

TYPO3camp Munich - 11./12. September 2010
Secure password storing with saltedpasswords
Inspiring people to share

Secure password storing with TYPO3's system extension "saltedpasswords"

Steffen Gebert <steffen@steffen-gebert.de>


Translated slides, original title:
"TYPO3-Passwörter sicher speichern mit saltedpasswords"
http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit


Introduction


Your Speaker
    Steffen Gebert
    Student, Freelancer
    TYPO3 Core Team Member






Ouch!
    TYPO3 Association, 3rd Quarterly Report 2008

        "What happened? An unauthorized person gained
        administrative access to the typo3.org website. As
        far as we can tell, an admin password was stolen
        and used to find out more passwords on typo3.org."






Saving passwords
    Definite no-go: storing the cleartext password

    Instead
        Save a hash ("check sum") of the password
        Compare against that hash during login






Fundamental knowledge: Hashing
    One-way function
        identical input => identical output
        md5('joh316') = 'bacb98acf97e0b6112b1d1b650b84971'
        opposite direction not algorithmically computable

    Most frequently used algorithm: MD5
        not considered secure for a long time (collisions easy to compute,
        huge rainbow tables available)
        Alternatives (SHA) only provide a bigger result set
        => just new rainbow tables needed




Saving a salted password
    User input: 'joh316'

    Generate salt, e.g. '7deb882cf'

    Compute hash
    md5('7deb882cf' . 'joh316') = 'bacedc598493cb316044207d95f7ad54'

    Save salt and hash






Validating a salted password
    User input: 'joh316'

    Read the used salt from the database: '7deb882cf'

    Compute hash
    md5('7deb882cf' . 'joh316') = 'bacedc598493cb316044207d95f7ad54'

    Compare with the saved hash
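The save and validate steps of the two slides above, written out as an added example (not code from the slides or from the saltedpasswords extension). The stored record format "<salt>:<hash>", the function names and PHP 7.1+ (random_bytes(), hash_equals()) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: the salted-MD5 scheme from the slides as two functions.
// Assumption: salt and hash are kept in one column as "<salt>:<hex md5>".

/** Generate a random salt as a hex string (PHP 7+: random_bytes()). */
function generateSalt(int $bytes = 8): string
{
    return bin2hex(random_bytes($bytes));
}

/** Step "Compute hash": md5(salt . password), exactly as on the slides. */
function saltedMd5(string $salt, string $password): string
{
    return md5($salt . $password);
}

/** Step "Save salt and hash": the value to store for this user. */
function storePassword(string $password, ?string $salt = null): string
{
    $salt = $salt ?? generateSalt();
    return $salt . ':' . saltedMd5($salt, $password);
}

/** Steps "Read used salt", "Compute hash", "Compare with saved hash". */
function validatePassword(string $userInput, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;   // malformed record: never accept it
    }
    [$salt, $savedHash] = $parts;
    // Constant-time comparison; a plain == would leak timing information.
    return hash_equals($savedHash, saltedMd5($salt, $userInput));
}

// Walk-through with the slide's values (fixed salt so the run is reproducible).
$stored = storePassword('joh316', '7deb882cf');
echo "stored record:  $stored\n";

// Unsalted MD5 of the same password: the value a rainbow table would list.
echo "unsalted md5:   " . md5('joh316') . "\n";

// The same password for a second user yields a different record thanks to the salt.
$other = storePassword('joh316');
echo "second user:    $other\n";

var_dump(validatePassword('joh316', $stored));
var_dump(validatePassword('joh317', $stored));
var_dump(validatePassword('joh316', $other));
```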




The Extension


System extension saltedpasswords
    Formerly t3sec_saltedpasswords by Marcus Krause,
    member of the TYPO3 Security Team

    Integrated into the TYPO3 Core with version 4.3 after a rework by
    Steffen Ritter






Implemented salting methods
    Salted MD5

    Portable PHP password hashing framework (PHPASS)
        Available for various PHP applications (Drupal etc.)
        Repeated execution of MD5 (slow)

    Blowfish
        Availability depends on the environment
        Starting with PHP 5.3, an implementation ships with PHP





Crux of the matter...
    The password must be available in plaintext on the server
        By default, TYPO3 transfers only the MD5 hash of the password
        Transferring the plaintext is insecure

    Prerequisite (at least one of)
        SSL-secured connection
        System extension rsaauth:
        encrypts the password prior to transfer using the
        RSA algorithm



Installation & Configuration


rsaauth
    Prerequisites
        OpenSSL: PHP extension recommended, binary as fallback
        JavaScript

    Activation
        Frontend
        $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'rsa';

        Backend
        $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';






saltedpasswords with SSL encryption
    Frontend
        $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';

    Backend
        $TYPO3_CONF_VARS['BE']['lockSSL'] must be > 0






Installation of saltedpasswords
    Checks availability of rsaauth or lockSSL

    Separate activation for Frontend and Backend

    Choice of hashing method

Compatibility


Backwards compatibility
    Existing passwords? (unsalted MD5)
        Immediate conversion is not possible, as the cleartext is not
        available
        The only possible moment: during login






Extensions
    Frontend
        felogin is compatible
        srfeuserregister_t3secsaltedpw
        Alternative FE-User registrations?

    Adjustments to your own extensions might be needed




Background knowledge


Password formats
     MD5 without salt
     bacb98acf97e0b6112b1d1b650b84971

     MD5 with Salt
     starts with $1$, 12 characters of salt
     $1$13NETowd$WFpl6npZF71YKkCCzGds2.

     Blowfish
     starts with $2a$, 22 characters of salt
     $2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W

     PHPASS
     starts with $P$
     $P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.





Password formats: Pro & Contra
    PHPASS
        Low system requirements (compatible with every PHP version)
        Requires a PHPASS implementation in the application

    MD5 / Blowfish
        Format of Unix' crypt(), compatible with system services (/etc/passwd)
        The better choice (?)
        Availability of algorithms is system dependent
        From PHP 5.3.2 on, SHA-256/512 are also possible



Usage of crypt()
    Password validation:
    crypt($user_input, $encrypted_password) == $encrypted_password

    Saved hash (including salt):
    $1$13NETowd$WFpl6npZF71YKkCCzGds2.

    Checking against saved password 'joh316'

        crypt('joh316', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.')
             = '$1$13NETowd$WFpl6npZF71YKkCCzGds2.'

        crypt('password', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.')
             = '$1$13NETowd$SeAArtswHd8jzc9SQvH691'
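An added example (not code from the slides or from saltedpasswords) that ties together the "Password formats" slide, the crypt() validation above and the convert-on-login idea from the "Backwards compatibility" slide. Function names, the format labels and PHP 7.1+ (random_int(), hash_equals(), short list syntax) are assumptions; the $P$ (PHPASS) case is left to the PHPASS library.

```php
<?php
declare(strict_types=1);

// Added example: recognise the stored format by its prefix, validate via
// crypt(), and upgrade a legacy unsalted-MD5 record at the only moment the
// cleartext is available: a successful login.

/** Classify a stored value by the prefixes listed on the formats slide. */
function detectFormat(string $stored): string
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return 'md5-unsalted';                       // legacy TYPO3 format
    }
    if (strncmp($stored, '$1$', 3) === 0)  { return 'md5-crypt'; }
    if (strncmp($stored, '$2a$', 4) === 0) { return 'blowfish'; }
    if (strncmp($stored, '$P$', 3) === 0)  { return 'phpass'; }
    return 'unknown';
}

/** New hash in $1$ (MD5-crypt) format with 8 random salt characters. */
function createSaltedHash(string $password): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return crypt($password, '$1$' . $salt . '$');
}

/**
 * crypt($input, $stored) re-uses the salt embedded in $stored, so the
 * result equals $stored exactly when the password matches (slide above).
 */
function validateCrypt(string $userInput, string $stored): bool
{
    $computed = crypt($userInput, $stored);
    // crypt() returns a short "*0"/"*1" string on failure; hash_equals()
    // replaces the slide's == with a constant-time comparison.
    return strlen($computed) > 13 && hash_equals($stored, $computed);
}

/**
 * Login check. Returns [bool $ok, ?string $upgradedHash]: when a legacy
 * unsalted record verifies, the caller must persist $upgradedHash.
 */
function login(string $userInput, string $stored): array
{
    switch (detectFormat($stored)) {
        case 'md5-unsalted':
            if (!hash_equals($stored, md5($userInput))) {
                return [false, null];
            }
            // Cleartext is available right now: convert to a salted hash.
            return [true, createSaltedHash($userInput)];
        case 'md5-crypt':
        case 'blowfish':
            return [validateCrypt($userInput, $stored), null];
        case 'phpass':
            // Needs the PHPASS library (http://www.openwall.com/phpass/).
            return [false, null];
        default:
            return [false, null];
    }
}

// Walk-through with the slide's saved hash for 'joh316'.
$saved = '$1$13NETowd$WFpl6npZF71YKkCCzGds2.';
var_dump(validateCrypt('joh316', $saved));
var_dump(validateCrypt('password', $saved));

// Legacy record (slide "Password formats": MD5 without salt).
[$ok, $upgraded] = login('joh316', 'bacb98acf97e0b6112b1d1b650b84971');
$status = $ok ? 'login ok' : 'login failed';
echo $status, ', record to persist: ', $upgraded ?? '(unchanged)', "\n";
echo 'format after upgrade: ', detectFormat((string) $upgraded), "\n";
```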




Web links
     Free Rainbow Tables
     http://www.freerainbowtables.com

     PHPASS
     http://www.openwall.com/phpass/

     PHP Manual: crypt()
     http://de2.php.net/manual/en/function.crypt.php

     Wikipedia: crypt (Unix)
     http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function





 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 

Secure password storing with saltedpasswords in TYPO3

  • 1. Image: Carlos Porto / FreeDigitalPhotos.net. TYPO3camp Munich, 11./12. September 2010. Secure password storing with saltedpasswords. Inspiring people to share.
  • 2. Secure password storing with TYPO3's system extension "saltedpasswords". Steffen Gebert <steffen@steffen-gebert.de>. Translated slides, original title: "TYPO3-Passwörter sicher speichern mit saltedpasswords" (http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit). TYPO3camp Munich, 11./12. September 2010.
  • 3. Introduction: Your speaker. Steffen Gebert, student, freelancer, TYPO3 Core Team member.
  • 4. Introduction: Ouch! TYPO3 Association, 3rd Quarterly Report 2008: "What happened? An unauthorized person gained administrative access to the typo3.org website. As far as we can tell, an admin password was stolen and used to find out more passwords on typo3.org."
  • 5. Introduction: Saving passwords. Definite no-go: storing the cleartext password. Instead: store a hash ("check sum") of the password, and during login compare the hash of the entered password with the stored one.
  • 6. Introduction: Fundamental knowledge: hashing. A one-way function: identical input => identical output, e.g. md5('joh316') = 'bacb98acf97e0b6112b1d1b650b84971'; the opposite direction is not algorithmically computable. Most frequently used algorithm: MD5, not considered secure for a long time (collisions are easy to compute, although what matters for password storage is that MD5 is fast and unsalted hashes can be precomputed; huge rainbow tables are available). Alternatives (the SHA family) only provide a bigger result set; an unsalted SHA hash is just as precomputable, so only new rainbow tables are needed.
  • 7. Introduction: Saving a salted password
      User input: 'joh316'
      Generate a salt, e.g. '7deb882cf'
      Compute the hash: md5('7deb882cf' . 'joh316') = 'bacedc598493cb316044207d95f7ad54'
      Save salt and hash
  • 8. Introduction: Validating a salted password
      User input: 'joh316'
      Read the salt that was used from the database: '7deb882cf'
      Compute the hash: md5('7deb882cf' . 'joh316') = 'bacedc598493cb316044207d95f7ad54'
      Compare with the saved hash
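The store-and-validate procedure of slides 7 and 8, as an added example in PHP; this is not code from the slides or from the saltedpasswords extension. It implements exactly the scheme the slides show, hash = md5(salt . password), keeps the salt next to the hash in a record of the form salt$hash, and then checks two things the slides only state: that two users with the same password get different records, and that validation with the stored salt reproduces the hash. It assumes PHP 7.1 or newer (random_bytes, hash_equals, nullable type hints); the function names are mine.

```php
<?php
// Added example (not code from the slides or from the saltedpasswords extension):
// the scheme of slides 7 and 8, hash = md5(salt . password), with the salt kept
// next to the hash as "salt$hash". Assumes PHP 7.1+ (random_bytes, hash_equals).
declare(strict_types=1);

function generateSalt(int $bytes = 8): string
{
    // CSPRNG output, hex encoded: 8 bytes -> 16 hex characters.
    // A timestamp or a user id is not a salt: an attacker can guess it.
    return bin2hex(random_bytes($bytes));
}

function hashPassword(string $password, ?string $salt = null): string
{
    $salt = $salt ?? generateSalt();
    $hash = md5($salt . $password);   // slide 7
    return $salt . '$' . $hash;       // the salt is not secret, store it with the hash
}

function verifyPassword(string $input, string $stored): bool
{
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2 || $parts[0] === '' || strlen($parts[1]) !== 32) {
        return false;                 // malformed record: fail closed
    }
    list($salt, $hash) = $parts;
    // slide 8: recompute with the stored salt, compare in constant time
    return hash_equals($hash, md5($salt . $input));
}

// Two users choose the same password. The records differ, so a rainbow table
// built for unsalted MD5 (or for one user's salt) does not apply to the other.
$alice = hashPassword('joh316');
$bob   = hashPassword('joh316');
var_dump($alice !== $bob);
var_dump(verifyPassword('joh316', $alice));
var_dump(verifyPassword('joh316', $bob));
var_dump(verifyPassword('password', $alice));

// With the salt of slide 7 fixed, the record is reproducible, which is
// exactly what validation on slide 8 depends on.
var_dump(hashPassword('joh316', '7deb882cf') === hashPassword('joh316', '7deb882cf'));
```

The salt defeats precomputation, but md5(salt . password) is still a fast hash, so an attacker who has the records can brute-force each one individually at full MD5 speed. That is why the extension's slow methods on slide 10 (PHPASS with repeated MD5, Blowfish) are the better choice for new installations.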
  • 9. The extension: system extension saltedpasswords. Formerly t3sec_saltedpasswords by Marcus Krause, member of the TYPO3 Security Team. Integrated into the TYPO3 core with version 4.3 after a rework by Steffen Ritter.
  • 10. The extension: implemented salting methods. Salted MD5. Portable PHP password hashing framework (PHPASS): available for various PHP applications (Drupal etc.), repeated execution of MD5 (deliberately slow). Blowfish: availability depends on the environment; starting with PHP 5.3 an implementation is shipped with PHP itself.
  • 11. The extension: crux of the matter. The password must be available to the server in plaintext, but TYPO3 by default transfers only an MD5 hash of it, and transferring the plaintext is insecure. Prerequisite (at least one of the two): an SSL-secured connection, or the system extension rsaauth, which encrypts the password with the RSA algorithm before transfer.
  • 12. Installation & configuration: rsaauth
      Prerequisites: OpenSSL (the PHP extension is recommended, the openssl binary serves as fallback), JavaScript in the browser
      Activation:
      Frontend: $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'rsa';
      Backend:  $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';
  • 13. Installation & configuration: saltedpasswords with SSL encryption
      Frontend: $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';
      Backend:  $TYPO3_CONF_VARS['BE']['lockSSL'] set to a value greater than 0
  • 14. Installation & configuration: installation of saltedpasswords. The extension checks the availability of rsaauth or lockSSL; separate activation for frontend and backend; choice of the hashing method.
  • 15. Compatibility: backwards compatibility. Existing passwords (unsalted MD5)? An immediate conversion is not possible, as the cleartext is not available; the only possible moment is during login, when the user supplies the password.
  • 16. Compatibility: extensions. Frontend: felogin is compatible; srfeuserregister_t3secsaltedpw. Alternative FE user registrations? Adjustments to your own extensions might be needed.
  • 17. Background knowledge: password formats
      MD5 without salt: bacb98acf97e0b6112b1d1b650b84971
      MD5 with salt (md5-crypt): starts with $1$, salt string of 12 characters including the delimiters (the salt proper is up to 8 characters): $1$13NETowd$WFpl6npZF71YKkCCzGds2.
      Blowfish: starts with $2a$, followed by the cost and 22 characters of salt: $2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W
      PHPASS: starts with $P$, followed by one iteration-count character and 8 characters of salt: $P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.
  • 18. Background knowledge: password formats, pro & contra. PHPASS: low system requirements (compatible with every PHP version), but requires a PHPASS implementation in the application. MD5 / Blowfish: format of Unix crypt(), compatible with system services (/etc/passwd); the better choice (?); availability of the algorithms is system dependent; with PHP 5.3.2 SHA-256/512 are also possible.
  • 19. Background knowledge: usage of crypt()
      Password validation: crypt($user_input, $encrypted_password) == $encrypted_password
      (crypt() takes the algorithm and the salt from the stored value; in PHP 5.6+ prefer hash_equals() over == for a constant-time comparison)
      Saved hash (including salt): $1$13NETowd$WFpl6npZF71YKkCCzGds2.
      Checking against the saved password 'joh316':
      crypt('joh316', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.') = '$1$13NETowd$WFpl6npZF71YKkCCzGds2.'   (match)
      crypt('password', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.') = '$1$13NETowd$SeAArtswHd8jzc9SQvH691'   (no match)
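The three slides on compatibility and crypt() describe one login path: recognise the stored format by its prefix (slide 17), validate crypt()-style records by re-hashing with the stored salt (slide 19), and, for a legacy unsalted MD5 record, use the one moment the plaintext is available to replace it with a salted hash (slide 15). The added example below puts that together in PHP. It is not code from the slides or from the saltedpasswords extension: the function names, the in-memory $users array standing in for the be_users/fe_users table, and the choice of password_hash() with bcrypt for the upgraded record are mine, and it assumes PHP 7.0 or newer (hash_equals, password_hash). PHPASS ($P$) records are only recognised, not validated, since that needs the PHPASS library from slide 18.

```php
<?php
// Added example (not code from the slides or from the saltedpasswords extension):
// format detection by prefix (slide 17), crypt()-based validation (slide 19) and
// upgrading a legacy unsalted MD5 record at login time (slide 15).
// Assumes PHP 7.0+ (hash_equals, password_hash) and an in-memory array
// standing in for the be_users/fe_users table.
declare(strict_types=1);

function detectFormat(string $stored): string
{
    if (strncmp($stored, '$1$', 3) === 0) {
        return 'md5-crypt';                       // $1$ + salt, slide 17
    }
    if (strncmp($stored, '$2a$', 4) === 0 || strncmp($stored, '$2y$', 4) === 0) {
        return 'blowfish';                        // $2a$ on the slides; $2y$ since PHP 5.3.7
    }
    if (strncmp($stored, '$P$', 3) === 0 || strncmp($stored, '$H$', 3) === 0) {
        return 'phpass';                          // portable PHPASS hashes
    }
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        return 'md5-unsalted';                    // legacy TYPO3 record
    }
    return 'unknown';
}

function verifyCrypt(string $input, string $stored): bool
{
    // slide 19: crypt() reads algorithm and salt out of $stored and re-hashes.
    $computed = crypt($input, $stored);
    // On an unusable salt crypt() returns a short failure marker ("*0"/"*1"), so
    // require a full-length result and compare in constant time instead of with ==.
    return strlen($computed) >= 13 && hash_equals($stored, $computed);
}

function newSaltedHash(string $password): string
{
    // bcrypt record ("$2y$10$..."), readable by crypt() like the $2a$ records on slide 17
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Returns true on a successful login. For a legacy unsalted MD5 record the
// plaintext is available only now (slide 15), so the record is upgraded in place.
function login(array &$users, string $username, string $input): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    switch (detectFormat($stored)) {
        case 'md5-unsalted':
            if (!hash_equals(strtolower($stored), md5($input))) {
                return false;
            }
            $users[$username] = newSaltedHash($input);   // one-time upgrade on login
            return true;
        case 'md5-crypt':
        case 'blowfish':
            return verifyCrypt($input, $stored);
        default:
            // PHPASS records need the PHPASS library (slide 18); unknown formats fail closed
            return false;
    }
}

// Constructed user store: 'admin' still carries the unsalted MD5 of 'joh316'
// from slide 6, 'editor' the $1$ record from slide 19.
$users = [
    'admin'  => 'bacb98acf97e0b6112b1d1b650b84971',
    'editor' => '$1$13NETowd$WFpl6npZF71YKkCCzGds2.',
];

var_dump(login($users, 'editor', 'joh316'));    // crypt() path
var_dump(login($users, 'editor', 'password'));  // wrong password
var_dump(login($users, 'admin', 'joh316'));     // legacy path, record upgraded
echo detectFormat($users['admin']), PHP_EOL;    // no longer 'md5-unsalted'
var_dump(login($users, 'admin', 'joh316'));     // second login goes through crypt()
```

Two details matter in practice. The upgrade must be written back in the same request in which the plaintext was checked; there is no later opportunity, which is the point of slide 15. And the legacy branch stays reachable until every user has logged in once, so a table with old unsalted records is still a rainbow-table target until then; deactivating accounts that never log in removes that exposure.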
  • 20. Web links
      Free Rainbow Tables: http://www.freerainbowtables.com
      PHPASS: http://www.openwall.com/phpass/
      PHP Manual: crypt(): http://de2.php.net/manual/en/function.crypt.php
      Wikipedia: crypt (Unix): http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function
  • 21. ????? ?? ? ?? ?? ?