Basci HTTP Auth with with the salted SHA512 algorithm rather than MD5???

Question

I read this article on the new  salted SHA512 algorithm for hashing passwords. I assume this is local but what about using it in a HTTP Basic Auth irule instead of using MD5. Is this possbile? If so, can a sample irule be posted?
Aforementioned article: https://devcentral.f5.com/articles/sha512-passwords&nbsp;
Thank you,&nbsp;

kevin_stewart · Answer

I believe Jeff is specifically talking about Linux local users, but generally speaking:&nbsp;

Basic auth uses base64 - not a hashing algorithm - and is browser-dependent.&nbsp;

SHA512 is an option should you need to hash something:&nbsp;

https://devcentral.f5.com/wiki/iRules.sha512.ashx&nbsp;

jrahm · Answer

That could be problematic as you need the salt and hash to verify the correct password. Storing it in table space is an option, but that isn't a permanent filestore and you risk forcing password resets for everyone. If you wanted to go down that route, you'd need to generate a CSPRNG for the salt (for SHA512 it should be at least 64 bytes) and prepend that to your password before hashing with the built-in SHA512 iRules command. rand is not cryptographically secure, but perhaps now with proc support, someone wants to take on building a CSPRNG proc for iRules?

Forum Discussion

Basci HTTP Auth with with the salted SHA512 algorithm rather than MD5???

Recent Discussions

MAC address of deleted VS IP address still responsive

Different common name ssl acces 403 forbiddent

dynamic signature detection

DNS HM Probe issue

F5 looses the token for the first call

Related Content

Pegasus, Salt Typhoon, Turla Covert Campaign, Windows 11 TPM2.0, and Chrome's 'Store Review'

SHA512 passwords

What is the "Ring Hash" Load-Balancing Algorithm?

SaltStack Salt SSH Command Injection Vulnerability (CVE-2020-16846)

TCP Nagle Algorithm

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS