viathinksoft-std-0004-mcf1.txt

 



VIATHINKSOFT/WEBFAN                                         D. Marschall
SPECIFICATION No. 4                                         ViaThinkSoft
First Draft: 2023                                       3 September 2024


          === ViaThinkSoft Modular Crypt Format 1.0 (MCF1) ===

Abstract

   This document describes how the standards for ViaThinkSoft and Webfan
   are defined, written, and published.

Identification of this Document

   Revision:  2024-09-03
   State:     In Force
   Filename:  viathinksoft-std-0004-mcf1.txt
   URN:       urn:x-viathinksoft:std:0004:2024-09-03
   OID:       1.3.6.1.4.1.37476.3.0.1.1
              { iso(1) identified-organization(3) dod(6) internet(1)
                private(4) enterprise(1) 37476 specifications(3)
                misc(0) modular-crypt-format(1) vts-crypt-v1(1) }
   WEID:      weid:pen:SX0-3-0-1-1-5
   IETF/RFC:  (None)

Attachments

   Reference implementation in PHP:
   https://github.com/danielmarschall/php_utils/blob/master/
   vts_crypt.inc.php

Copyright Notice

   Copyright (c) 2023-2024 ViaThinkSoft and the persons identified as
   the document authors.  All rights reserved.

   Licensed under the terms of the Apache 2.0 License.











 


Marschall                                                       [Page 1]

VTS/WF STD. 4              ViaThinkSoft MCF1            3 September 2024


Table of Contents

   1  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1  Terminology . . . . . . . . . . . . . . . . . . . . . . . .  3
   2  MCF Structure . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3  Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4  Security Considerations . . . . . . . . . . . . . . . . . . . .  4
   5  RA Considerations . . . . . . . . . . . . . . . . . . . . . . .  5
   6  References  . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     6.1  Normative References  . . . . . . . . . . . . . . . . . . .  5
     6.2  Informative References  . . . . . . . . . . . . . . . . . .  5
   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . .  5
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .  5



































 


Marschall                                                       [Page 2]

VTS/WF STD. 4              ViaThinkSoft MCF1            3 September 2024


1  Introduction

   ViaThinkSoft Modular Crypt Format 1.0 performs a simple hash or HMAC
   operation and stores the result in a Modular Crypt Format compatible
   string.  No key derivation function or iterations are performed.

   ViaThinkSoft MCF was invented to allow old passwords (e.g. MD5 with
   salt) to be easily converted to a MCF notation ($...$...$) so that
   these old passwords can be stored in the same data structure as newer
   crypt passwords, until they get upgraded to a newer hash.  But it can
   also be used to encapsulate modern hash algorithms like SHA3/512 into
   a MCF format, so that they can be stored together with other MCF
   passwords such as bcrypt.

   Another innovation is to use Object Identifiers (OIDs) as MCF
   algorithm identifier. Algorithm identifiers such as $1$, $2$, ... are
   nice to remember and short, but can quickly lead to conflicts, and
   soon you run out of short identifiers.

1.1  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2  MCF Structure

   Format of VTS MCF1:

   $<id>$<params>$<salt>$<hash>

   <id> is 1.3.6.1.4.1.37476.3.0.1.1

   <params> is a=<algo>,m=<mode>[,i=<iterations>]

   where <algo> is any valid hash algorithm (name scheme of PHP
   hash_algos() preferred), e.g.
   - sha3-512
   - sha3-384
   - sha3-256
   - sha3-224
   - sha512
   - sha512/256
   - sha512/224
   - sha384
   - sha256
 


Marschall                                                       [Page 3]

VTS/WF STD. 4              ViaThinkSoft MCF1            3 September 2024


   - sha224
   - sha1
   - md5

   Not possible with MCF1 are these hashes (because they have a special
   salt-handling and output their own crypt format):
   - bcrypt [Standardized crypt identifier 2, 2a, 2x, 2y]
   - argon2i [Crypt identifier argon2i, not standardized]
   - argon2id [Crypt identifier argon2i, not standardized]

   Valid <mode> parameters:
   - sp = salt + password
   - ps = password + salt
   - sps = salt + password + salt
   - shp = salt + Hash(password)
   - hps = Hash(password) + salt
   - shps = salt + Hash(password) + salt
   - hmac = HMAC (salt is the key)
   - pbkdf2 = PBKDF2-HMAC

   <iterations> can be omitted if 0.  It is required for mode m=pbkdf2. 
   For sp/ps/sps/shp/hps/shps/hmac, it is optional.

   Like most Crypt-hashes, <salt> and <hash> are Radix64 coded without
   padding and with alphabet
   './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.

3  Test Vectors

   Input:      Hello World
   Hash:       $1.3.6.1.4.1.37476.3.0.1.1$a=sha3-
   256,m=sp$$2Ud0hUTh//swVxoilAltWQ/9LQ189eZcdJ/hA5HkV/C
   Algorithm:  SHA3-256
   Mode:       sp (Salt || Password)
   Salt:       None

   Input:      Hello World
   Hash:       $1.3.6.1.4.1.37476.3.0.1.1$a=sha3-
   256,m=sp$CAT/9cvgCuS$dqNf5hJf0p09lYx.9rvI/c96swTz58tGhipuhobl8Ke
   Algorithm:  SHA3-256
   Mode:       sp (Salt || Password)
   Salt:       8 Bytes

4  Security Considerations

   Hash values play a crucial role in various security contexts, such as
   password verification.  For detailed guidance on securely managing
   hashes, please consult the relevant literature or documentation.
 


Marschall                                                       [Page 4]

VTS/WF STD. 4              ViaThinkSoft MCF1            3 September 2024


5  RA Considerations

   OID:  1.3.6.1.4.1.37476.3.0.1.1
   ASN1: { iso(1) identified-organization(3) dod(6) internet(1)
   private(4) enterprise(1) 37476 specifications(3)
   misc(0) modular-crypt-format(1) vts-crypt-v1(1) }
   IRI:  /.../Specifications/Misc/ModularCryptFormat/VtsCryptV1
   WEID: weid:pen:SX0-3-0-1-1-5


6  References

6.1  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

6.2  Informative References

   None

Acknowledgements

   I would like to thank Melanie Wehowski for her long time support in
   OIDplus and WEID projects.

   This document was written in Nroff Internet Draft Editor by 3xA
   Security.
   https://aaa-sec.com/nroffedit/
   https://misc.daniel-marschall.de/patches/nroffedit/ ("year 2020"
   patch)

Authors' Addresses

   Daniel Marschall
   Postfach 11 53
   69243 Bammental
   Germany

   Email: daniel-marschall@viathinksoft.de
   URI:   https://www.viathinksoft.com/








Marschall                                                       [Page 5]