[cryptography] Oddity in common bcrypt implementation

Marsh Ray marsh at extendedsubset.com
Wed Jun 29 19:06:35 EDT 2011


fOn 06/29/2011 05:41 PM, Jeffrey Walton wrote:
>  From my interop-ing experience with Windows, Linux, and Apple (plus
> their mobile devices), I found the best choice for password
> interoperability was UTF8, not UTF16.

I use UTF-8 whenever possible, too.

Just to be clear here, the native OS Win32 API that must be used in some 
configurations accepts UTF-16LE passwords for authentication. That's not 
my choice.

Neither is it my choice what encoding the remote endpoint happens to be 
using. It doesn't even tell me.

My code simply has to convert between them in the least-broken manner 
possible.

The realities of crypto authentication protocol implementation mean I 
can't log the decrypted password for debugging or ask the user about it 
either. I actually added a heuristic that counts the number of "typical" 
characters and logs a message to the effect of "hmm, looks like this 
thing may not have decoded properly, maybe the shared secret isn't 
correct". That little diagnostic has proven quite helpful at times.

- Marsh



More information about the cryptography mailing list