Secure password storing with saltedpasswords in TYPO3

Image: Carlos Porto / FreeDigitalPhotos.net TYPO3camp Munich - 11./12. September 2010 Inspiring people to Secure password storing with saltedpasswords share

Secure password storing with TYPO3’s system extension “saltedpasswords” Steffen Gebert <steffen@steffen-gebert.de> Translated slides, original title: “TYPO3-Passwörter sicher speichern mit saltedpasswords” http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit TYPO3camp Munich- 11./12. September 2010 Inspiring people to Secure password storing with saltedpasswords share

Introduction Your Speaker Steffen Gebert Student, Freelancer TYPO3 Core Team Member Inspiring people to Secure password storing with saltedpasswords share

Introduction Ouch! TYPO3 Assicciation, 3rd Quarterly Report 2008 “What happened? An unauthorized person gained administrative access to the typo3.org website. As far as we can tell, an admin password was stolen and used to ﬁnd out more passwords on typo3.org.” Inspiring people to Secure password storing with saltedpasswords share

Introduction Saving passwords Deﬁnite no-go: Storing cleartext password Instead Saving of a hash (“check sum”) Comparing with hash during login Inspiring people to Secure password storing with saltedpasswords share

Introduction Fundamental knowledge: Hashing One-way function identical input => identical output md5(‘joh316’) = ‘bacb98acf97e0b6112b1d1b650b84971’ opposite direction not argorithmically computable Most frequently used algorithm: MD5 not considered secure since ages (clashes easy to compute, huge rainbow tables available) Alternatives (SHA) only provide bigger result set => just new rainbow tables needed Inspiring people to Secure password storing with saltedpasswords share

Introduction Saving a salted password User input: ‘joh316’ Generate salt, e.g. ‘7deb882cf’ Compute Hash md5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’ Save salt and hash Inspiring people to Secure password storing with saltedpasswords share

Introduction Validating a salted password User intut: ‘joh316’ Read used salt from database: ‘7deb882cf’ Compute hash md5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’ Compare with saved hash Inspiring people to Secure password storing with saltedpasswords share

The Extension System extension saltedpasswords Formerly t3sec_saltedpasswords by Marcus Krause, Member of the TYPO3 security team Integration into TYPO3 Core version 4.3 after rework by Steffen Ritter Inspiring people to Secure password storing with saltedpasswords share

The Extension Implemented salting methods Salted MD5 Portable PHP password hashing framework Available for various PHP applications (Drupal etc.) Repetetive exectution of MD5 (slow) Blowﬁsh Availability dependent of environment Starting with PHP 5.3 implementation shipped with PHP Inspiring people to Secure password storing with saltedpasswords share

The Extension Crux of the matter... Password must be available in plaintext TYPO3 by default transfers MD5 hash Plaintext transfer unsecure Prerequisite (at least one) SSL secured connection System extension rsaauth Encrypts passwords prior transfer using RSA algorithm Inspiring people to Secure password storing with saltedpasswords share

Installation & Conﬁguration rsaauth Prerequisite OpenSSL: PHP extension recommended, binary as fallback JavaScript Activation Frontend $TYPO3_CONF_VARS[FE][loginSecurityLevel] = ‘rsa’ Backend $TYPO3_CONF_VARS[BE][loginSecurityLevel] = ‘rsa’; Inspiring people to Secure password storing with saltedpasswords share

Installation & Conﬁguration saltedpasswords with SSL encryption Frontend $TYPO3_CONF_VARS[FE][loginSecurityLevel] = ‘normal’ Backend $TYPO3_CONF_VARS[BE][lockSSL] > 0 Inspiring people to Secure password storing with saltedpasswords share

Installation & Conﬁguration Installation of saltedpasswords Checks availability of rsaauth or lockSSL Separate activation for Frontend and Backend Choice of hashing method Inspiring people to Secure password storing with saltedpasswords share

Compatibility Backwards compatibility Existing passwords? (unsalted MD5) immediate conversion not possible, as cleartext not available only possible moment: during Login Inspiring people to Secure password storing with saltedpasswords share

Compatibility Extensions Frontend felogin compatibel srfeuserregister_t3secsaltedpw Alternative FE-User registrations? Adjustions for own extensions might be needed Inspiring people to Secure password storing with saltedpasswords share

Background knowledge Password formats MD5 without salt bacb98acf97e0b6112b1d1b650b84971 MD5 with Salt starts with $1$, 12 characters of salt $1$13NETowd$WFpl6npZF71YKkCCzGds2. Blowﬁsh starts with $2a$, 22 characters of salt $2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W PHPASS starts with $P$ $P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB. Inspiring people to Secure password storing with saltedpasswords share

Background knowledge Password formats: Pro & Contra PHPASS Low system requirements (compatible with every PHP version) Requires PHPASS implementation in application MD5 / Blowﬁsh Format of Unix’ crypt(), compatible with system services (/etc/passwd) The better choice (?) Availability of algorithms system dependent with PHP 5.3.2 also SHA-256/512 possible Inspiring people to Secure password storing with saltedpasswords share

Background knowledge Usage of crypt() Password validation: crypt($user_input, $encrypted_password) == $encrypted_password Saved hash (including salt): $1$13NETowd$WFpl6npZF71YKkCCzGds2. Checking against saved password ‘joh316’ crypt(joh316, $1$13NETowd$WFpl6npZF71YKkCCzGds2.) = $1$13NETowd$WFpl6npZF71YKkCCzGds2. crypt(password, $1$13NETowd$WFpl6npZF71YKkCCzGds2.) = $1$13NETowd$SeAArtswHd8jzc9SQvH691 Inspiring people to Secure password storing with saltedpasswords share

Web links Free Rainbow Tables http://www.freerainbowtables.com PHPASS http://www.openwall.com/phpass/ PHP Manual: crypt() http://de2.php.net/manual/en/function.crypt.php Wikipedia: crypt (Unix) http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function Inspiring people to Secure password storing with saltedpasswords share

????? ?? ? ?? ?? ? Inspiring people to Secure password storing with saltedpasswords share

inspiring people to share.

Secure password storing with saltedpasswords in TYPO3

by Steffen Gebert on Sep 21, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Secure password storing with saltedpasswords in TYPO3 — Presentation Transcript