Secure password storing with saltedpasswords in TYPO3
German version available here: http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit

Slide 1 (title): Secure password storing with saltedpasswords. TYPO3camp Munich, 11./12. September 2010. Image: Carlos Porto / FreeDigitalPhotos.net. Inspiring people to share.
Slide 2: Secure password storing with TYPO3’s system extension “saltedpasswords”. Steffen Gebert <steffen@steffen-gebert.de>. Translated slides; original title: “TYPO3-Passwörter sicher speichern mit saltedpasswords”, http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit
Slide 3 (Introduction): Your speaker. Steffen Gebert, student, freelancer, TYPO3 Core Team member.
Slide 4 (Introduction): Ouch! From the TYPO3 Association, 3rd Quarterly Report 2008: “What happened? An unauthorized person gained administrative access to the typo3.org website. As far as we can tell, an admin password was stolen and used to find out more passwords on typo3.org.”
Slide 5 (Introduction): Saving passwords. Definite no-go: storing the cleartext password. Instead: save a hash (“check sum”) of it and compare against that hash during login.
Slide 6 (Introduction): Fundamental knowledge: hashing. A hash is a one-way function: identical input => identical output, e.g. md5(‘joh316’) = ‘bacb98acf97e0b6112b1d1b650b84971’, while the opposite direction is not algorithmically computable. The most frequently used algorithm, MD5, has not been considered secure for ages (collisions are easy to compute, huge rainbow tables are available). Alternatives (SHA) only provide a bigger result set => just new rainbow tables needed.
Slide 7 (Introduction): Saving a salted password.
  User input: ‘joh316’
  Generate salt, e.g. ‘7deb882cf’
  Compute hash: md5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’
  Save salt and hash
Slide 8 (Introduction): Validating a salted password.
  User input: ‘joh316’
  Read the salt used from the database: ‘7deb882cf’
  Compute hash: md5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’
  Compare with the saved hash
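The store-and-validate flow of slides 6 to 8, written out as an added PHP example (this is not code from the slides or from the saltedpasswords extension). It keeps the slides' scheme, md5(salt . password), but draws the salt from random_bytes() and compares hashes with hash_equals(); the nine-character salt length is an assumption taken from the slide's example value, not a rule the slides state.

```php
<?php
// Added example, not code from the slides or from the saltedpasswords extension:
// the salted-MD5 scheme of slides 6-8 (md5(salt . password)), with a random salt
// from random_bytes() and a constant-time comparison via hash_equals().
declare(strict_types=1);

// Random hex salt. Nine characters mirrors the slide's example ‘7deb882cf’;
// the length is an assumption of this example, not a rule from the slides.
function generateSalt(int $length = 9): string
{
    return substr(bin2hex(random_bytes(intdiv($length + 1, 2))), 0, $length);
}

// Slide 7: generate (or accept) a salt, hash salt . password, return both for storage.
function storeSaltedPassword(string $password, ?string $salt = null): array
{
    $salt = $salt ?? generateSalt();
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

// Slide 8: read the salt back, recompute, compare in constant time. hash_equals()
// avoids both the timing leak of == and PHP's loose comparison of "0e..." hex strings.
function validateSaltedPassword(string $userInput, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, md5($salt . $userInput));
}

// Slide 6: without a salt, identical input gives identical output for every user,
// so one precomputed (rainbow) table covers all of them.
$userA = md5('joh316');
$userB = md5('joh316');
printf("unsalted, same password twice: %s\n", $userA === $userB ? 'identical' : 'different');

// With independent random salts the stored hashes differ even for the same password.
$recA = storeSaltedPassword('joh316');
$recB = storeSaltedPassword('joh316');
printf("salted, same password twice:   %s\n", $recA['hash'] === $recB['hash'] ? 'identical' : 'different');

// Round trip with the slide's own salt; slide 7 gives ‘bacedc598493cb316044207d95f7ad54’ as the result.
$rec = storeSaltedPassword('joh316', '7deb882cf');
printf("salt=%s hash=%s\n", $rec['salt'], $rec['hash']);

// The correct password validates against the stored salt and hash; a wrong one does not.
var_dump(validateSaltedPassword('joh316', $rec['salt'], $rec['hash']));
var_dump(validateSaltedPassword('joh317', $rec['salt'], $rec['hash']));
```

Salted MD5 is shown here because it is the scheme the slides walk through; the extension's other methods (slide 10) replace the single md5() call with a slow, iterated function, which is what makes brute-forcing a stolen table expensive.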
Slide 9 (The Extension): System extension saltedpasswords. Formerly t3sec_saltedpasswords by Marcus Krause, member of the TYPO3 Security Team. Integrated into TYPO3 Core version 4.3 after a rework by Steffen Ritter.
Slide 10 (The Extension): Implemented salting methods.
  Salted MD5
  Portable PHP password hashing framework (PHPASS): available for various PHP applications (Drupal etc.); repetitive execution of MD5 (slow)
  Blowfish: availability dependent on the environment; starting with PHP 5.3 an implementation ships with PHP
Slide 11 (The Extension): Crux of the matter: the password must be available in plaintext on the server. TYPO3 by default transfers an MD5 hash, and transferring the plaintext is insecure. Prerequisite (at least one of): an SSL-secured connection, or the system extension rsaauth, which encrypts the password with the RSA algorithm prior to transfer.
Slide 12 (Installation & Configuration): rsaauth.
  Prerequisites: OpenSSL (PHP extension recommended, binary as fallback); JavaScript
  Activation:
    Frontend: $TYPO3_CONF_VARS[FE][loginSecurityLevel] = ‘rsa’;
    Backend:  $TYPO3_CONF_VARS[BE][loginSecurityLevel] = ‘rsa’;
Slide 13 (Installation & Configuration): saltedpasswords with SSL encryption.
  Frontend: $TYPO3_CONF_VARS[FE][loginSecurityLevel] = ‘normal’
  Backend:  $TYPO3_CONF_VARS[BE][lockSSL] > 0
Slide 14 (Installation & Configuration): Installation of saltedpasswords. Checks availability of rsaauth or lockSSL; separate activation for Frontend and Backend; choice of hashing method.
Slide 15 (Compatibility): Backwards compatibility. Existing passwords (unsalted MD5)? An immediate conversion is not possible, as the cleartext is not available; the only possible moment is during login.
Slide 16 (Compatibility): Extensions. Frontend: felogin is compatible; srfeuserregister_t3secsaltedpw. Alternative FE user registrations? Adjustments to your own extensions might be needed.
Slide 17 (Background knowledge): Password formats.
  MD5 without salt:
    bacb98acf97e0b6112b1d1b650b84971
  MD5 with salt (starts with $1$, 12 characters of salt):
    $1$13NETowd$WFpl6npZF71YKkCCzGds2.
  Blowfish (starts with $2a$, 22 characters of salt):
    $2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W
  PHPASS (starts with $P$):
    $P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.
Slide 18 (Background knowledge): Password formats: pro & contra.
  PHPASS: low system requirements (compatible with every PHP version); requires a PHPASS implementation in the application
  MD5 / Blowfish: format of Unix’ crypt(), compatible with system services (/etc/passwd); the better choice (?); availability of algorithms is system dependent; with PHP 5.3.2 SHA-256/512 is also possible
Slide 19 (Background knowledge): Usage of crypt().
  Password validation: crypt($user_input, $encrypted_password) == $encrypted_password
  Saved hash (including salt):
    $1$13NETowd$WFpl6npZF71YKkCCzGds2.
  Checking against the saved password ‘joh316’:
    crypt(joh316, $1$13NETowd$WFpl6npZF71YKkCCzGds2.) = $1$13NETowd$WFpl6npZF71YKkCCzGds2.
    crypt(password, $1$13NETowd$WFpl6npZF71YKkCCzGds2.) = $1$13NETowd$SeAArtswHd8jzc9SQvH691
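An added PHP example (not the extension's code) that ties slides 15, 17 and 19 together: it recognises a stored password by the prefixes of slide 17, validates it the way slide 19 does but with hash_equals() in place of ==, and performs the login-time upgrade of legacy unsalted MD5 rows that slide 15 says is the only possible moment for conversion. It assumes PHP 8 (for str_starts_with) and uses the $2y$ Blowfish identifier PHP introduced after the slides' $2a$; the user table is a constructed in-memory array, and the PHPASS branch is left unimplemented because it needs the external library named on slide 18.

```php
<?php
// Added example, not the extension's code: recognising the crypt()-style formats of
// slide 17, validating them as slide 19 does (with hash_equals() instead of ==), and
// the login-time migration of legacy unsalted MD5 rows described on slide 15.
// Assumes PHP 8 (str_starts_with) and uses the $2y$ Blowfish identifier that PHP
// introduced after the slides' $2a$. The "user table" is a constructed in-memory array.
declare(strict_types=1);

// Identify the stored format by its prefix (slide 17). A bare 32-hex string is the
// legacy unsalted MD5 that TYPO3 stored before saltedpasswords.
function passwordFormat(string $stored): string
{
    if (str_starts_with($stored, '$2y$') || str_starts_with($stored, '$2a$')) { return 'blowfish'; }
    if (str_starts_with($stored, '$1$')) { return 'salted-md5'; }
    if (str_starts_with($stored, '$P$')) { return 'phpass'; }
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) { return 'unsalted-md5'; }
    return 'unknown';
}

// Blowfish salt string: 22 characters from [./A-Za-z0-9]; base64 emits '+', which
// crypt() does not accept in a salt, so it is mapped to '.'.
function blowfishSalt(int $cost = 10): string
{
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

function hashPassword(string $plain): string
{
    $hash = crypt($plain, blowfishSalt());
    // crypt() signals an unsupported algorithm with a short failure string such as "*0".
    if (strlen($hash) !== 60) {
        throw new RuntimeException('Blowfish crypt() is not available on this system');
    }
    return $hash;
}

// Slide 19's check, crypt($input, $stored) == $stored, done in constant time.
function verifyPassword(string $plain, string $stored): bool
{
    switch (passwordFormat($stored)) {
        case 'unsalted-md5':
            return hash_equals($stored, md5($plain));
        case 'phpass':     // needs the PHPASS library (slide 18); not covered here
        case 'unknown':
            return false;
        default:
            return hash_equals($stored, crypt($plain, $stored));
    }
}

// Slide 15: a legacy MD5 row can only be upgraded while the plaintext is present,
// i.e. right after a successful login. In TYPO3 this would be an UPDATE on be_users/fe_users.
function loginAndMigrate(array &$users, string $username, string $plain): bool
{
    if (!isset($users[$username]) || !verifyPassword($plain, $users[$username])) {
        return false;
    }
    if (passwordFormat($users[$username]) === 'unsalted-md5') {
        $users[$username] = hashPassword($plain);
    }
    return true;
}

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Constructed sample table: one legacy row, one row already in Blowfish format.
$users = [
    'legacy' => md5('joh316'),
    'modern' => hashPassword('joh316'),
];
check(loginAndMigrate($users, 'legacy', 'wrong') === false, 'wrong password rejected');
check(passwordFormat($users['legacy']) === 'unsalted-md5', 'failed login leaves the row untouched');
check(loginAndMigrate($users, 'legacy', 'joh316') === true, 'legacy login succeeds');
check(passwordFormat($users['legacy']) === 'blowfish', 'row migrated on successful login');
check(loginAndMigrate($users, 'modern', 'joh316') === true, 'Blowfish row still verifies');
echo "all checks passed\n";

// Slide 19's own example: crypt() with the stored string as the salt argument.
$slideHash = '$1$13NETowd$WFpl6npZF71YKkCCzGds2.';
echo crypt('joh316', $slideHash) === $slideHash ? "slide 19 example reproduced\n" : "slide 19 example not reproduced\n";
```

Two details matter for a real deployment: the migration only ever runs after a successful verification, so a failed login never rewrites a row, and the legacy md5() branch stays in place only until every row has been visited once; rows of users who never log in again remain unsalted, which is the residual risk slide 15 describes.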
Slide 20: Web links.
  Free Rainbow Tables: http://www.freerainbowtables.com
  PHPASS: http://www.openwall.com/phpass/
  PHP Manual: crypt(): http://de2.php.net/manual/en/function.crypt.php
  Wikipedia: crypt (Unix): http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function
Slide 21: ?????
Slide 22: Inspiring people to share.