RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions

From:	Jonathan Bond-Caron	Date:	Tue, 31 Jul 2012 16:01:07 +0000
Subject:	RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
References:	1 2 3 4 5 6 7	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On Tue Jul 31 10:54 AM, Anthony Ferrara wrote:
> 
> On Tue, Jul 31, 2012 at 10:28 AM, Jonathan Bond-Caron <HYPERLINK 
> 
> I strongly disagree with this, the 'pepper' IMHO is a best practice 
> for web applications.
> 
> Again, I have not seen this being said by any security or cryptography 
> expert.
> 

Like I said IMHO, I'm not a security expect but I do think there needs to be
modern discussion around 'web password hashing'.

>
> Ok. So I register an account before I get the database. Now the only thing
that I need to crack is the pepper (since I know the salt, hash and original
password for my sentinel account).

Fair enough ;)

It can still be a problem if the pepper is large + the crypt() salt

> 
> With all of that said, if you really want a secret in there, don't 
> hijack the hashing algorithm to do it. There are two somewhat decent
> alternatives:
> 
> HMAC the password with the secret prior to passing it to 
> password_hash()/crypt().  HMAC is secure and is designed for this 
> exact purpose.
> 

Not so great:
password_hash_rfc( hash_hmac('md5', 'password', '1024-bytes secret') )
//
hmac is short (~ 160bits)

I guess you mean:

hash_hmac('md5', password_hash_rfc('password'), '1024-bytes secret')

But then there's no way to know all those crypt() parameters, salt, cost,
etc...

Maybe a new api?
password_hash_hmac($password, $secret, $options = array());

> 
> Encrypt the resulting hash with a secure encryption function
> (RIJNDAEL_128 + CBC) prior to inserting it in the database. That way, 
> each component uses standard algorithms as they were designed to be used.
> 

That's fine, I feel this should be somewhat easier in php core (without the
need for openssl & al.)

It also comes with a cost of decrypting the hashes / not so great

> But I want to stress something else. Properly managing secrets is VERY 
> difficult. It's not even really possible in PHP, due to the way 
> copy-on-write works, and how variables are removed. To implement this 
> sort of a system correctly is not something even highly competent 
> developers can typically do. It really is that difficult to get right.
>

Sure managing keys properly can be hard, simple cases: 
$secret = MY_KEY;
$secret = file_get_contents('/security/key.pem');

Again I'm making the assumption that the attacking *does not* have access to
the file system.




   

Thread (47 messages)

• Anthony FerraraThu, 12 Jul 2012 02:40:08 +0000
  • Alex AulbachThu, 12 Jul 2012 17:24:52 +0000
    • Nikita PopovThu, 12 Jul 2012 17:32:44 +0000
      • Alex AulbachThu, 12 Jul 2012 17:50:19 +0000
    • Anthony FerraraThu, 12 Jul 2012 18:53:16 +0000
      • Alex AulbachThu, 12 Jul 2012 22:10:56 +0000
      • Ryan McCueFri, 13 Jul 2012 10:28:29 +0000
        • Ángel GonzálezFri, 13 Jul 2012 21:54:23 +0000
          • Alex AulbachSat, 14 Jul 2012 00:32:11 +0000
      • Daniel ConvissorSun, 15 Jul 2012 21:09:24 +0000
  • Stas MalyshevThu, 12 Jul 2012 18:32:17 +0000
    • Anthony FerraraThu, 12 Jul 2012 18:34:45 +0000
      • Jonathan Bond-CaronTue, 31 Jul 2012 12:32:56 +0000RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
        • Jonathan Bond-CaronTue, 31 Jul 2012 13:07:58 +0000
        • Anthony FerraraTue, 31 Jul 2012 13:25:19 +0000Re: [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
          • Jonathan Bond-CaronTue, 31 Jul 2012 14:28:11 +0000RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
            • Nikita PopovTue, 31 Jul 2012 14:44:24 +0000Re: [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
            • Anthony FerraraTue, 31 Jul 2012 14:54:48 +0000Re: [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
              • Jonathan Bond-CaronTue, 31 Jul 2012 16:01:07 +0000RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
                • Anthony FerraraTue, 31 Jul 2012 16:21:31 +0000Re: [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
                  • Ángel GonzálezTue, 31 Jul 2012 18:46:42 +0000
                  • Peter LindTue, 31 Jul 2012 19:46:49 +0000
                    • Anthony FerraraTue, 31 Jul 2012 20:02:34 +0000
                      • Peter LindTue, 31 Jul 2012 20:20:13 +0000
                        • Ángel GonzálezWed, 01 Aug 2012 18:11:02 +0000
                          • Alex AulbachWed, 01 Aug 2012 18:55:53 +0000
                  • Jonathan Bond-CaronWed, 01 Aug 2012 19:09:35 +0000RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
                  • Jonathan Bond-CaronWed, 01 Aug 2012 20:36:57 +0000RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
  • Anthony FerraraTue, 28 Aug 2012 15:28:07 +0000Re: [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
    • Alain WilliamsTue, 28 Aug 2012 15:55:36 +0000Re: Re: [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
      • Ferenc KovacsTue, 28 Aug 2012 15:58:57 +0000