Menu
▾
▴
firebird-devel
|
From: Alex P. <pe...@in...> - 2004-09-21 09:06:27
|
Hi! During last two weeks I implemented crypt plugins facility for firebird engine. This work was discussed privately with Paul and Dmitry. It was a part of security review, oriented primary to disable interesting firebird 1.5 "feature" - any user could attach to security.fdb file and read all other user's (inc SYSDBA) password's hashes from it. It was enough to: # isql $FBROOT/security.fdb SQL> select * from USERS; In addition for CS security.fdb may be stolen as file by any user, granted local access to firebird - it's required to give such users at least read access to security database. As a minimum counter-measure there is a well known (I think) patch of Ivan Prenosil, which simultaneously disables ability to read other's data from USERS and let user change his own password. But this absolutely doesn't help with stolen file. Therefore I've decided to implement ability to use any crypting algorythm in a form of "crypt plugin" for firebird. Adding of such plugins to engine itself was not a problem. With existing PluginManager it's really easy to invoke required plugins in a really flexible way. I should mention, that for today each password is hashed twice - once at client side, next at server side. In order not to break remote protocol I keep client-side crypting "as is", moreover - for all clients except posix embedded this makes possible not to use loadable libraries (and firebird.conf) at the client. Old ENC_crypt() remains builtin for both client and server. As a quite real sample I've wrote md5 hash calculating plugin, based on openssl. Which crypt plugin(s) to use is defined by Crypt entry in firebird.conf. As default I suggest to use md5, making new installations secure. Use of multiple crypt plugins may be needed at the step of upgrading from 1.x to 2.0 - sysadmin may copy old database and use special keyword "legacy" (means use builtin ENC_crypt) in firebird.conf: Crypt=md5;legacy In this case both md5 and ENC_crypt are used to try for old hashes, but only the first one (md5) is always used to build new ones. Without this feature it becomes impossible to login to the server with md5 crypting using old security.fdb, which appears not good when upgrading existing installations. Users may be given some period to refresh their passwords, after it sysadmin reverts Crypt back to default. All this already works fine if services are used to work with security database. Unfortunately, even if checking of existing passwords always performed by server, creating new ones may happen in 3 ways: 1. Service manager (already works OK). 2. isc_add/modify_user. 3. gsec. Pay attention, that p.2&3 ran both crypting steps on client and sent complete hash directly to security database. In order not to deal with plugins at client side (and certainly to have centralized control upon which crypt plugin to be used!) I reworked both of them to make them use service manager instead of direct modification of security database. Special case - embedded classic server on posix, there that same client gsec is used by services, and therefore must be able to write to security database, but it's not a problem because on that server we already have required plugin to verify passwords. To implement completely -database switch of gsec it was necessary to be able to pass database name to work with to service manager. This feature was already half-done in firebird, therefore I repaired it. To work correctly with SPB new SPB parameter (isc_spb_sec_database) was added. For today only modification of security database is done via services, user listing is printed scanning database directly by gsec. The reason for it is that current services don't include "line-separators" from user to user, therefore it's hard to get security information in traditional for gsec way from service output. The last known to me problem was that old version of gsec might be occasionally used to modify users, and put old hashes in security database, making it unusable. To prevent it, I've added new dpb parameter, isc_dpb_gsec_attach - we already have such for gbak, gfix, gstat. Don't mix it with isc_dpb_sec_attach, it's used internally to mark SecurityDatabase attachment to this database. If security database (detected by name) is opened, dpb is checked for presence of this parameter. Old versions obviously can't substitute it - they know nothing about. Pay attention, that for today this is not an additional security feature - any application can specify isc_dpb_gsec_attach and get direct access to security database. But if we decide to rework services a bit more, it's quite possible to drop isc_dpb_gsec_attach / isc_dpb_sec_attach from remote connections, making impossible to non-local users to attach to security.fdb directly. This may have one more useful side-effect. For today we support anonymous service, which w/o requesting any login information reports location of security.fdb on server (fullpath). It's used by remote gsec to attach to security database, and as soon as we don't need such attachment this service may be dropped too. I don't want to say that reporting path to security.fdb is really big security problem, but don't like it anyway. As a part of this work I've applied Ivan's patch to security.fdb, and faced one bad result. Thereis problem with it in both 1.5 and HEAD. User can't be deleted, because views having COMPUTED fields from underlying tables may be used to insert/update records (certainly, if this fields are not modified), but before delete check is made for ability to modify ALL fields in view. I fixed it deleting records directly from table, not view, but I think this should be treated as a separate firebird bug. Question: should crypt plugins be added to (frozen !) 2.0 or not ? Alex. |
|
From:
<car...@te...> - 2004-09-21 09:33:31
|
Hello: > As default I suggest to use md5, making new installations secure. MD5 isn't secure, read this: http://pages.infinit.net/ctech/20040918-0855.html -- Best regards Carlos Guzmán Álvarez Vigo-Spain |
|
From: Alex P. <pe...@in...> - 2004-09-21 09:47:33
|
Carlos Guzm=E1n =C1lvarez wrote: > >> As default I suggest to use md5, making new installations secure.=20 > > > MD5 isn't secure, read this: > > http://pages.infinit.net/ctech/20040918-0855.html Do we have appropriate (from both licensing and supported OSs)=20 implementation of mentioned there SHA-1 or better SHA-2 ? A. |
|
From:
<car...@te...> - 2004-09-21 10:18:51
|
Hello: > Do we have appropriate (from both licensing and supported OSs) > implementation of mentioned there SHA-1 or better SHA-2 ? You mention in the first post that you the md5 plugin is based on openssl, right ?? if yes, they should have an sha1 implementation as well as it's needed for SSL/TLS implementations -- Best regards Carlos Guzmán ÁLvarez Vigo-Spain |
|
From: Jim S. <ja...@ne...> - 2004-09-21 14:21:05
|
Carlos Guzm=E1n =C1lvarez wrote:
> Hello:
>
>> Do we have appropriate (from both licensing and supported OSs)=20
>> implementation of mentioned there SHA-1 or better SHA-2 ?
>
>
> You mention in the first post that you the md5 plugin is based on
> openssl, right ?? if yes, they should have an sha1 implementation
> as well as it's needed for SSL/TLS implementations
Cryptlib is close to the gold standard:
// cryptlib.h - written and placed in the public domain by Wei Dai
/*! \file
This file contains the declarations for the abstract base
classes that provide a uniform interface to this library.
*/
/*! \mainpage <a href=3D"http://www.cryptopp.com">Crypto++</a>=20
Reference Manual
--=20
Jim Starkey
Netfrastructure, Inc.
978 526-1376
|
|
From: eg <eg...@ju...> - 2004-09-22 15:40:20
|
Jim Starkey wrote: > Cryptlib is close to the gold standard: > > // cryptlib.h - written and placed in the public domain by Wei Dai > /*! \file > This file contains the declarations for the abstract base > classes that provide a uniform interface to this library. > */ > > /*! \mainpage <a href=3D"http://www.cryptopp.com">Crypto++</a>=20 > Reference Manual > Peter Guttman's cryptlib is here: http://www.cs.auckland.ac.nz/~pgut001/cryptlib/index.html |
|
From: Alex P. <pe...@in...> - 2004-09-21 14:32:14
|
Carlos Guzm=E1n =C1lvarez wrote: > Hello: > >> Do we have appropriate (from both licensing and supported OSs)=20 >> implementation of mentioned there SHA-1 or better SHA-2 ? > > > You mention in the first post that you the md5 plugin is based on > openssl, right ?? if yes, they should have an sha1 implementation > as well as it's needed for SSL/TLS implementations > Yes, appears it will not be a problem to use some other digest instead=20 of md5. A. |
|
From: <Car...@Ne...> - 2004-09-21 10:37:41
|
Alex Peshkov wrote: > > MD5 isn't secure, read this: > > > > http://pages.infinit.net/ctech/20040918-0855.html > > Do we have appropriate (from both licensing and supported OSs)=20 > implementation of mentioned there SHA-1 or better SHA-2 ? > A. You can look at http://www.cityinthesky.co.uk/delphi.html the author says it already compiles on Borland Builder C++. For benchmark info look at: http://packetstormsecurity.nl/crypt/LIBS/cryptolib/benchmarks.html Best regards, Carlos Macao |
|
From: Alex P. <pe...@in...> - 2004-09-21 11:59:06
|
Carlos Ma=E7=E3o wrote: >Alex Peshkov wrote: > > =20 > >>>MD5 isn't secure, read this: >>> >>>http://pages.infinit.net/ctech/20040918-0855.html >>> =20 >>> >>Do we have appropriate (from both licensing and supported OSs)=3D20 >>implementation of mentioned there SHA-1 or better SHA-2 ? >>A. >> =20 >> > >You can look at http://www.cityinthesky.co.uk/delphi.html the author >says it already compiles on Borland Builder C++. > =20 > Delphi, Pascal - not ok. It is not OS-portable. >For benchmark info look at: >http://packetstormsecurity.nl/crypt/LIBS/cryptolib/benchmarks.html > > =20 > A. |
|
From: carlos g.a. <car...@te...> - 2004-09-21 12:24:50
|
Hello: > Delphi, Pascal - not ok. It is not OS-portable. I have done a little search at sourceforge: http://www.eskimo.com/~weidai/cryptlib.html (but maybe the best will be to use openssl) -- Best regards Carlos Guzm=C3=A1n =C3=A1lvarez Vigo-Spain |
|
From: Carlos M. <Car...@Ne...> - 2004-09-21 12:35:53
|
Alex Peshkov wrote: > Carlos Ma=E7=E3o wrote: > > > Alex Peshkov wrote: > > > > =20 > > > > > > MD5 isn't secure, read this: > > > > > > > > http://pages.infinit.net/ctech/20040918-0855.html > >>> =20 > > > > > > > Do we have appropriate (from both licensing and supported > > > OSs)=3D20 implementation of mentioned there SHA-1 or better SHA-2 > > > ? A. > >> =20 > > > > > > > You can look at http://www.cityinthesky.co.uk/delphi.html the author > > says it already compiles on Borland Builder C++. > > =20 > > > Delphi, Pascal - not ok. It is not OS-portable. > Of course I am not proposing to use the direct implementation, but based on the already mentioned compatibility with Borland Builder C++ and because we are talking about math algorithms it should not be difficult to port it to standard C++. Best regards, Carlos Macao |
|
From: Thomas M. <tm...@bs...> - 2004-09-21 14:10:36
|
> > > >Of course I am not proposing to use the direct implementation, but >based on the already mentioned compatibility with Borland Builder C++ >and because we are talking about math algorithms it should not be >difficult to port it to standard C++. > >Best regards, >Carlos Macao > > I have to agree with Carlos, converting it to C++ should be real easy. But Pascal is available on lots of OS platforms with FreePascal (not that I am advicating mixing Object Pascal and C++. I am not). -- Thomas Miller Delphi Client/Server Certified Developer BSS Accounting & Distribution Software BSS Enterprise Accounting FrameWork http://www.bss-software.com http://sourceforge.net/projects/dbexpressplus |
|
From: Mark O'D. <mar...@fi...> - 2004-09-24 04:27:34
|
Carlos Guzmán Álvarez wrote: > Hello: > >> As default I suggest to use md5, making new installations secure. > > > MD5 isn't secure, read this: > Thats a bit dramatic - and wrong! > http://pages.infinit.net/ctech/20040918-0855.html Well he does say: > There is a lot of techno-talk (and FUD) about this. Actually this > isn't big news as MD5 had been known to be weak for quite some time > "weak" is a fairly judgemental term, he then points to: > For those interested to understand more in a single page I suggest > the recent article from Bruce Schneier. So what Does Bruce actually say: > Cryptanalysis of the MD4 family of hash functions has proceeded in > fits and starts over the last decade or so, with results against > simplified versions of the algorithms and partial results against the > whole algorithms. This year, Eli Biham and Rafi Chen, and separately > Antoine Joux, announced some pretty impressive cryptographic results > against MD5 and SHA. Collisions have been demonstrated in SHA. And > there are rumors, unconfirmed at this writing, of results against > SHA-1. Actually the real news was, that SHA-1 may be as unsafe as MD5. In the same article Bruce also says: > To a user of cryptographic systems -- as I assume most readers are -- > this news is important, but not particularly worrisome. MD5 and SHA > aren't suddenly insecure. No one is going to be breaking digital > signatures or reading encrypted messages anytime soon with these > techniques. The electronic world is no less secure after these > announcements than it was before. > Basically, MD5 and SHA1 are both currently secure - despite the techno-talk FUD. Cheers Mark |
|
From: Edward F. <ed...@cd...> - 2004-09-24 14:13:51
|
Mark O'Donohue wrote: >> Cryptanalysis of the MD4 family of hash functions has proceeded in >> fits and starts over the last decade or so, with results against >> simplified versions of the algorithms and partial results against the >> whole algorithms. This year, Eli Biham and Rafi Chen, and separately >> Antoine Joux, announced some pretty impressive cryptographic results >> against MD5 and SHA. Collisions have been demonstrated in SHA. And >> there are rumors, unconfirmed at this writing, of results against SHA-1. > > Actually the real news was, that SHA-1 may be as unsafe as MD5. Just so everyone knows: any function (hash or otherwise) which outputs fewer bits than it takes in WILL ALWAYS HAVE COLLISIONS. This is expected, and well known. Security vulnerabilities in hashes only arise when a method of reversing a hash become pheasible. |
|
From: Frank Schlottmann-G. <fra...@ep...> - 2004-09-21 11:01:28
|
Alex Peshkov wrote:
> Hi!
> Question: should crypt plugins be added to (frozen !) 2.0 or not ?
Yes, please.
Frank
--
"Fascinating creatures, phoenixes, they can carry immensely heavy loads,
their tears have healing powers and they make highly faithful pets."
- J.K. Rowling
|
|
From: Alex P. <pe...@in...> - 2004-09-21 14:17:53
|
Frank Schlottmann-Goedde wrote: > Alex Peshkov wrote: > >> Hi! >> Question: should crypt plugins be added to (frozen !) 2.0 or not ? > > > Yes, please. I also think so. But let's wait for other peoples minds. A. |
|
From: Jim S. <ja...@ne...> - 2004-09-21 11:50:05
|
Alex Peshkov wrote: > Hi! > > During last two weeks I implemented crypt plugins facility for > firebird engine. This work was discussed privately with Paul and Dmitry. Private "security reviews" are stupid and short sighted. Security is either robust or a joke. Security isn't robust until many interested eyes and minds have reviewed the set of problems and prospective solutions. Are you trying to solve real problems and just looking for a circle to run around? I asked before that a security architect be developed and discussed before anything was implemented. Without a security architecture, how do we know how a smattering of features interplays with other work under development? For example, Interbase and Firebird through 2.0 use an architecturally unsupportable hack that breaks the layering to connect to the security database. It can't be implemented in Vulcan. You're adding special semantics for the security database. How does it know that it's a security database? Why do you care is J. Random User reads a secure hash of a password? He can't do anything with it? Trying to hide the hash is completely pointless. Hiding it in an ineffective manner is less than pointless. What earthly good is a patch that blocks readers if a user can copy the database file and compile a version of Firebird without the patch? Without an end to end analysis, plugging perceived holes is dumb. The politcally/correct hack was an example of really stupid design, as was the silly idea of "encrypting" passwords on the wire. Plugging holes usually means little plugs in big holes that do nothing to make the entire system more secure. At worst, they are ineffective hacks that interfere with future robust security. I'm really sorry if it's an inconvenience to write up and present a prospective architecture for others to review, but that's the only way to make a system secure. The security architecture is more important that the code. It should come first. I don't want to see any "security" enhancements checked into anything until we have had an opportunity to review the big picture first. Phasing in a secure hash make sense. I don't see that any of the rest makes sense at all. |
|
From: Alex P. <pe...@in...> - 2004-09-21 14:16:41
|
Jim Starkey wrote: > > > Alex Peshkov wrote: > >> Hi! >> >> During last two weeks I implemented crypt plugins facility for >> firebird engine. This work was discussed privately with Paul and Dmitry. > > > Private "security reviews" are stupid and short sighted. Security is > either robust or a joke. Security isn't robust until many interested > eyes and minds have reviewed the set of problems and prospective > solutions. Are you trying to solve real problems and just looking for > a circle to run around? It seems to me that I've described them in my letter - we can't prevent stealing hashes of passwords (at least for CS on posix). Current hashes may be relatively easy brutforced on a modern CPUs. Therefore let's try to make them hard to brutforce. The best way is to let people use that hashes they trust. Therefore - crypt plugins. > I asked before that a security architect be developed and discussed > before anything was implemented. Without a security architecture, how > do we know how a smattering of features interplays with other work > under development? For example, Interbase and Firebird through 2.0 > use an architecturally unsupportable hack that breaks the layering to > connect to the security database. It can't be implemented in Vulcan. > You're adding special semantics for the security database. How does > it know that it's a security database? It asks class SecurityDatabase about security db-name, and compares with one to be attached. > Why do you care is J. Random User reads a secure hash of a password? > He can't do anything with it? Appears with exesting hashes - can. It's possible to brutforce them. > Trying to hide the hash is completely pointless. Please compare /etc/passwd and /etc/master.passwd in FreeBSD. Are you sure they do pointless things? > Hiding it in an ineffective manner is less than pointless. With some additional work done I can effectively hide them for remote connections. Is this pointless? If sysadmin wants to hide them completely, it's enough for him to block local (embedded) connections. > What earthly good is a patch that blocks readers if a user can copy > the database file and compile a version of Firebird without the patch? I thought that patch is well known. It does absolutely nothing with engine - only database modification. For details please http://www.volny.cz/iprenosil/interbase/ > > Without an end to end analysis, plugging perceived holes is dumb. The > politcally/correct hack was an example of really stupid design, as was > the silly idea of "encrypting" passwords on the wire. Plugging holes > usually means little plugs in big holes that do nothing to make the > entire system more secure. At worst, they are ineffective hacks that > interfere with future robust security. I tried to avoid mentioned problems, but before discussing something public, it was necessary (for me) to have a working prototype. Building it helped me find problems, which I could not even imagine without this work done. > > I'm really sorry if it's an inconvenience to write up and present a > prospective architecture for others to review, but that's the only way > to make a system secure. > > The security architecture is more important that the code. It should > come first. > > I don't want to see any "security" enhancements checked into anything > until we have had an opportunity to review the big picture first. > Phasing in a secure hash make sense. I don't see that any of the rest > makes sense at all. Sorry, it simply doesn't work without other changes. I tried to explain why, may be I expressed my thought not well enough, but I'd like to see what real problems this change creates, not only common words. I wanted to solve one main problem - give users an ability to use such hashes for passwords that they want. I think my design solves this particular problem. I don't know, what addtional problems it may raise for future security design. Moreover, with hash calculation, moved from client to server, future security review seems easier - for example, implementation of auth plugins. Alex. |
|
From: Thomas M. <tm...@bs...> - 2004-09-21 14:43:20
|
> > Sorry, it simply doesn't work without other changes. I tried to > explain why, may be I expressed my thought not well enough, but I'd > like to see what real problems this change creates, not only common > words. > I wanted to solve one main problem - give users an ability to use such > hashes for passwords that they want. I think my design solves this > particular problem. I don't know, what addtional problems it may raise > for future security design. Moreover, with hash calculation, moved > from client to server, future security review seems easier - for > example, implementation of auth plugins. > > Alex. > The question isn't whether is is good, bad, or indifferent. There are lots of issues surrounding security that are bad in FB. Instead of band aiding it, Jim is proposing that we come up with a strategy to fix it right in FB3. 2.0 is frozen. I am hoping to see the security database disappear in FB3 so security is built into the db file. I am also hoping that all security is supported and can be managed through SQL code. I suggested a long time ago to have a plug in solution for encryption and compression, not of the passwords, but the data going over the wire. So if a plugin architecture is being designed, developed and implemented, it would make sense that it work in both places. I am sure there are other security issues that need to be addressed that I am unfamiliar with (which is why Jim wants an open discussion so more eyes are on the problem). -- Thomas Miller Delphi Client/Server Certified Developer BSS Accounting & Distribution Software BSS Enterprise Accounting FrameWork http://www.bss-software.com http://sourceforge.net/projects/dbexpressplus |
|
From: Jim S. <ja...@ne...> - 2004-09-21 15:03:43
|
Alex Peshkov wrote: > JIt seems to me that I've described them in my letter - we can't > prevent stealing hashes of passwords (at least for CS on posix). > Current hashes may be relatively easy brutforced on a modern CPUs. > Therefore let's try to make them hard to brutforce. The best way is to > let people use that hashes they trust. Therefore - crypt plugins. Wrong on every count. The SHA hashes are considered by security experts to be secure. SHA-1 produces a 160 bit hash, which is considered unbreakable. It can be broken by iterating through every possible password or lists of possible passwords, but reasonable password security can readily defeat that. The point, however, is that the strength of security is the weakest link, and the hash algorithm is far, far from the weakest link. It is rather pointless to worry about the relative merits of SHA versus MD5 when we're sending passwords in the clear. Any password sniffer installed on any lan through which IP traffic passes can pick up the passwords, so why worry about the hash? The reason that a security architecture is essential is to determine the relative strengths of the links and shore up the weaker. Sure, the existing cypt is a farce and should be replaced with SHA, but the rest of your proposal adds nothing to security and gets in the way of doing it right. > >> I asked before that a security architect be developed and discussed >> before anything was implemented. Without a security architecture, >> how do we know how a smattering of features interplays with other >> work under development? For example, Interbase and Firebird through >> 2.0 use an architecturally unsupportable hack that breaks the >> layering to connect to the security database. It can't be >> implemented in Vulcan. You're adding special semantics for the >> security database. How does it know that it's a security database? > > > It asks class SecurityDatabase about security db-name, and compares > with one to be attached. Vulcan supports any number of security databases. Your scheme is useless in version 3. But since there is no reliable way to compare two Windows filenames (which is the source of endless database corruptions), your scheme doesn't even work in version 2. > >> Why do you care is J. Random User reads a secure hash of a password? >> He can't do anything with it? > > > Appears with exesting hashes - can. It's possible to brutforce them. You might want to do some homework before you make this statement. > >> Trying to hide the hash is completely pointless. > > > Please compare /etc/passwd and /etc/master.passwd in FreeBSD. Are you > sure they do pointless things? We're talking about Firebird here. What FreeBSD may or may not have done has nothing to do with the merits of your proposal. If you have a security analysis, publish it and we'll consider it. Otherwise, write one. > >> Hiding it in an ineffective manner is less than pointless. > > > With some additional work done I can effectively hide them for remote > connections. Is this pointless? If sysadmin wants to hide them > completely, it's enough for him to block local (embedded) connections. Yes, it is pointless. You can't block embedded access if the file can be read. All you can do is make it moderately inconvenient. Don't confuse "inconvenient" with "secure". > >> Without an end to end analysis, plugging perceived holes is dumb. >> The politcally/correct hack was an example of really stupid design, >> as was the silly idea of "encrypting" passwords on the wire. >> Plugging holes usually means little plugs in big holes that do >> nothing to make the entire system more secure. At worst, they are >> ineffective hacks that interfere with future robust security. > > > I tried to avoid mentioned problems, but before discussing something > public, it was necessary (for me) to have a working prototype. > Building it helped me find problems, which I could not even imagine > without this work done. If this is a working prototype, why are you asking whether you can check it in? > >> >> I'm really sorry if it's an inconvenience to write up and present a >> prospective architecture for others to review, but that's the only >> way to make a system secure. >> >> The security architecture is more important that the code. It should >> come first. >> >> I don't want to see any "security" enhancements checked into anything >> until we have had an opportunity to review the big picture first. >> Phasing in a secure hash make sense. I don't see that any of the >> rest makes sense at all. > > > Sorry, it simply doesn't work without other changes. I tried to > explain why, may be I expressed my thought not well enough, but I'd > like to see what real problems this change creates, not only common > words. > I wanted to solve one main problem - give users an ability to use such > hashes for passwords that they want. I think my design solves this > particular problem. I don't know, what addtional problems it may raise > for future security design. Moreover, with hash calculation, moved > from client to server, future security review seems easier - for > example, implementation of auth plugins. No architecture, no implementation. Unless you have an analysis that demonstates, after full discussion, that your proposal increases security, it shouldn't be done. Why not phase out the crypt hash in favor of SHA-1 and skip the rest? -- Jim Starkey Netfrastructure, Inc. 978 526-1376 |
|
From: Alex P. <pe...@in...> - 2004-09-22 07:22:01
|
Jim Starkey wrote: > > > Alex Peshkov wrote: > > Wrong on every count. The SHA hashes are considered by security > experts to be secure. SHA-1 produces a 160 bit hash, which is > considered unbreakable. It can be broken by iterating through every > possible password or lists of possible passwords, but reasonable > password security can readily defeat that. > > The point, however, is that the strength of security is the weakest > link, and the hash algorithm is far, far from the weakest link. It is > rather pointless to worry about the relative merits of SHA versus MD5 > when we're sending passwords in the clear. Any password sniffer > installed on any lan through which IP traffic passes can pick up the > passwords, so why worry about the hash? The reason is simple. It's easy to protect your network connection from sniffers using any tool you like. But currently it's impossible to protect from 'select user_name, password from users;', no 3-rd party software will help you. Any user can read hashes of all others. We can solve this problem only inside firebird, for example, making hashes harder to brutforce. > > The reason that a security architecture is essential is to determine > the relative strengths of the links and shore up the weaker. Sure, > the existing cypt is a farce and should be replaced with SHA, but the > rest of your proposal adds nothing to security and gets in the way of > doing it right. > Agreed, letting users change there passwords, stands aside. I was wrong mixing two different features together. But do you think it's useless? Without the rest of my proposals new hashes don't work, I mean don't work reliably. Assume sysdba attaching to server with gsec version 1.5. He successfully changes sysdba's password (yes, he is wrong, but he is even not warned about!), but this is not SHA hash, this is existing crypt hash. The only known to me way to save such database is to copy it to the server with working firebird and use new gsec. Almost all the rest of my proposals is to exclude such situation. What about replacing crypt with HSA - it is certainly possible, but plugins desision seems better. Why force people using one and only one kind of hash? Experts now say that SHA is safe, but when current crypt was used it also seemed to be OK. >> >>> I asked before that a security architect be developed and discussed >>> before anything was implemented. Without a security architecture, >>> how do we know how a smattering of features interplays with other >>> work under development? For example, Interbase and Firebird through >>> 2.0 use an architecturally unsupportable hack that breaks the >>> layering to connect to the security database. It can't be >>> implemented in Vulcan. You're adding special semantics for the >>> security database. How does it know that it's a security database? >> >> >> >> It asks class SecurityDatabase about security db-name, and compares >> with one to be attached. > > > Vulcan supports any number of security databases. Your scheme is > useless in version 3. But since there is no reliable way to compare > two Windows filenames (which is the source of endless database > corruptions), your scheme doesn't even work in version 2. Current isc_expand() seems to give reliable results for existing files. May be there are special tricks to break this method, but being used they will lead to corruption of security.fdb, as you mentioned already, and I changed nothing here. I hope that this scheme will not be needed in v.3 with new security architecture, but in version 2 it is needed for one simple reason - help people avoid attaching to security database using old versions of gsec, which used to build hashes on the client. If sysdba wants to break security database (or user wants to attach to it and write bad hash for hymself), certainly he can do it, but this is not a trivial task, and he will not do it accidentially, as it was really easy without this change. >> >> >> Appears with exesting hashes - can. It's possible to brutforce them. > > > You might want to do some homework before you make this statement. May be - I trusted information reported by someone (Mark ? Sorry, don't remember exactly) in fb* lists, that current hashes are not enough strong for brutforce. I didn't try myself. > >> >>> Trying to hide the hash is completely pointless. >> >> >> >> Please compare /etc/passwd and /etc/master.passwd in FreeBSD. Are you >> sure they do pointless things? > > > We're talking about Firebird here. What FreeBSD may or may not have > done has nothing to do with the merits of your proposal. If you have > a security analysis, publish it and we'll consider it. Otherwise, > write one. Agreed, and this was not my purporse. I wanted to let people, not happy with quality of current hashes, use one they like. > >> >>> Hiding it in an ineffective manner is less than pointless. >> >> >> >> With some additional work done I can effectively hide them for remote >> connections. Is this pointless? If sysadmin wants to hide them >> completely, it's enough for him to block local (embedded) connections. > > > Yes, it is pointless. You can't block embedded access if the file > can be read. All you can do is make it moderately inconvenient. > Don't confuse "inconvenient" with "secure". Agreed once more. I wanted to make it inconvenient to avoid accidential misuse with old tools. >> >>> Without an end to end analysis, plugging perceived holes is dumb. >>> The politcally/correct hack was an example of really stupid design, >>> as was the silly idea of "encrypting" passwords on the wire. >>> Plugging holes usually means little plugs in big holes that do >>> nothing to make the entire system more secure. At worst, they are >>> ineffective hacks that interfere with future robust security. >> >> >> >> I tried to avoid mentioned problems, but before discussing something >> public, it was necessary (for me) to have a working prototype. >> Building it helped me find problems, which I could not even imagine >> without this work done. > > > If this is a working prototype, why are you asking whether you can > check it in? Because 2.0 is frozen. I like NS proposal to build a public branch, and will follow it. After other people review my changes and if they also treat them useful, they will be used in 2.0. Alex. |
|
From: Aleksey K. <kar...@cm...> - 2004-09-22 08:26:10
|
"Alex Peshkov" <pe...@in...> wrote in message news:415...@in...... > > The reason is simple. It's easy to protect your network connection from > sniffers using any tool you like. But currently it's impossible to > protect from 'select user_name, password from users;', no 3-rd party > software will help you. Any user can read hashes of all others. We can > solve this problem only inside firebird, for example, making hashes > harder to brutforce. As always, there is no need to reinvent the wheel. The problem of secure authentication has been addressed by security protocols such as Kerberos or NTLM. Using such a protocol will completely hide the details of password hashing algorithm, data encryption, etc. The work on using OS-integrated security protocols was planned to develop in Yaffil, but due to some reasons, both objective and subjective, only the initial research was done. Secure authentication will require the following development: 1. Modification of network protocol to allow transmission of authentacation handshake packets both with sealed/encrypted data packets and negotiating security capabilities supported. 2. Interface to OS-provided (or external librarires) security components. 3. The format of user identity information and mapping to database users. 4. Handling of group membership and mapping it to the existing authorization method (SQL roles) or developing a new group authorization model. 5. Configuration, both on client on server. It is should be clear that the problem of "stealing the security database" has no software solution. If an attacker can steal the security database, it is likely he can steal any other file as well, including the database files itself. Which hashing algorithm is used is therefore irrelevant. For secure database there should be the physical security arranged on the database server. Thus, there are two subjects in the network conversation : the client and the server. The authentication (establising of trust relationship) is performed between them (mutual authentication is reasonable), but not between the client and the database. Thus, it seems that controlling security on per-database basis seems questionable. > > > > Vulcan supports any number of security databases. Your scheme is > > useless in version 3. But since there is no reliable way to compare > > two Windows filenames (which is the source of endless database > > corruptions), your scheme doesn't even work in version 2. > > Current isc_expand() seems to give reliable results for existing files. There is, actually, a reliable method to check if two files are the same on Windows, at least on the local disks. However, it has little sense in the described situation because you address the effect but not the cause. Regards, Aleksey Karyakin |
|
From: Jim S. <ja...@ne...> - 2004-09-22 11:47:53
|
Alex Peshkov wrote: >> >> The point, however, is that the strength of security is the weakest >> link, and the hash algorithm is far, far from the weakest link. It >> is rather pointless to worry about the relative merits of SHA versus >> MD5 when we're sending passwords in the clear. Any password sniffer >> installed on any lan through which IP traffic passes can pick up the >> passwords, so why worry about the hash? > > > The reason is simple. It's easy to protect your network connection > from sniffers using any tool you like. But currently it's impossible > to protect from 'select user_name, password from users;', no 3-rd > party software will help you. Any user can read hashes of all others. > We can solve this problem only inside firebird, for example, making > hashes harder to brutforce. Ah, clearly you have never run a network of Linux servers. The life expectancy of an out-of-the-box Linux from a disto is about 72 hours. However, even without hackers, any PC user can put his ethernet board into promiscuous mode and get all traffic. And if you leave your LAN, every node on any IP routing can read your traffic. Do you really want to hand them your passwords? If you don't believe in the strength of encryption, however, nothing works. For security design purposes, secure hash is presumed secure. In practice and known theory, SHA is secure. Loss of password over the wire is 10**10 more important than worrying that someone will break a secure hash. > >> >> The reason that a security architecture is essential is to determine >> the relative strengths of the links and shore up the weaker. Sure, >> the existing cypt is a farce and should be replaced with SHA, but the >> rest of your proposal adds nothing to security and gets in the way of >> doing it right. >> > Without the rest of my proposals new hashes don't work, I mean don't > work reliably. Assume sysdba attaching to server with gsec version > 1.5. He successfully changes sysdba's password (yes, he is wrong, but > he is even not warned about!), but this is not SHA hash, this is > existing crypt hash. The only known to me way to save such database is > to copy it to the server with working firebird and use new gsec. > Almost all the rest of my proposals is to exclude such situation. What > about replacing crypt with HSA - it is certainly possible, but plugins > desision seems better. Why not just encode all new passwords with SHA (no choice) and check first for SHA then crypt. Then no changes are necessary in any tools. All a DBA has to do to cut over is redefine all passwords. It compatible, no worse than what is there now, and he can do it at his leasure. > Why force people using one and only one kind of hash? Experts now say > that SHA is safe, but when current crypt was used it also seemed to be > OK. Crypt is what all Unix systems used at the time. Not much point in being more secure than the platform you run on. It was a bad choice, but better than rolling their own. In any case, they (the Borland guys) didn't think about it very much. >>>> I asked before that a security architect be developed and discussed >>>> before anything was implemented. Without a security architecture, >>>> how do we know how a smattering of features interplays with other >>>> work under development? For example, Interbase and Firebird >>>> through 2.0 use an architecturally unsupportable hack that breaks >>>> the layering to connect to the security database. It can't be >>>> implemented in Vulcan. You're adding special semantics for the >>>> security database. How does it know that it's a security database? >>> >>> >>> >>> >>> It asks class SecurityDatabase about security db-name, and compares >>> with one to be attached. >> >> >> >> Vulcan supports any number of security databases. Your scheme is >> useless in version 3. But since there is no reliable way to compare >> two Windows filenames (which is the source of endless database >> corruptions), your scheme doesn't even work in version 2. > > > Current isc_expand() seems to give reliable results for existing files. Alex, it doesn't. It can't detect that a local file with a remote mount are the same. That's how databases get trashed. It's also how to break your scheme. > May be there are special tricks to break this method, but being used > they will lead to corruption of security.fdb, as you mentioned > already, and I changed nothing here. I hope that this scheme will not > be needed in v.3 with new security architecture, but in version 2 it > is needed for one simple reason - help people avoid attaching to > security database using old versions of gsec, which used to build > hashes on the client. If sysdba wants to break security database (or > user wants to attach to it and write bad hash for hymself), certainly > he can do it, but this is not a trivial task, and he will not do it > accidentially, as it was really easy without this change. Again, it doesn't work in V2 and it's a non-starter in V3. > > May be - I trusted information reported by someone (Mark ? Sorry, > don't remember exactly) in fb* lists, that current hashes are not > enough strong for brutforce. I didn't try myself. This would be big news in the crypto community. If he can break SHA, he will be rich and famous. |
|
From: Alex P. <pe...@in...> - 2004-09-22 14:52:30
|
Jim Starkey wrote: > > >> The reason is simple. It's easy to protect your network connection >> from sniffers using any tool you like. But currently it's impossible >> to protect from 'select user_name, password from users;', no 3-rd >> party software will help you. Any user can read hashes of all others. >> We can solve this problem only inside firebird, for example, making >> hashes harder to brutforce. > > > Ah, clearly you have never run a network of Linux servers. The life > expectancy of an out-of-the-box Linux from a disto is about 72 hours. In one honey-net report I've seen even much smaller digits, for four experimental boxes it varied from 19 minutes to 25 hours. > However, even without hackers, any PC user can put his ethernet board > into promiscuous mode and get all traffic. This means - if you want secure network, use switches, not hubs. > And if you leave your LAN, every node on any IP routing can read your > traffic. Do you really want to hand them your passwords? > Certainly not, that's why if I need remote connection to firebird, I always use zebedee. > If you don't believe in the strength of encryption, however, nothing > works. For security design purposes, secure hash is presumed secure. > In practice and known theory, SHA is secure. Loss of password over > the wire is 10**10 more important than worrying that someone will > break a secure hash. > Agreed, but I can protect from loss of passwords in network without moification of engine (as described above). >> >>> >>> The reason that a security architecture is essential is to determine >>> the relative strengths of the links and shore up the weaker. Sure, >>> the existing cypt is a farce and should be replaced with SHA, but >>> the rest of your proposal adds nothing to security and gets in the >>> way of doing it right. >>> >> Without the rest of my proposals new hashes don't work, I mean don't >> work reliably. Assume sysdba attaching to server with gsec version >> 1.5. He successfully changes sysdba's password (yes, he is wrong, but >> he is even not warned about!), but this is not SHA hash, this is >> existing crypt hash. The only known to me way to save such database >> is to copy it to the server with working firebird and use new gsec. >> Almost all the rest of my proposals is to exclude such situation. >> What about replacing crypt with HSA - it is certainly possible, but >> plugins desision seems better. > > > Why not just encode all new passwords with SHA (no choice) and check > first for SHA then crypt. And at any moment have a number of passwords in crypt, not SHA, due to bad client, and without any warnings... I wanted to make default install without attempt to check for crypt hash. > Then no changes are necessary in any tools. All a DBA has to do to > cut over is redefine all passwords. It compatible, no worse than what > is there now, and he can do it at his leasure. > >> Why force people using one and only one kind of hash? Experts now say >> that SHA is safe, but when current crypt was used it also seemed to >> be OK. > > > Crypt is what all Unix systems used at the time. Not much point in > being more secure than the platform you run on. It was a bad choice, > but better than rolling their own. In any case, they (the Borland > guys) didn't think about it very much. > Sometimes it seems that they didn't think very much about many things. Could they that time : - calculate hashes on server, not client, - add a feature to use plugins for creating hashes, interbase might smoothly migrate from crypt to MDn and later to SHA-n. >>> >>> Vulcan supports any number of security databases. Your scheme is >>> useless in version 3. But since there is no reliable way to compare >>> two Windows filenames (which is the source of endless database >>> corruptions), your scheme doesn't even work in version 2. >> >> >> >> Current isc_expand() seems to give reliable results for existing files. > > > Alex, it doesn't. It can't detect that a local file with a remote > mount are the same. That's how databases get trashed. It's also how > to break your scheme. Ouuh, that's a bug in ISC_expand_filename(). I haven't known about it. Or may be it's a feature to access remote files on local sql server? I see a clear way to fix it, but may be someone use it as a 'feature'? But on a box, where I tried to reproduce a problem it was a setting to restrict database access in firebird.conf. Certainly, there was no path on mounted disk in restrict-list. Therefore I was not able to get access to security database using remote mount. But out-of-the-box installation really makes it possible to do this trick. On the other hand, will security database be trashed after such access? If yes, wrong hash in it doesn't make any difference. > >> May be there are special tricks to break this method, but being used >> they will lead to corruption of security.fdb, as you mentioned >> already, and I changed nothing here. I hope that this scheme will not >> be needed in v.3 with new security architecture, but in version 2 it >> is needed for one simple reason - help people avoid attaching to >> security database using old versions of gsec, which used to build >> hashes on the client. If sysdba wants to break security database (or >> user wants to attach to it and write bad hash for hymself), certainly >> he can do it, but this is not a trivial task, and he will not do it >> accidentially, as it was really easy without this change. > > > Again, it doesn't work in V2 and it's a non-starter in V3. > >> >> May be - I trusted information reported by someone (Mark ? Sorry, >> don't remember exactly) in fb* lists, that current hashes are not >> enough strong for brutforce. I didn't try myself. > > > This would be big news in the crypto community. If he can break SHA, > he will be rich and famous. > No, crypt was mentioned there. It's some misunderstanding, sorry. I meant crypt/DES. Alex. |
|
From: Jim S. <ja...@ne...> - 2004-09-22 15:53:52
|
Alex Peshkov wrote: > Jim Starkey wrote: > >> Why not just encode all new passwords with SHA (no choice) and check >> first for SHA then crypt. > > > And at any moment have a number of passwords in crypt, not SHA, due to > bad client, and without any warnings... I wanted to make default > install without attempt to check for crypt hash. A new install won't have any crypt hashed passwords. An update will, however, but unless you are prepared to brute force crypt for recover the original passwords (good luck), the clients will have to recreate their passwords anyway, which will be hash by SHA. I wouldn't bother with warnings; the system has worked that way since Interbase version 4, and if any case, you really aren't increasing the security of the system. >> Then no changes are necessary in any tools. All a DBA has to do to >> cut over is redefine all passwords. It compatible, no worse than >> what is there now, and he can do it at his leasure. > First, SHA is sufficient. Second, we don't have a security architecture or a serious design for a security plugin, so anything you do now is likely going to be deprecated in the next release. Third, either you restrict the user to a small set of builtin alternatives (none of which would be better than SHA), you have to go through the fuss and bother of designing an API for loadable hash algorithms. Fourth, the necessary changes to the configuration file will be inconsistent with Vulcan configuration files (Vulcan supports an object type for security plugin). Fifth, the hash algorithm is a property of one particularly security option, so it shouldn't be in the core system. Sixth, the "plugin manager" has been dropped from Vulcan as non-portable and replaced with a set of layered classes, so you implementation would be throw away. Bottom line: Because it's a lot of work that introduces more serious problems than it solves. It's short sighted, doesn't address serious problem, and isn't part of a coherent security architecture. >>> >>> Current isc_expand() seems to give reliable results for existing files. >> >> Alex, it doesn't. It can't detect that a local file with a remote >> mount are the same. That's how databases get trashed. It's also how >> to break your scheme. > > > Ouuh, that's a bug in ISC_expand_filename(). I haven't known about it. > Or may be it's a feature to access remote files on local sql server? I > see a clear way to fix it, but may be someone use it as a 'feature'? If you have a solution you will save dozens of users from opening database with different path names, getting different lock tables, and trashing their databases. If you've got a fix, the lock manager needs it. >>> May be - I trusted information reported by someone (Mark ? Sorry, >>> don't remember exactly) in fb* lists, that current hashes are not >>> enough strong for brutforce. I didn't try myself. >> >> >> This would be big news in the crypto community. If he can break SHA, >> he will be rich and famous. >> > No, crypt was mentioned there. It's some misunderstanding, sorry. I > meant crypt/DES. > Crypt was secure on a PDP-11/40. Computers have gotten faster since then. DES was down graded from a 64 bit key to a 56 bit key so it could be broken. But please remember, security is only as strong as the weakest link, and even DES would be a step up. If you want to do something useful before we can agree on a security architecture, why not implement "create user" in SQL so we can phase out gsec altogether? -- Jim Starkey Netfrastructure, Inc. 978 526-1376 |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X