public inbox for pbs-devel@lists.proxmox.com
From: "Stefan Sterz" <s.sterz@proxmox.com>
To: "Proxmox Backup Server development discussion"
	<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox 07/12] sys: crypt: add helper to allow upgrading hashes
Date: Fri, 23 Feb 2024 10:26:25 +0100
Message-ID: <CZCCN8J920IB.2KWANULYT8RME@proxmox.com>
In-Reply-To: <667ea9d3-4d72-4012-bcd5-c4a283e4bed9@proxmox.com>

On Mon Feb 19, 2024 at 7:50 PM CET, Max Carrara wrote:
> On 2/15/24 16:19, Stefan Sterz wrote:
> > `upgrade_hash` function allows us to transparently upgrade a password
> > hash to a newer hash function. thus, we can get rid of insecure hashes
> > even without the user needing to log in or reset their password.
> >
> > it works by retaining only the settings of the previous hash and not the
> > hash itself. the new hash is a salted hash of the previous hash,
> > including the settings.
> >
> > the `verify_crypt_pw` function is also adapted to deal with the new
> > string format. it verifies hashes whether they've been upgraded or not.
> >
> > Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
> > ---
> > this is a far from ideal method of upgrading hashes. as the input to the
> > new hash function has several well-known parts, it may break the
> > security assumptions of a newer password hashing function. it could be
> > possible that finding collisions is made easier compared with re-hashing
> > the original password. hence, only do this as a stop-gap measure.
> >
> > also, my choice of `HASH_SEPARATOR` is possibly not ideal. i welcome
> > some bike-shedding there if we want to consider this approach at all.
>
> I know you've meticulously tested this, you gave me a demonstration of this
> as well, but it still makes me feel uneasy nevertheless - IMHO it is long
> overdue that we upgrade our hashes, but there must be a cleaner way to do
> this that doesn't involve keeping those amalgams of crypt hashes around.
>
> There are quite a few comments inline, but I do want to mention that I
> realize that this took you a lot of work, so I highly commend your efforts
> on this.
>

just wanted to say, after off-list discussions, i'll retract the
hash-upgrading mechanism. it would only be useful if there is a
pre-image attack on sha2 while exposing our users to potential
known-prefix attacks. if a sha2 pre-image attack becomes publicly known
we can reconsider this.

thanks for the suggestions, though! i do think that they would make all
of this a bit cleaner!

(i'll trim the rest of this message, though, as imo it's not relevant to
further discussions until the attack mentioned above does become known)

-- >8 snip 8< --
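
The wrapping scheme described in the quoted commit message, sketched as an added example that is not part of this message or of the Proxmox patch. Salted SHA-256 and PBKDF2 stand in for the old and new crypt hashes, and the `$legacy$`/`$new$` string formats and the `SEP` value are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SEP = "|"  # hypothetical separator; the patch's HASH_SEPARATOR value is not shown on the page
ITERATIONS = 100_000


def legacy_hash(password: str, salt: str) -> str:
    """Stand-in for an old crypt-style hash: '$legacy$<salt>$<hex digest>'."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$legacy${salt}${digest}"


def _wrap(legacy_full: str, new_salt: str) -> str:
    """Stand-in for the newer hash, computed over the complete legacy string.

    The input always starts with the known '$legacy$<salt>$' settings, which is
    the well-known-parts concern raised in the thread.
    """
    dk = hashlib.pbkdf2_hmac("sha256", legacy_full.encode(),
                             bytes.fromhex(new_salt), ITERATIONS)
    return f"$new${new_salt}${dk.hex()}"


def upgrade_hash(stored: str) -> str:
    """Upgrade without the password: keep the legacy settings, drop the legacy digest."""
    if SEP in stored:
        return stored  # already upgraded
    settings = stored.rsplit("$", 1)[0]  # '$legacy$<salt>'
    return settings + SEP + _wrap(stored, os.urandom(16).hex())


def verify(password: str, stored: str) -> bool:
    """Verify a password against either a plain legacy or an upgraded record."""
    if SEP not in stored:
        salt = stored.split("$")[2]
        return hmac.compare_digest(legacy_hash(password, salt), stored)
    settings, new = stored.split(SEP, 1)
    legacy_salt = settings.split("$")[2]
    new_salt = new.split("$")[2]
    # Recreate the legacy hash from the retained settings, then wrap it again.
    candidate = _wrap(legacy_hash(password, legacy_salt), new_salt)
    return hmac.compare_digest(candidate, new)
```
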



