Secure password storing with saltedpasswords in TYPO3

German version available here: http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit

Presentation Transcript

    • Secure password storing with saltedpasswords
      TYPO3camp Munich, 11./12. September 2010
      Image: Carlos Porto / FreeDigitalPhotos.net
      Inspiring people to share
    • Secure password storing with TYPO3's system extension "saltedpasswords"
      Steffen Gebert <steffen@steffen-gebert.de>
      Translated slides, original title: "TYPO3-Passwörter sicher speichern mit saltedpasswords"
      http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit
      TYPO3camp Munich, 11./12. September 2010
    • Introduction: Your speaker
      Steffen Gebert: student, freelancer, TYPO3 Core Team member
    • Introduction: Ouch!
      TYPO3 Association, 3rd Quarterly Report 2008:
      "What happened? An unauthorized person gained administrative access to the typo3.org website. As far as we can tell, an admin password was stolen and used to find out more passwords on typo3.org."
    • Introduction: Saving passwords
      Definite no-go: storing the cleartext password.
      Instead: save a hash ("check sum") of the password and compare against that hash during login.
    • Introduction: Fundamental knowledge, hashing
      One-way function: identical input => identical output, e.g. md5('joh316') = 'bacb98acf97e0b6112b1d1b650b84971'; the opposite direction is not algorithmically computable.
      Most frequently used algorithm: MD5, which has not been considered secure for a long time (collisions are easy to compute, huge rainbow tables are available).
      Alternatives (SHA) only provide a bigger result set => just new rainbow tables are needed.
    • Introduction: Saving a salted password
      User input: 'joh316'
      Generate a salt, e.g. '7deb882cf'
      Compute the hash: md5('7deb882cf' . 'joh316') = 'bacedc598493cb316044207d95f7ad54'
      Save salt and hash
    • Introduction: Validating a salted password
      User input: 'joh316'
      Read the salt that was used from the database: '7deb882cf'
      Compute the hash: md5('7deb882cf' . 'joh316') = 'bacedc598493cb316044207d95f7ad54'
      Compare with the saved hash
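The save and validate procedures from the two slides above, written out as an added Python example (not code from the slides or from TYPO3). MD5 is used only because the slides use it for illustration; the record layout `salt$hash`, the salt length and the function names are assumptions of this example, and the constant-time comparison is this example's addition.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not from the slides or from TYPO3. MD5 is kept only because
# the slides illustrate with it; the talk itself recommends crypt()-style
# methods (MD5-crypt, Blowfish, PHPass) for real deployments.

SALT_HEX_CHARS = 9   # the slide's example salt '7deb882cf' is 9 hex characters


def make_salt() -> str:
    """Random per-user salt from the OS CSPRNG (the slide only says 'generate')."""
    return secrets.token_hex(8)[:SALT_HEX_CHARS]


def salted_md5(salt: str, password: str) -> str:
    """hash = md5(salt . password), exactly as on the 'Saving a salted password' slide."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def unsalted_md5(password: str) -> str:
    """What TYPO3 stored before saltedpasswords: md5(password) with no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[str] = None) -> str:
    """Build the record to persist: salt and hash joined with '$' (assumed layout)."""
    if salt is None:
        salt = make_salt()
    return salt + "$" + salted_md5(salt, password)


def validate_password(user_input: str, stored: str) -> bool:
    """Read the salt back from the record, recompute the hash, compare."""
    salt, sep, expected = stored.partition("$")
    if sep == "":
        return False  # no salt in the record: not one of our salted entries
    actual = salted_md5(salt, user_input)
    # constant-time comparison so the check does not leak, via timing,
    # how many leading characters of the hash already matched
    return hmac.compare_digest(actual, expected)
```

Two users with the same password get different records because each gets its own salt, which is what stops a single precomputed rainbow table from covering the whole user table.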
    • The extension: system extension saltedpasswords
      Formerly t3sec_saltedpasswords by Marcus Krause, member of the TYPO3 Security Team
      Integrated into the TYPO3 Core with version 4.3 after a rework by Steffen Ritter
    • The extension: implemented salting methods
      Salted MD5
      Portable PHP password hashing framework (PHPass): available for various PHP applications (Drupal etc.); repetitive execution of MD5 (slow)
      Blowfish: availability depends on the environment; starting with PHP 5.3 the implementation ships with PHP
    • The extension: crux of the matter
      The password must be available in plaintext on the server, but TYPO3 by default transfers only an MD5 hash, and a plaintext transfer is insecure.
      Prerequisite (at least one of):
      SSL-secured connection
      System extension rsaauth, which encrypts the password with RSA prior to transfer
    • Installation & configuration: rsaauth
      Prerequisites: OpenSSL (PHP extension recommended, binary as fallback), JavaScript
      Activation:
      Frontend: $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'rsa';
      Backend: $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';
    • Installation & configuration: saltedpasswords with SSL encryption
      Frontend: $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';
      Backend: $TYPO3_CONF_VARS['BE']['lockSSL'] set to a value > 0
    • Installation & configuration: installation of saltedpasswords
      Checks the availability of rsaauth or lockSSL
      Separate activation for frontend and backend
      Choice of hashing method
    • Compatibility: backwards compatibility
      Existing passwords (unsalted MD5)? Immediate conversion is not possible, as the cleartext is not available; the only possible moment is during login.
    • Compatibility: extensions
      Frontend: felogin is compatible; srfeuserregister_t3secsaltedpw
      Alternative FE user registrations? Adjustments to your own extensions might be needed.
    • Background knowledge: password formats
      MD5 without salt: bacb98acf97e0b6112b1d1b650b84971
      MD5 with salt: starts with $1$, 12 characters of salt: $1$13NETowd$WFpl6npZF71YKkCCzGds2.
      Blowfish: starts with $2a$, 22 characters of salt: $2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W
      PHPass: starts with $P$: $P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.
    • Background knowledge: password formats, pro & contra
      PHPass: low system requirements (compatible with every PHP version); requires a PHPass implementation in the application
      MD5 / Blowfish: format of Unix crypt(), compatible with system services (/etc/passwd); the better choice (?); availability of the algorithms is system dependent; with PHP 5.3.2 also SHA-256/512 are possible
    • Background knowledge: usage of crypt()
      Password validation: crypt($user_input, $encrypted_password) == $encrypted_password
      Saved hash (including salt): $1$13NETowd$WFpl6npZF71YKkCCzGds2.
      Checking against the saved password 'joh316':
      crypt('joh316', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.') = '$1$13NETowd$WFpl6npZF71YKkCCzGds2.'
      crypt('password', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.') = '$1$13NETowd$SeAArtswHd8jzc9SQvH691'
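An added Python example (not code from the slides or from TYPO3) that recognises the stored password formats listed on the "Password formats" slide and extracts algorithm, cost and salt, so an operator can tell which records are still unsalted MD5 and must be re-hashed at the user's next login, as the backwards-compatibility slide describes. The field layouts follow the published crypt() and PHPass formats; the function names are this example's own.

```python
import re
from typing import Dict, Optional

# Added example, not from the slides or from TYPO3. Field layouts follow the
# published crypt() formats ($1$ MD5-crypt, $2a$ Blowfish) and PHPass ($P$).
_PLAIN_MD5 = re.compile(r"^[0-9a-f]{32}$")
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_BLOWFISH = re.compile(r"^\$2a\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def identify_stored_password(stored: str) -> Optional[Dict[str, object]]:
    """Describe a stored password string; None if the format is not recognised."""
    if _PLAIN_MD5.match(stored):
        # legacy TYPO3 format: md5(password) with no salt, rainbow-table attackable
        return {"algorithm": "md5", "salted": False, "salt": "", "cost": None}
    if stored.startswith("$1$"):
        # MD5-crypt: $1$ + up to 8 salt chars + $ + 22 hash chars
        salt, sep, digest = stored[3:].partition("$")
        if sep == "" or not 1 <= len(salt) <= 8 or len(digest) != 22:
            return None
        return {"algorithm": "md5-crypt", "salted": True, "salt": salt, "cost": None}
    if stored.startswith("$2a$"):
        # Blowfish (bcrypt): $2a$ + 2-digit cost + $ + 22 salt chars + 31 hash chars
        m = _BLOWFISH.match(stored)
        if not m:
            return None
        return {"algorithm": "blowfish", "salted": True, "salt": m.group(2),
                "cost": int(m.group(1))}
    if stored.startswith("$P$"):
        # PHPass portable: $P$ + 1 cost char (log2 of the MD5 rounds, itoa64
        # encoded) + 8 salt chars + 22 hash chars = 34 chars in total
        if len(stored) != 34 or stored[3] not in _ITOA64:
            return None
        return {"algorithm": "phpass", "salted": True, "salt": stored[4:12],
                "cost": _ITOA64.index(stored[3])}
    return None


def needs_migration(stored: str) -> bool:
    """True for records that must be re-hashed at the next login: unsalted MD5,
    plus anything this example cannot recognise (treated conservatively)."""
    info = identify_stored_password(stored)
    return info is None or not info["salted"]
```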
    • Web links
      Free Rainbow Tables: http://www.freerainbowtables.com
      PHPass: http://www.openwall.com/phpass/
      PHP Manual: crypt(): http://de2.php.net/manual/en/function.crypt.php
      Wikipedia: crypt (Unix): http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function
    • Inspiring people to share.