Secure password storing with saltedpasswords in TYPO3

Inspiring people toshare

TYPO3camp Munich - 11./12. September 2010

Secure password storing with saltedpasswords

Image: Carlos Porto / FreeDigitalPhotos.net

Inspiring people toshareSecure password storing with saltedpasswords

Secure password storing with TYPO3’ssystem extension “saltedpasswords”

Steffen Gebert <steffen@steffen-gebert.de>

TYPO3camp Munich- 11./12. September 2010

Translated slides, original title:“TYPO3-Passwörter sicher speichern mit saltedpasswords”

http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit

Introduction

Your Speaker

Steffen Gebert

Student, Freelancer

TYPO3 Core Team Member

Introduction

Ouch!TYPO3 Assicciation, 3rd Quarterly Report 2008

“What happened? An unauthorized person gained administrative access to the typo3.org website. As far as we can tell, an admin password was stolen and used to find out more passwords on typo3.org.”

Introduction

Saving passwordsDefinite no-go: Storing cleartext password

Instead

Saving of a hash (“check sum”)

Comparing with hash during login

Introduction

Fundamental knowledge: HashingOne-way function

identical input => identical outputmd5(‘joh316’) = ‘bacb98acf97e0b6112b1d1b650b84971’

opposite direction not argorithmically computable

Most frequently used algorithm: MD5

not considered secure since ages (clashes easy to compute, huge rainbow tables available)

Alternatives (SHA) only provide bigger result set=> just new rainbow tables needed

Introduction

Saving a salted passwordUser input: ‘joh316’

Generate salt, e.g. ‘7deb882cf’

Compute Hashmd5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’

Save salt and hash

Introduction

Validating a salted passwordUser intut: ‘joh316’

Read used salt from database: ‘7deb882cf’

Compute hashmd5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’

Compare with saved hash

The Extension

System extension saltedpasswordsFormerly t3sec_saltedpasswords by Marcus Krause, Member of the TYPO3 security team

Integration into TYPO3 Core version 4.3 after rework by Steffen Ritter

The Extension

Implemented salting methodsSalted MD5

Portable PHP password hashing framework

Available for various PHP applications (Drupal etc.)

Repetetive exectution of MD5 (slow)

Blowfish

Availability dependent of environment

Starting with PHP 5.3 implementation shipped with PHP

The Extension

Crux of the matter...Password must be available in plaintext

TYPO3 by default transfers MD5 hash

Plaintext transfer unsecure

Prerequisite (at least one)

SSL secured connection

System extension rsaauthEncrypts passwords prior transfer using RSA algorithm

Installation & Configuration

rsaauthPrerequisite

OpenSSL: PHP extension recommended, binary as fallback

JavaScript

Activation

Frontend$TYPO3_CONF_VARS[FE][loginSecurityLevel] = ‘rsa’

Backend$TYPO3_CONF_VARS[BE][loginSecurityLevel] = ‘rsa’;

saltedpasswords with SSL encryptionFrontend

$TYPO3_CONF_VARS[FE][loginSecurityLevel] = ‘normal’

Backend

$TYPO3_CONF_VARS[BE][lockSSL] > 0

Installation of saltedpasswordsChecks availability of rsaauth or lockSSL

Separate activation for Frontend and Backend

Choice of hashing method

Compatibility

Backwards compatibilityExisting passwords? (unsalted MD5)

immediate conversion not possible, as cleartext not available

only possible moment: during Login

Compatibility

ExtensionsFrontend

felogin compatibel

srfeuserregister_t3secsaltedpw

Alternative FE-User registrations?

Adjustions for own extensions might be needed

Background knowledge

Password formatsMD5 without saltbacb98acf97e0b6112b1d1b650b84971

MD5 with Saltstarts with $1$, 12 characters of salt$1$13NETowd$WFpl6npZF71YKkCCzGds2.

Blowfishstarts with $2a$, 22 characters of salt$2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W

PHPASSstarts with $P$$P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.

Password formats: Pro & ContraPHPASS

Low system requirements (compatible with every PHP version)

Requires PHPASS implementation in application

MD5 / Blowfish

Format of Unix’ crypt(), compatible with system services (/etc/passwd)

The better choice (?)

Availability of algorithms system dependent

with PHP 5.3.2 also SHA-256/512 possible

Usage of crypt()Password validation:crypt($user_input, $encrypted_password) == $encrypted_password

Saved hash (including salt):$1$13NETowd$WFpl6npZF71YKkCCzGds2.

Checking against saved password ‘joh316’

crypt(joh316, $1$13NETowd$WFpl6npZF71YKkCCzGds2.) = $1$13NETowd$WFpl6npZF71YKkCCzGds2.

crypt(password, $1$13NETowd$WFpl6npZF71YKkCCzGds2.) = $1$13NETowd$SeAArtswHd8jzc9SQvH691

Web linksFree Rainbow Tableshttp://www.freerainbowtables.com

PHPASShttp://www.openwall.com/phpass/

PHP Manual: crypt()http://de2.php.net/manual/en/function.crypt.php

Wikipedia: crypt (Unix)http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function

?????????????

inspiring people to share.

Secure password storing with saltedpasswords in TYPO3

Technology

Transcript of Secure password storing with saltedpasswords in TYPO3

Typo3 Tutorial

TYPO3 & Composer

WKE14 - TYPO3 Neos - Next Generation CMS - Patrick ......TYPO3 Neos - Next Generation CMS LOBACHER. 10 Die Geschichte von TYPO3 Neos: TYPO3 Phoenix ! • Auf den ersten T3DD (TYPO3

TYPO3 47 release

TYPO3 Infrastructure

Semantic TYPO3

TYPO3 4.6 & TYPO3 4.7

Typo3 API Handbuch

TYPO3 Congres 2012 - Keynote: A day with TYPO3

T3UNI12 - Université TYPO3 2012 : mariage TYPO3+ALFRESCO

T3CON14EU: Migrating from TYPO3 CMS to TYPO3 Flow

TYPO3 Translations

TYPO3 Security Guide - FREYLER · TYPO3 Security Guide - doc_guide_security The TYPO3 Security Team The TYPO3 Security Team Contact information If you find a security issue in the

TYPO3 Government Package

Apache Solr for TYPO3 at TYPO3 Usergroup Day Netherlands

TYPO3 security updates

TYPO3 Training I

TYPO3 Surf Introduction

ECE 4112 - Internetwork Security 1 Password Cracking, Sniffing and Man-in-the Middle Agenda Storing Passwords on the system Password Cracking on Windows.

Newsletter using TYPO3