PBKDF2 polyfill vulnerable to "long password DoS" #230
Comments
|
Wouldn't this then not actually implement PBKDF2? An alternative is to throw an exception if the password is longer than 1000 characters (or some small factor of |
|
Thanks for looking, by the way! |
|
Related:
Let's see what Django (and other things) did, and if it's pre-hashing, I'm fine with deviating from PBKDF2 spec as long as we rename the function to indicate we did. |
|
Django just fails if it's longer than 4096 bytes: https://www.djangoproject.com/weblog/2013/sep/15/security/ |
|
Proposed fix:
What do you think of that @timoh6? |
|
I wonder what PHP's implementation of |
|
If you put the pre-hash logic here: https://github.com/defuse/php-encryption/blob/v2.0/src/Core.php#L398 ...then it won't break anything. |
|
@paragonie-scott: Yeah, I mean, is PHP already doing something like this, in which case the polyfill is already broken because it's not doing the exact same thing? Or is PHP computing the DoS-vulnerable but standards-compliant version of PBKDF2? |
|
@paragonie-scott: That's just standard HMAC isn't it? |
|
@paragonie-scott: Oh, I see. |
|
@defuse I'd go with the option 2 (pre-hash). But on the other hand, I don't think there will be any downsides if we just modify the PBKDF2 function to pre-hash if the input is longer than allowed in HMAC. It is a simple fix that "just works". In addition to that, some sort of "upper bound" to the allowed password length sounds indeed a good idea. Maybe that 4096 bytes will do? |
|
I'd like to not make it conditional. Otherwise you end up with situations like this: http://www.openwall.com/presentations/PHDays2014-Yescrypt/mgp00009.html Or this: https://3v4l.org/39uX2 It's ugly. But deviating from the standards is probably the "wrong" solution. |
|
Yeah, a function called |
|
@paragonie-scott @defuse Good points. Pre-hashing in KeyOrPassword sounds reasonable to me. |
|
@defuse That sounds great to me. |
|
I've decided on prehashing the password in |
|
Needs review over in #234. |
|
Done. |
The PBKDF2 polyfill in Core.php (which should run only for PHP 5.4 users) doesn't pre-hash the password before PBKDF2 inner loop if the password's length is greater than the underlying hash algorithm's output length.
This could lead to DoS situation if a malicious user is able to input long passwords to the PBKDF2 function. I.e. on my machine, 100000 byte password and 25000 iterations (with SHA256 and 32 byte output) took ~16 seconds.
I suggest we add a conditional pre-hash step before the outer PBKDF2 loop to mitigate this issue: check the password lenght, and if it is greater than $hash_length, do a pre-hash.
Roughly something like:
The text was updated successfully, but these errors were encountered: