Date: Thu, 27 Feb 2014 20:14:17 -0500 From: Allan Jude <freebsd@allanjude.com> To: FreeBSD Current <freebsd-current@freebsd.org> Subject: Feature Proposal: Transparent upgrade of crypt() algorithms Message-ID: <530FE2E9.5010902@allanjude.com>
next in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --tGWrCDJ6hnqBuHX9taUi43m2RbVIcg0n9 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable With r262501 (http://svnweb.freebsd.org/base?view=3Drevision&revision=3D262501) import= ing the upgraded bcrypt from OpenBSD and eventually changing the default identifier for bcrypt to $2b$ it reminded me of a feature that is often seen in Forum software and other web apps. Transparent algorithm upgrade. Excuse the sloppy pseudo-code: new_format =3D login_conf.get('passwd_format') username =3D user.input() plain_pass =3D user.input() hash =3D master.passwd.get(username) salt =3D hash.get_salt() if (crypt(plain_pass, salt) =3D=3D hash) { /* Successful login */ if (crypt_get_format(hash) !=3D new_format) { /* Upgrade crypt() algorithm */ crypt_set_format(new_format) new_salt =3D random() new_hash =3D crypt(plain_pass, new_salt) result =3D master.passwd.set_password(username, new_hash) } } else { /* Unsuccessful login */ } Basically, when a user successfully authenticates, if some new option is enabled in login.conf, use the plain text password attempt while we have it, to re-hash the password with the new algorithm and update the master.passwd file This would make it much easier to transition a very large userbase from md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or something. This might actually be more applicable with my next suggestion, exposing tuneables to control the number of rounds for bcrypt and sha512crypt. As this would make it easy to upgrade all existing bcrypt/sha512crypt hashes from the default number of rounds (10^4 and 5000 respectively) to higher values. --=20 Allan Jude --tGWrCDJ6hnqBuHX9taUi43m2RbVIcg0n9 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTD+LsAAoJEJrBFpNRJZKfuPAP/0kBuEW5hEA9oshtC/5s2QcG GT/FyalHfZoMDZFP2/j6gRTy/PC9meI5xeGxMaJiP3O+KxkFScUdU3hS4yRK671Q NLG2qb1VoZInzFk56v6hL49TpTj6uCLq4I8O8VywtjqahCKJbAtSAqtJtj9pGn89 RrXS1r3m3t0QgRZg6jI2u/D/t8Y8y+2mN9UBaUP8o/GtH7LBeh0n5ZOpOBsiYObE Lp1LU9oZnYQQ9M6Br4oyG5HJQAKRU8Yl9AdLSPkIDdFlgP9GMuHqMeTABAZ3ISYU FQvMkpTW8SDjnISszujNU9WEvvpsf//Dubfp3isSd0L6cuSrVvBxmMgUPi7TqM/p TxnWMd43DnTHEF0mdknHLqPPDlaD3pivbcVQ5w97dKYIcNKHv+TmvAeowfUYN2F5 bmKjfYkB70fAOmBbLDpvEo06YxFH8N3hm3LTXC1L0YLNqPYjURL/yh9IBGHQaFoA TU90nKQC03VRABIe3vpK5IRDEYaj+Dk7akVqbnPQRliz8gSVje8gqg0FCFrOcphD cDdsFroR3T81Kmc/OA3foOv3McnEnzTnIOUB/Pkss9lYTel0Kb/Jzvb1hNCli8TH Xmbs9QW9j6ouKzeuhUprx2vQ7HJliByVBwchX0InUYzVP9NIVl1MpUO7AaPz+S64 XjWIrLOAQ49kZ2xmnkVj =lA5B -----END PGP SIGNATURE----- --tGWrCDJ6hnqBuHX9taUi43m2RbVIcg0n9--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?530FE2E9.5010902>