loki5100 edited this page Jan 19, 2018 · 2 revisions

It could be good to have the Issues tab to post problems we found in the code.

For my part I think this is fundamentally false because both strings are really different even if visually the same:

```pascal
class function TBCrypt.SelfTestJ: Boolean;
var
	password1: UnicodeString;
	password2: UnicodeString;
	hash: string;
	passwordRehashNeeded: Boolean;
begin
	{	There are four Unicode normalization schemes:

		NFC	Composition
		NFD	Decomposition
		NFKC	Compatible Composition   <--- the one we use
		NFKD	Compatible Decomposition

	NIST Special Publication 800-63B (Digital Authentication Guideline - Authentication and Lifecycle Management)
		says that passwords should have unicode normalization KC or KD applied.

	RFC7613 (SASLprep) specifies the use of NFKC
		https://tools.ietf.org/html/rfc7613
		 Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords

	Original
			A:  U+0041
			¨:  U+0308 Combining Diaeresis
			fi: U+FB01 Latin Small Ligature Fi
			n:  U+006E

	Normalized:  Ä + f + i + n
			Ä:  U+00C4  Latin Capital Letter A with Diaeresis
			f:  U+0066
			i:  U+0069
			n:  U+006E
	}
	password1 := 'A' + #$0308 + #$FB01 + 'n';	// decomposed form, with the fi ligature
	password2 := #$00C4 + 'f' + 'i' + 'n';		// precomposed form, ligature expanded

	// Hash the decomposed string (cost factor 4, the minimum, keeps the self-test fast)
	hash := TBCrypt.HashPassword(password1, 4);

	// The test passes only if the precomposed string verifies against that hash
	Result := TBCrypt.CheckPassword(password2, hash, {out}passwordRehashNeeded);
end;
```
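To see exactly what the self-test relies on, here is an added example (written for this page, not code from the library or its author) that takes the same two code-point sequences, compares them raw, compares them under each of the four normalization forms named in the comment, and then runs a hash-and-check round trip with and without NFKC applied on both sides. `hash_password` and `check_password` are hypothetical stand-ins for `TBCrypt.HashPassword` and `TBCrypt.CheckPassword`, and PBKDF2-HMAC-SHA256 from the standard library is substituted for bcrypt so the script runs with no extra packages; the KDF choice is an assumption and is not the point being shown.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# The two code-point sequences from SelfTestJ, constructed here to mirror the page.
PASSWORD1 = "A" + "\u0308" + "\ufb01" + "n"  # A, combining diaeresis, fi ligature, n
PASSWORD2 = "\u00c4" + "f" + "i" + "n"       # precomposed A-diaeresis, f, i, n

NORMALIZATION_FORMS = ("NFC", "NFD", "NFKC", "NFKD")


def forms_that_unify(a: str, b: str) -> set:
    """Return the normalization forms under which a and b become the same string."""
    return {
        form
        for form in NORMALIZATION_FORMS
        if unicodedata.normalize(form, a) == unicodedata.normalize(form, b)
    }


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  normalize: bool = True) -> str:
    """Hypothetical stand-in for TBCrypt.HashPassword.

    Assumption: PBKDF2-HMAC-SHA256 replaces bcrypt so the example has no
    third-party dependency. When normalize is True the password is put into
    NFKC before hashing, which is the policy the self-test's comment describes.
    """
    if normalize:
        password = unicodedata.normalize("NFKC", password)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str, *, normalize: bool = True) -> bool:
    """Hypothetical stand-in for TBCrypt.CheckPassword.

    Recomputes with the stored salt under the same normalization policy and
    compares in constant time. The policy must match the one used at hash time.
    """
    salt_hex, _digest_hex = stored.split("$", 1)
    recomputed = hash_password(password, salt=bytes.fromhex(salt_hex), normalize=normalize)
    return hmac.compare_digest(recomputed, stored)


def self_test() -> dict:
    """Reproduce SelfTestJ under both policies and report what each gives."""
    stored_raw = hash_password(PASSWORD1, normalize=False)
    stored_nfkc = hash_password(PASSWORD1, normalize=True)
    return {
        # The raw strings differ: 4 code points, 7 UTF-8 bytes vs 4 code points, 5 bytes
        "raw_strings_equal": PASSWORD1 == PASSWORD2,
        "utf8_lengths": (len(PASSWORD1.encode("utf-8")), len(PASSWORD2.encode("utf-8"))),
        # Only the compatibility forms (KC, KD) fold the fi ligature into "f" + "i"
        "unifying_forms": forms_that_unify(PASSWORD1, PASSWORD2),
        # Hash and check with NFKC on both sides: the self-test passes
        "matches_with_nfkc": check_password(PASSWORD2, stored_nfkc, normalize=True),
        # Hash and check the raw strings: the self-test fails
        "matches_without_normalization": check_password(PASSWORD2, stored_raw, normalize=False),
    }


if __name__ == "__main__":
    for key, value in self_test().items():
        print(f"{key}: {value}")
```

Two things worth noting from the output: NFC and NFD do not unify the strings, because the fi ligature U+FB01 has only a compatibility decomposition, so a library that normalizes to NFC would still fail this test; and normalization has to be applied identically at hash time and at check time, otherwise a hash produced by one code path will never verify from the other.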
