Increase pbkdf2 parameter strengths
Closed, Resolved. Public

Description

From https://lists.wikimedia.org/mailman/private/mediawiki-security/2015-October/000035.html

Set,

'algo' => 'sha512',
'cost' => '128000',
'length' => '64',

For the pbkdf2 parameters at the WMF. This will reduce the amount of work mediawiki does for password hashing by 40%, while increasing the amount of work an attacker has to do by 2.5x.

For our tarball, we should probably adjust the default params to,

'algo' => 'sha512',
'cost' => '40000',
'length' => '64',
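As an added example (not MediaWiki's code), the parameter sets above applied with Python's hashlib, together with the verify-then-rehash step that converts hashes made under older parameters at login time, as the thread later reports happening on the wikis. The stored record layout, the 16-byte salt and the old default's output length are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
# Parameter sets named in the task. The old default's algo/cost follow the
# thread (sha256, 64k rounds); its output length is an assumption here.
OLD_DEFAULT = {"algo": "sha256", "cost": 64000, "length": 64}
WMF_NEW = {"algo": "sha512", "cost": 128000, "length": 64}
TARBALL_NEW = {"algo": "sha512", "cost": 40000, "length": 64}

def pbkdf2_hash(password, params, salt=None):
    """Hash with the given parameters; returns a constructed record
    "pbkdf2:algo:cost:length:salt:hash" (base64 salt and hash). The record
    layout is this example's own, not MediaWiki's storage format."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(params["algo"], password.encode("utf-8"), salt,
                             params["cost"], params["length"])
    return "pbkdf2:%s:%d:%d:%s:%s" % (
        params["algo"], params["cost"], params["length"],
        base64.b64encode(salt).decode("ascii"), base64.b64encode(dk).decode("ascii"))

def parse(stored):
    """Split a record into its parameter dict, salt bytes and hash bytes."""
    kind, algo, cost, length, salt_b64, hash_b64 = stored.split(":")
    if kind != "pbkdf2":
        raise ValueError("not a pbkdf2 record")
    params = {"algo": algo, "cost": int(cost), "length": int(length)}
    return params, base64.b64decode(salt_b64), base64.b64decode(hash_b64)

def verify(password, stored):
    """Recompute with the record's own parameters and compare in constant time."""
    params, salt, expected = parse(stored)
    dk = hashlib.pbkdf2_hmac(params["algo"], password.encode("utf-8"), salt,
                             params["cost"], params["length"])
    return hmac.compare_digest(dk, expected)

def needs_update(stored, policy):
    """True when the record was produced with parameters other than the current policy."""
    params, _, _ = parse(stored)
    return params != policy

def check_and_upgrade(password, stored, policy):
    """Authenticate; on success, rehash under the current policy when the stored
    record predates it (the on-login conversion the thread reports)."""
    if not verify(password, stored):
        return False, None
    if needs_update(stored, policy):
        return True, pbkdf2_hash(password, policy)
    return True, None
```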
csteipp created this task. Oct 20 2015, 4:10 PM
csteipp updated the task description.
csteipp raised the priority of this task from to Needs Triage.
csteipp added a project: Security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Security-Team.
Restricted Application added a subscriber: Aklapper. Oct 20 2015, 4:10 PM
csteipp triaged this task as Low priority. Oct 20 2015, 9:40 PM
Luke081515 removed a subscriber: Security-Team.

Don't add Security-Team here, otherwise all members of a publicly joinable project can see this task! This is not intended, I guess.

@Luke081515: Nope that's not how the access permissions in Phabricator are implemented. :) Readded.

@Aklapper: Normally, but this project was not added as a project:

Luke081515 removed a subscriber: Security-Team.

This project was added as a CC, and this is why I could see the task before: normally I'm not a member of Security, and should only see the security bugs I created, but I added myself as a member of Security-Team, and so I could see the task.

Krenair added a subscriber: Krenair. (Edited) Dec 26 2015, 1:52 AM

Interesting. I wrote and am running a script to track down other instances of that across tickets marked security, and have fixed T101341 and T115333 so far.

Also T100803 in WMF-NDA. Going to remove the project restriction soon and let it check everything I can see in Phab.

Edit: After it gets to something like offset 42k, my script starts getting "Maximum execution time of 10 seconds exceeded" HTTP 500s unfortunately. Still:

# By Alex Monk. As of writing, dies around offset 42k due to a server-side timeout.
import json, subprocess

def getAll(arcArgs, params = {}, limit = 1000, offset = 0):
    # Page through a Conduit method via `arc call-conduit`, following the
    # limit/offset convention until a page comes back short.
    print("Offset " + str(offset))
    proc = subprocess.Popen(arcArgs, stdin = subprocess.PIPE, stdout = subprocess.PIPE)
    request = json.dumps(dict(params, limit = limit, offset = offset)).encode('utf-8')
    resultOut, resultErr = proc.communicate(input = request)
    dataOut = json.loads(resultOut.strip())['response']
    # Conduit methods differ in how they wrap results: some under 'data',
    # some as a dict keyed by PHID, some as a plain list.
    if 'data' in dataOut:
        items = dataOut['data'].values()
    elif isinstance(dataOut, dict):
        items = dataOut.values()
    elif isinstance(dataOut, list):
        items = dataOut
    else:
        items = []
    for item in items:
        yield item
    if len(items) == limit:
        for item in getAll(arcArgs, params = params, limit = limit, offset = offset + limit):
            yield item

arcCommand = ['arc', 'call-conduit', '--conduit-uri', 'https://phabricator.wikimedia.org/']

# Security: PHID-PROJ-koo4qqdng27q7r65x3cw
# WMF-NDA: PHID-PROJ-ibxm3v6ithf3jpqpqhl7
# {'projectPHIDs': ['PHID-PROJ-somethingsomethingsomething']}
for task in getAll(arcCommand + ['maniphest.query'], {}, limit = 1000):
    # A project PHID in the CC list means a whole project was subscribed,
    # which is the access leak this thread is about.
    for ccPHID in task['ccPHIDs']:
        if 'PROJ' in ccPHID:
            print('https://phabricator.wikimedia.org/T' + task['id'] + ' - ' + ccPHID + ' - ' + task['title'])
            break

Not pasting the output here due to the obvious issues involving what my account can access.

@Aklapper: Normally, but this project was not added as a project:
This project was added as a CC

Oh....! Thanks a lot, @Luke081515! I missed that. :(

csteipp moved this task from Backlog to Ready on the Security-Team board. Jan 5 2016, 3:44 PM

csteipp moved this task from Ready to In Progress on the Security-Team board. Jan 6 2016, 12:14 AM

Since this is really a hardening issue (someone would have to get our password hashes to crack them), and since the original 64k strength still holds (the WMF is just doing 4x that when checking passwords), I'm going to push this as a public patch to be swatted tomorrow (28 Jan).

csteipp claimed this task. Feb 26 2016, 8:17 PM
csteipp added a parent task: Restricted Task. Mar 1 2016, 6:02 PM
Luke081515 updated the task description. Mar 1 2016, 6:07 PM

This was deployed with https://gerrit.wikimedia.org/r/#/c/274795/.

This has been live on all wikis for about 2 hours, and 4k hashes have been converted so far. Authentications (https://grafana.wikimedia.org/dashboard/db/authentications) seem to be progressing at the normal pace.

Stats from CountPasswordTypes2.php
md5:12034721
type-a:84656
type-b:24063500
pbkdf2 (256):9552526
pbkdf2 (512):4485
zero-length:103908
'nologin':257

csteipp closed this task as Resolved. Mar 8 2016, 6:08 PM

Public patch for DefaultSettings.php is https://gerrit.wikimedia.org/r/275868 (since T127445 was opened publicly).

I think we can just cherry pick that back to all the release branches, unless that throws off creating the security patch?

demon added a subscriber: demon. May 10 2016, 10:17 PM

Public patch for DefaultSettings.php is https://gerrit.wikimedia.org/r/275868 (since T127445 was opened publicly).

I think we can just cherry pick that back to all the release branches, unless that throws off creating the security patch?

They'll need manual porting anyway because of the array() syntax change.

demon changed the visibility from "Custom Policy" to "Public (No Login Required)". May 20 2016, 5:26 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. May 20 2016, 5:26 PM