Navigation

passlib.hash.grub_pbkdf2_sha512 - Grub’s PBKDF2 Hash

This class provides an implementation of Grub’s PBKDF2-HMAC-SHA512 password hash [1], as generated by the grub-mkpasswd-pbkdf2 command, and may be found in Grub2 configuration files. PBKDF2 is a key derivation function [2] that is ideally suited as the basis for a password hash, as it provides variable length salts, variable number of rounds.

See also

Interface

class passlib.hash.grub_pbkdf2_sha512

This class implements Grub’s pbkdf2-hmac-sha512 hash, and follows the Password Hash Interface.

It supports a variable-length salt, and a variable number of rounds.

The encrypt() and genconfig() methods accept the following optional keywords:

Parameters:
  • salt (bytes) – Optional salt bytes. If specified, the length must be between 0-1024 bytes. If not specified, a 64 byte salt will be autogenerated (this is recommended).
  • salt_size (int) – Optional number of bytes to use when autogenerating new salts. Defaults to 64 bytes, but can be any value between 0 and 1024.
  • rounds (int) – Optional number of rounds to use. Defaults to 12000, but must be within range(1,1<<32).
  • relaxed (bool) –

    By default, providing an invalid value for one of the other keywords will result in a ValueError. If relaxed=True, and the error can be corrected, a PasslibHashWarning will be issued instead. Correctable errors include rounds that are too small or too large, and salt strings that are too long.

    New in version 1.6.

Format & Algorithm

A example hash (of password) is

grub.pbkdf2.sha512.10000.4483972AD2C52E1F590B3E2260795FDA9CA0B07B
96FF492814CA9775F08C4B59CD1707F10B269E09B61B1E2D11729BCA8D62B7827
B25B093EC58C4C1EAC23137.DF4FCB5DD91340D6D31E33423E4210AD47C7A4DF9
FA16F401663BF288C20BF973530866178FE6D134256E4DBEFBD984B652332EED3
ACAED834FEA7B73CAE851D

All of this scheme’s hashes have the format grub.pbkdf2.sha512.rounds.salt.checksum, where rounds is the number of iteration stored in decimal, salt is the salt string encoded using upper-case hexdecimal, and checksum is the resulting 64-byte derived key, also encoded in upper-case hexidecimal. It can be identified by the prefix grub.pdkdf2.sha512..

The algorithm used is the same as pbkdf2_sha1: the password is encoded into UTF-8 if not already encoded, and passed through pbkdf2() along with the decoded salt, and the number of rounds. The result is then encoded into hexidecimal.

Footnotes

[1]Information about Grub’s password hashes - http://grub.enbug.org/Authentication.
[2]The specification for the PBKDF2 algorithm - http://tools.ietf.org/html/rfc2898#section-5.2.

Table Of Contents

Previous topic

passlib.hash.django_digest - Django-specific Hashes

Next topic

passlib.hash.hex_digest - Generic Hexdecimal Digests

This Page

Navigation

© Copyright 2008-2013, Assurance Technologies, LLC. Created using Sphinx 1.1.3+/2edd437ef8c9.