdataWithRange:NSMakeRange(2, data.length-2)];
#else // UTF8
    NSData *data = [inputPassword dataUsingEncoding:NSUTF8StringEncoding];
#endif

    for (int iteration = 0; iteration < iterations; iteration++) {
        if (CC_SHA1([data bytes], [data length], dataOut.mutableBytes)) {
            data = dataOut;
        }
        else {
            NSLog(@"treta %i", iteration);
        }
    }

    unsigned char *digest = (unsigned char *)data.bytes;
    NSMutableString *result = [NSMutableString new];
    for (int index = 0 ; index < CC_SHA1_DIGEST_LENGTH ; index++) {
        [result appendFormat: @"%02x", digest[index]];
    }
    return result;
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top