Strictly speaking it would be best to implement PBKDF2 to accept any hash algorithm it's configured with – like I did in my password-hashing branch – rather than using just whirlpool.
I thought I even used whirlpool myself as the default in my branch, but it looks like I actually played it safe and used sha256 as the default hash algorithm with 64 bits of salt and 10000 PBKDF2 HMAC iterations.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On 2014-02-05 8:26 PM, C. Scott Ananian wrote:
Password hashing algorithms are not the same as general hash algorithms. I would prefer we didn't use whirlpool; it is "recommended by NESSIE and ISO" as a hash function, but as a password hash. CWE916 recommends "bcrypt, scrypt, and PBKDF2" specifically for password hashing.
To be clear, I have nothing against the Whirlpool hash algorithm itself: it's got a long pedigree with a decent amount of cryptanalysis. It's just the extension to password hashing which is nonstandard. If you wanted to use Whirlpool as a password hash, you should apply it as part of PBKDF2, which is parameterizable. That would be a reasonable way to distinguish the WMF hash to avoid general attacks without inventing new cryptography. The default PRF for PBKDF2 is HMAC-SHA-1; you would be replacing this with HMAC-Whirlpool. This would be much preferable to using str_repeat+Whirlpool.
--scott
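Added example, not part of either message above and not MediaWiki's code: a PHP sketch of PBKDF2 with a configurable HMAC PRF, as both messages discuss, using the sha256 / 64-bit salt / 10000-iteration defaults mentioned in the reply. The function names and the colon-separated stored format are assumptions made for illustration.

```php
<?php
// Added example: helper names and the stored-string layout are hypothetical.
const PBKDF2_PREFIX = 'pbkdf2';

function pbkdf2_hash_password(string $password, string $algo = 'sha256',
                              int $iterations = 10000, int $saltBytes = 8): string {
    // Accept only digests PHP can use as an HMAC PRF (excludes crc32, adler32, ...).
    if (!in_array($algo, hash_hmac_algos(), true)) {
        throw new InvalidArgumentException("Unsupported HMAC algorithm: $algo");
    }
    $salt = random_bytes($saltBytes); // 8 bytes = 64 bits of salt
    // Length 0 = full digest length of $algo; true = raw bytes.
    $dk = hash_pbkdf2($algo, $password, $salt, $iterations, 0, true);
    // Store every parameter next to the hash so defaults can change later.
    return implode(':', [PBKDF2_PREFIX, $algo, $iterations,
                         base64_encode($salt), base64_encode($dk)]);
}

function pbkdf2_verify_password(string $password, string $stored): bool {
    $parts = explode(':', $stored);
    if (count($parts) !== 5 || $parts[0] !== PBKDF2_PREFIX) {
        return false;
    }
    [, $algo, $iterations, $saltB64, $dkB64] = $parts;
    $salt = base64_decode($saltB64, true);
    $expected = base64_decode($dkB64, true);
    // Reject malformed records instead of passing them to the KDF.
    if (!in_array($algo, hash_hmac_algos(), true) || !ctype_digit($iterations)
        || (int)$iterations < 1 || $salt === false || $expected === false) {
        return false;
    }
    // Recompute with the stored parameters, not the current defaults.
    $actual = hash_pbkdf2($algo, $password, $salt, (int)$iterations,
                          strlen($expected), true);
    return hash_equals($expected, $actual); // constant-time comparison
}

// Constructed sample input: same password, two different PRFs.
foreach (['sha256', 'whirlpool'] as $algo) {
    $stored = pbkdf2_hash_password('correct horse', $algo);
    printf("%s\n  match=%s mismatch=%s\n", $stored,
        var_export(pbkdf2_verify_password('correct horse', $stored), true),
        var_export(pbkdf2_verify_password('Correct horse', $stored), true));
}
```

Because the algorithm and iteration count travel with each record, switching the PRF to HMAC-Whirlpool or raising the iteration count only affects newly written hashes; existing ones keep verifying under their stored parameters.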