A stab at implementing better password hashing, with mixed results - Mailing list pgsql-hackers

From Peter Bex
Subject A stab at implementing better password hashing, with mixed results
Date
Msg-id 20121227144638.GC610@frohike.homeunix.org
Whole thread Raw
Responses Re: A stab at implementing better password hashing, with mixed results  (Claudio Freire <klaussfreire@gmail.com>)
List pgsql-hackers
Hello all,

A while ago, on pgsql-general, I raised the issue that the password
storage employed by postgres is a little weak and promised I'd look
into this during the holidays, so here are my findings.

Implementing bcrypt instead of md5 is indeed rather straightforward;
just move the pgcrypto blowfish code into Postgres and tweak a few
things.  However, there seems to be no way to get the md5-based
authentication working with any different kind of storage than
plaintext or the existing md5 storage because it requires access
to the salted MD5 password hash.  Backwards compatibility can
only be guaranteed for passwords using this storage.  Adding bcrypt
means (oddly enough) that the authentication system will become *less*
secure, requiring plaintext password logins, making SSL mandatory.
However, since the existing authentication is not terribly secure
anyway that may not be considered a big loss (except maybe for
passwords popping up in accidental local network data dumps..).

Implementing a more secure challenge-response based algorithm means
a change in the client-server protocol.  Perhaps something like SCRAM
(maybe through SASL) really is the way forward for this, but that
seems like quite a project and it seems to dictate how the passwords are
stored; it requires a hash of the PBKDF2 algorithm to be stored.

One problem with a better algorithm is that for CGI-like web scripts,
connection speed is important.  The CGI model (which is also employed
by Perl and PHP, AFAIK) is in direct opposition to the security
requirement that password hashes should take long to create or verify;
if it takes long, this is a constant extra factor for all web requests
(unless advanced connection pooling is used, perhaps).  The
authentication method may also have an impact if it needs expensive
calculations.

I'm unsure how useful this bcrypt patch is, since it won't be acceptable
as-is, but I've attached it just in case.  If it is decided that this
should be integrated after all, it needs more work:

- There's no way to specify which hashing system to use for new
   passwords; I've ripped out the md5 hashing.  I think this requires
   a change in the user management statements.
- There's no way to specify (the log 2 of) the number of rounds to
   run the blowfish algorithm.  This is extremely important as it
   directly impacts the time it takes to set up a connection, like
   I said above, and some admins might like to increase the work
   factor for increased password protection.
   I think this might be a run-time server variable and/or possibly
   an option in the user management statement.
- Ideally, pgcrypto could re-use this, so that there is no duplicate
   copy of the bcrypt code.  The salt generation is less strong than
   pgcrypto's, which uses openssl AFAICT, so that might need some extra
   hooks.  The crypt code could also be exposed as an SQL function.
- Currently, if a client uses md5 auth to connect as a user who has
   a bcrypted password it simply means the correct password will be
   rejected.  There's no clean way to handle this, as far as I can see;
   giving more feedback will probably require a change in the protocol
   and will give away more information than we want: you'll know a user
   exists and even that the password isn't stored in plaintext or md5.

The conclusion is that switching to bcrypt requires a handful of extra
changes that I don't know how to make, and has the consequence of
*requiring* plaintext password authentication or a change in the
protocol.  If it's decided to go forward with this anyway, I'm willing
to help out, but implementing a completely new authentication system
goes a little over my head, I'm afraid.

Cheers,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
                            -- Donald Knuth

Attachment

pgsql-hackers by date:

Previous
From: Greg Stark
Date:
Subject: Re: buffer assertion tripping under repeat pgbench load
Next
From: Marko Kreen
Date:
Subject: Re: pgcrypto seeding problem when ssl=on