I am going through requirements outlined in NIST SP 800-63B for AAL1, to make sure that my Clojure application is compliant. When going through section "5.1.1.2 Memorized Secret Verifiers", it seems that :bcrypt+sha512 does fulfill all the requirements, except for:
> In addition, verifiers SHOULD perform an additional iteration of a key derivation function using a salt value that is secret and known only to the verifier. This salt value, if used, SHALL be generated by an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A (112 bits as of the date of this publication). The secret salt value SHALL be stored separately from the hashed memorized secrets (e.g., in a specialized device like a hardware security module). With this additional iteration, brute-force attacks on the hashed memorized secrets are impractical as long as the secret salt value remains secret.
As far as I know this is not something that buddy-hashers does at this point?
The NIST guidelines can be found at https://pages.nist.gov/800-63-3/sp800-63b.html and seem not only very reasonable and well-written, but also a rather convenient set of rules that we could all adhere to.
Hello @jwr
You are correct, right now buddy-hashers only uses a public salt. A private salt is something like an HMAC mechanism, which allows invalidating all passwords just by changing this private salt. We can think about integrating this as an optional feature.
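As an added illustration of the secret-salt step quoted in the issue (the "additional iteration of a key derivation function" keyed with a value known only to the verifier), here is a language-neutral sketch in Python. This is example code written for this page, not buddy-hashers code and not the library's planned API; the record format, the function names, the PBKDF2 parameters and the minimum key length are assumptions. The public salt is stored in the record as usual; the secret salt (often called a pepper) is passed in separately and never written to the record, which is what makes a leaked password table useless on its own and what lets a key change invalidate every stored hash at once.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example; they are not buddy-hashers defaults.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16
MIN_PEPPER_BYTES = 14  # 112 bits, the SP 800-131A minimum cited by 800-63B


def check_pepper_key(pepper_key: bytes) -> bool:
    """The secret salt must provide at least 112 bits of security strength."""
    return isinstance(pepper_key, bytes) and len(pepper_key) >= MIN_PEPPER_BYTES


def _pepper(pepper_key: bytes, derived: bytes) -> bytes:
    """The extra, keyed iteration: HMAC over the salted KDF output.

    Only the verifier holds pepper_key (in practice loaded from an HSM/KMS or a
    secret store, never from the password table)."""
    return hmac.new(pepper_key, derived, hashlib.sha256).digest()


def hash_password(password: str, pepper_key: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record: algorithm, iterations, public salt, peppered tag."""
    if not check_pepper_key(pepper_key):
        raise ValueError("pepper key shorter than 112 bits")
    # Public salt from the OS CSPRNG; stored alongside the hash as usual.
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    tag = _pepper(pepper_key, derived)
    # Everything needed to verify is here EXCEPT the secret salt.
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), tag.hex())


def verify_password(password: str, record: str, pepper_key: bytes) -> bool:
    """Recompute the peppered tag and compare in constant time."""
    try:
        alg, iters, salt_hex, tag_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if alg != "pbkdf2-sha256":
        return False
    salt = bytes.fromhex(salt_hex)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    expected = _pepper(pepper_key, derived)
    return hmac.compare_digest(expected, bytes.fromhex(tag_hex))


if __name__ == "__main__":
    # Assumed deployment: the key comes from outside the database.
    pepper_key = secrets.token_bytes(32)
    record = hash_password("correct horse battery staple", pepper_key)
    print(record)
    print(verify_password("correct horse battery staple", record, pepper_key))  # True
    # Rotating (or losing) the secret salt invalidates every stored record.
    print(verify_password("correct horse battery staple", record, secrets.token_bytes(32)))  # False
```

Two things the sketch deliberately leaves to the deployment: whether the key's generator counts as an SP 800-90A approved RBG (the `secrets` module uses the operating-system CSPRNG, which may or may not be what an assessor accepts), and how the key is stored and rotated. Rotation is the operational cost of this construction: because the HMAC is applied after the salted KDF and the KDF output is never stored, a new key cannot be applied to existing records offline, so users are re-hashed on their next successful login or forced through a reset.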