secure password storing with saltedpasswords in typo3

Post on 19-May-2015

Category:

Technology

DESCRIPTION

German version available here: http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit

TRANSCRIPT

1. Secure password storing with saltedpasswords. TYPO3camp Munich, 11./12. September 2010. Image: Carlos Porto / FreeDigitalPhotos.net. Inspiring people to share.

2. Secure password storing with TYPO3's system extension saltedpasswords. Steffen Gebert. Translated slides, original title: "TYPO3-Passwörter sicher speichern mit saltedpasswords", http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit. TYPO3camp Munich, 11./12. September 2010.

3. Introduction: Your speaker. Steffen Gebert, student, freelancer, TYPO3 Core Team member.

4. Introduction: Ouch! TYPO3 Association, 3rd Quarterly Report 2008: "What happened? An unauthorized person gained administrative access to the typo3.org website. As far as we can tell, an admin password was stolen and used to find out more passwords on typo3.org."

5. Introduction: Saving passwords. Definite no-go: storing the cleartext password. Instead: save a hash (check sum) and compare against the hash during login.

6. Introduction: Fundamental knowledge: hashing. One-way function: identical input => identical output, e.g. md5(joh316) = bacb98acf97e0b6112b1d1b650b84971; the opposite direction is not algorithmically computable. Most frequently used algorithm: MD5, not considered secure for ages (collisions easy to compute, huge rainbow tables available). Alternatives (SHA) only provide a bigger result set => just new rainbow tables needed.

7. Introduction: Saving a salted password. User input: joh316. Generate a salt, e.g. 7deb882cf. Compute the hash: md5(7deb882cf . joh316) = bacedc598493cb316044207d95f7ad54. Save salt and hash.

8. Introduction: Validating a salted password. User input: joh316. Read the used salt from the database: 7deb882cf. Compute the hash: md5(7deb882cf . joh316) = bacedc598493cb316044207d95f7ad54. Compare with the saved hash.

9. The Extension: System extension saltedpasswords. Formerly t3sec_saltedpasswords by Marcus Krause, member of the TYPO3 security team. Integrated into TYPO3 Core version 4.3 after rework by Steffen Ritter.

10. The Extension: Implemented salting methods. Salted MD5. Portable PHP password hashing framework: available for various PHP applications (Drupal etc.), repetitive execution of MD5 (slow). Blowfish: availability dependent on the environment; starting with PHP 5.3 an implementation is shipped with PHP.

11. The Extension: Crux of the matter... The password must be available in plaintext. TYPO3 by default transfers an MD5 hash; plaintext transfer is insecure. Prerequisite (at least one): an SSL-secured connection, or the system extension rsaauth, which encrypts passwords prior to transfer using the RSA algorithm.

12. Installation & Configuration: rsaauth. Prerequisites: OpenSSL (PHP extension recommended, binary as fallback), JavaScript. Activation: Frontend $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'rsa'; Backend $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';

13. Installation & Configuration: saltedpasswords with SSL encryption. Frontend: $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal'; Backend: $TYPO3_CONF_VARS['BE']['lockSSL'] > 0.

14. Installation & Configuration: Installation of saltedpasswords. Checks availability of rsaauth or lockSSL. Separate activation for Frontend and Backend. Choice of hashing method.

15. Compatibility: Backwards compatibility. Existing passwords (unsalted MD5)? Immediate conversion is not possible, as the cleartext is not available; the only possible moment is during login.

16. Compatibility: Extensions. Frontend: felogin compatible; srfeuserregister_t3secsaltedpw. Alternative FE-user registrations? Adjustments for own extensions might be needed.

17. Background knowledge: Password formats.
   MD5 without salt: bacb98acf97e0b6112b1d1b650b84971
   MD5 with salt: starts with $1$, 12 characters of salt: $1$13NETowd$WFpl6npZF71YKkCCzGds2.
   Blowfish: starts with $2a$, 22 characters of salt: $2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W
   PHPASS: starts with $P$: $P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.

18. Background knowledge: Password formats, pro & contra. PHPASS: low system requirements (compatible with every PHP version), but requires a PHPASS implementation in the application. MD5 / Blowfish: format of Unix crypt(), compatible with system services (/etc/passwd), the better choice (?), but availability of algorithms is system dependent; with PHP 5.3.2 also SHA-256/512 possible.

19. Background knowledge: Usage of crypt().
   Password validation: crypt($user_input, $encrypted_password) == $encrypted_password
   Saved hash (including salt): $1$13NETowd$WFpl6npZF71YKkCCzGds2.
   Checking against the saved password joh316:
   crypt('joh316', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.') = $1$13NETowd$WFpl6npZF71YKkCCzGds2.
   crypt('password', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.') = $1$13NETowd$SeAArtswHd8jzc9SQvH691

20. Web links.
   Free Rainbow Tables: http://www.freerainbowtables.com
   PHPASS: http://www.openwall.com/phpass/
   PHP Manual: crypt(): http://de2.php.net/manual/en/function.crypt.php
   Wikipedia: crypt (Unix): http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function

22. inspiring people to share.
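Slides 7, 8, 15 and 19 together describe the scheme: the stored string carries its own salt, validation re-runs crypt() with the stored string as the salt parameter, and a legacy unsalted MD5 record can only be upgraded at the moment of a successful login. The following PHP is an added illustration of that flow, not code from the slides or from the saltedpasswords extension; it assumes PHP 7.1 or later (random_bytes, hash_equals, nullable return types) and uses the crypt() $1$ format shown on slide 17.

```php
<?php
// Added example (not code from the slides or the saltedpasswords extension).
// Shows the login-time upgrade from slide 15: an unsalted MD5 record can only
// be converted to a salted hash when the user logs in, because that is the
// only moment the cleartext is known to the application.

// Salted MD5 in Unix crypt() format ($1$ + salt + $), as on slide 17.
function makeSaltedHash(string $password): string
{
    // random_bytes() needs PHP 7; '+' is not in the crypt() salt alphabet, '.' is.
    $salt = substr(strtr(base64_encode(random_bytes(8)), '+', '.'), 0, 8);
    return crypt($password, '$1$' . $salt . '$');
}

// $1$, $2a$ and $P$ records all start with a dollar sign; plain hex MD5 does not.
function isSaltedHash(string $hash): bool
{
    return strpos($hash, '$') === 0;
}

// Slide 19: crypt($user_input, $stored) reproduces $stored when the password matches.
function verifyPassword(string $input, string $stored): bool
{
    if (isSaltedHash($stored)) {
        return hash_equals($stored, crypt($input, $stored));
    }
    // Legacy record: 32-character hex MD5 without salt (slide 17, first format).
    return hash_equals($stored, md5($input));
}

// Returns the (possibly upgraded) hash to store, or null when the login failed.
function loginAndUpgrade(string $input, string $stored): ?string
{
    if (!verifyPassword($input, $stored)) {
        return null;
    }
    // Login succeeded against a legacy hash: rewrite the record in salted form now.
    return isSaltedHash($stored) ? $stored : makeSaltedHash($input);
}

// Constructed sample record holding md5('joh316') from slide 6.
$legacy   = 'bacb98acf97e0b6112b1d1b650b84971';
$upgraded = loginAndUpgrade('joh316', $legacy);
echo "legacy hash   : $legacy\n";
echo "upgraded hash : $upgraded\n";              // now starts with $1$
var_dump(verifyPassword('joh316', $upgraded));   // bool(true)
var_dump(verifyPassword('password', $upgraded)); // bool(false)
var_dump(loginAndUpgrade('wrong', $legacy));     // NULL, legacy record left untouched
```

Run with `php example.php`; a second login with the upgraded record takes the crypt() branch only, so the unsalted hash disappears from storage after one successful login per user.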