Saturday, 2012-06-16

« Friday, 2012-06-15 Index Sunday, 2012-06-17 »
*** Joins: dhx1 (~anonymous@60-242-247-232.static.tpgi.com.au)00:34
*** Joins: paulr (~IceChat09@cpc1-enfi15-2-0-cust580.hari.cable.virginmedia.com)01:44
*** Quits: dhx1 (~anonymous@60-242-247-232.static.tpgi.com.au) (Remote host closed the connection)04:21
GitHub36[mantisbt] rombert pushed 1 new commit to master-1.2.x: http://git.io/5DpY3Q04:21
GitHub36[mantisbt/master-1.2.x] Fix #13415: cloning issue with attachments doesn't work  - Robert Munteanu04:21
GitHub31[mantisbt] rombert pushed 1 new commit to master: http://git.io/1osfDQ04:21
GitHub31[mantisbt/master] Fix #13415: cloning issue with attachments doesn't work  - Robert Munteanu04:21
*** Joins: dhx1 (~anonymous@60-242-247-232.static.tpgi.com.au)04:22
*** Quits: nextgens (~florent@freenet/developer/nextgens) (Quit: Reconnecting)08:26
*** Joins: nextgens1 (~florent@95.154.209.46)08:26
*** Quits: nextgens1 (~florent@95.154.209.46) (Client Quit)08:26
*** Joins: nextgens (~florent@freenet/developer/nextgens)08:28
nextgensdhx1> I have a few questions regarding the PBKDF2 patch08:29
dhx1nextgens: hi08:30
dhx1nextgens: fire away :)08:30
nextgensshould the number of iterations increase over time (taking into consideration moore's law)?08:30
nextgensis it acceptable for mantis will get slower and slower? - on the same hardware08:30
dhx1nextgens: my primary concern is avoiding a DoS attack (also see the reasoning by DJB's use of elliptic curve cryptography in DNSCurve)08:31
nextgenswell08:32
dhx1nextgens: at the rate technology improves, I'd rather we just encourage users to upgrade frequently08:32
dhx1nextgens: it is reasonable to expect that new security features in browsers/web applications will be produced fairly regularly08:33
dhx1nextgens: thus I'd rather we encourage users towards the path of remaining current with the times (this same philosophy holds true for the Linux kernel too)08:33
nextgenswhile I agree with you in theory, my experience has shown me that people don't upgrade08:34
nextgenshence I'm asking whether such a 'feature' makes sense08:34
dhx1I see where you're coming from08:34
nextgenshttp://code.bulix.org/m5ub4m-8166708:34
nextgensthat being said, I'd perfectly understand that some people feel that it'd be unacceptable for mantis to be gradually slower over time (on purpose)08:35
nextgensthe above is part of the patch I'm using08:36
dhx1nextgens: do you have an aim for the number of milliseconds worth of work that the key strengthening process uses?08:36
nextgensno, not right now08:36
dhx1*stretching08:36
nextgensI just use that formula08:36
nextgensphp's crypto is awfully slow08:37
dhx1indeed08:37
nextgensand it won't get PBKDF2 until 5.5 according to what I've read on php-dev recently08:37
nextgensand openssl's bindings suck08:37
nextgens(as in they're both incomplete and slow too)08:38
nextgensnow, from a practical standpoint, it'd be way easier to hardcode the number of iterations (so that I don't have to store it)08:38
nextgensbut then I feel that chosing what it should be will lead to heated debates08:39
dhx1nextgens: a good idea -- but also quite complex to implement -- would be to generate the iteration count based on:08:39
nextgens(how many cpu cycles should one consider wasting to handle a login attempt?)08:39
dhx11. maximum calculated compute speed of the server08:39
dhx12. required password validations/second (when also factoring in other workload on the server)08:39
dhx1or 2b. historical trends for validations/second... a self-learning algorithm08:40
paulrwow08:41
paulryour up late08:41
dhx1paulr: yes :)08:41
nextgensI've seen people use (1) in other software; personally I don't think it makes any sense08:41
paulrdhx1: when would make sense to release 2.0?08:41
paulr20/12/2012? :P08:41
dhx1nextgens: indeed, it is almost impossible to calculate in any meaningful way08:41
nextgensas what really matters is how much horsepower you should assume the attacker to have, rather than how much you're willing to spend08:42
nextgensnot to mention that it'll vary over time (or rather it'll be difficult to get an accurate measurement)08:42
nextgensthere's also a third approach that I've seen used08:43
nextgenshardcode the number of iterations and 'factor-in' your safety margin08:43
dhx1I prefer that approach of factoring in a safety margin for the next X years in advance08:43
nextgensie: assume the software will be deployed and not upgraded for X years, use that iteration count all the time08:43
nextgensok08:44
dhx1I just wish BASIC authentication was useful in some way so that browsers could do the busy work08:44
nextgensso that makes things simpler and leads to next question: what should be X and how many iterations does that give us? :p08:44
nextgensthere's some schemes like that08:45
nextgenswhere you can make the client/browser solve a hashcash per authentication attempt08:45
nextgensthat's how you solve the DoS problem08:45
dhx1yep08:45
* nextgens suggests to cross that bridge if that becomes a problem, not now08:46
dhx1I'm just concerned with putting a huge amount of security (very performance heavy) around the storage of passwords within MantisBT's database08:48
nextgenstime php test.php08:48
nextgensreal0m0.404s08:48
nextgensthat's 10k iterations of sha512 here on a slowish 32bits vm08:48
nextgenswith php 5.308:48
nextgensI think that's more than affordable, how much 'safety' margin do we want on top?08:48
dhx1when the more realistic threat is that an attacker can just read the passwords in cleartext (usually /var/www/example.com/mantisbt/... would be fairly easy for an attacker to modify)08:49
dhx1I'm concerned that 0.404s limits a MantisBT installation to a login rate of 1 attempt per second per core/CPU08:50
nextgensdhx1> I think that mantis should do its due dilligence to ensure that it's non-trivial for someone who gets hold of the db to crack all of the hashes08:50
dhx1(providing 60% overhead for other work the server is performing)08:50
dhx1agreed08:50
nextgensbut then again, in a typical workflow, users login only once08:50
nextgensand thanks to <other> bugs, they'll stay logged in forever08:51
nextgensit only starts to become a problem under active attack (online bruteforce) or really big setups08:51
dhx165k iterations is about 16 bits of added entropy08:51
nextgensthat takes 2s here08:52
dhx1I should try to work out what the entropy rate of real world passwords is08:52
nextgensI'm not sure how you find out 'added entropy' compared to 'number of iterations'08:52
nextgensit's unrelated I think08:53
nextgensunless you assume the attacker has the same 'cost' than you do08:53
nextgenswhich he obviously doesn't08:53
nextgenshe won't spend 60% of his ressources somewhere else, he won't use PHP08:53
dhx1entropy is actually the wrong word to use08:53
dhx1the point is that the size of a hardware cracking circuit (and more importantly, the cost) expands with a higher number of iterations08:54
nextgenshow big is the biggest known setup of mantis? how many users are registered? how many genuine logins/hour does such a system handle?08:54
dhx1so it'll take longer or be significantly more expensive, statistically speaking, to crack an average password08:54
nextgensdhx1> only linearly08:54
dhx1nextgens: indeed08:55
nextgenswhereas increasing the password's entropy increases the complexity exponentially08:55
nextgensbut users (don't/can't) do that08:55
dhx1nextgens: it won't be very high... open source bug trackers would be lucky to have over 100k bug reports... and most viewers will be anonymous08:55
dhx1nextgens: we're more database bound than anything else08:56
nextgensok08:56
nextgensso we can afford a high number of iterations08:56
dhx1yep08:56
* nextgens tries 100k08:56
dhx1:o08:56
nextgensthat's ~3s here08:56
dhx1if MantisBT was a C++ FastCGI application I'd be happier with 100k08:57
dhx1at this stage I would like to aim for 100ms calculation time on an average VPS node08:58
nextgenshmm08:58
dhx1the user could override if necessary08:59
nextgensthat'll be a very low amount of iterations08:59
nextgensdhx1> the idea was not to store that value08:59
nextgens(to make the patch simpler/less intrusive)08:59
dhx1I agree actually... I wouldn't make it a setting because it gets into the realm of micromanagement09:00
dhx1but a user could still hack the code themselves if they really wanted to (just boost the hardcoded iteration count)09:00
nextgens.1s is ~900 iterations here09:00
nextgensthat's very low by today's standards09:01
dhx1ugh, PHP = :(09:01
nextgensrfc2898 said use 1k in 200009:01
nextgens(for another hash method, but still)09:01
* nextgens would really like to see more than 10k iterations09:02
nextgens50k is 1.5s here (slow 32bits vm)09:03
nextgenssha512 is faster on 64bits09:03
nextgensas long as it's under 2s, I think that users won't notice09:03
dhx1for a typical MantisBT installation it should be OK09:04
nextgensok. sorted then. :)09:04
dhx1given that most users will be logged in via cookie09:04
dhx1(or anonymous)09:04
nextgensnext question09:05
nextgensthe salt:09:05
nextgenssame thing, I'd like to avoid having to store it09:05
dhx1and in terms of DoS protection -- there are far more expensive calls an anonymous user could do (resulting in database queries)09:05
dhx1the salt should be per-user though09:05
nextgensI was thinking hmac(magic_secret,username)09:05
nextgensany other idea?09:05
dhx1hmm09:05
nextgenswhere magic secret is a per-installation value09:06
nextgensthe username is immutable, right?09:06
nextgensalternatively I could use the row_id (an auto-increment field)09:06
dhx1nextgens: we don't provide a means in the UI to rename a user... but it would still be possible behind the scenes to do a rename09:07
dhx1the user_id is a better value to use09:07
nextgenssecurity wise, the salt is there to prevent rainbow-table attacks, it doesn't have to be random09:07
nextgensit has to be non-predictable, that's all09:07
dhx1yep09:07
nextgensdhx1> my scheme would let you rename the user, provided you reset his password09:08
nextgens(or know it)09:08
nextgensthe reason I didn't consider user_id is because code-wise it's a little less intrusive to use the username09:09
nextgens(the row is inserted in create_user, with the current patch I don't change that method at all)09:09
dhx1$g_crypto_master_salt already exists in the 'master' branch and is used as a secret key for the entire installation09:09
nextgensbut I'm happy to change the patch if you feel it's required09:10
nextgensyeah, that's the key of the hmac09:10
nextgensI don't think it's a good idea to use it as-is09:10
dhx1I think it'd be better to use user_id to prevent any future issues with renaming users, etc... a lot easier in the long run09:10
nextgensand we really want the salt to be different for each user09:10
dhx1nextgens: the idea of $g_crypto_master_salt was that it would never be used on it's own... it would always be used to derive other salts/etc09:11
nextgensyeah, makes sense09:12
nextgensok, so hmac(master_salt,user_id) is fine by me09:12
nextgensI'll update the patch accordingly09:12
dhx1nextgens: now you reminded me that I have to check we're using hmac() instead of just a standard hash function elsewhere in MantisBT for deriving values from $g_crypto_master_salt09:12
nextgensdhx1> I've got two things I'd like to see corrected (will submit different patches)09:13
dhx1nextgens: we're currently using the Whirlpool hash function (AES-like)09:13
nextgens1) new password generation is weak09:13
dhx1nextgens: I assume you're referring to 1.2.x for (1)?09:14
nextgensany specific reason?09:14
nextgensyeah, on 1.209:16
nextgensauth_generate_confirm_hash is a case where you should use hmac rather than hash09:16
dhx1nextgens: something different... + it was recommended by the NESSIE project09:16
nextgens(on 1.3)09:17
dhx1yep09:17
nextgensnot to mention that 384bit of entropy is a waste09:17
dhx1nextgens: it's more of a convenience that divides nicely into a base64 encoded string that doesn't need any padding09:18
dhx164 characters of base64 encoded output09:18
dhx1192bit is probably better though (32 characters output)09:19
dhx1(in base64 encoding)09:19
nextgensdhx1> it's a slow hash function with no obvious additional security property to SHA-2 candidates09:20
nextgensi'd use sha512 if I were you09:20
nextgensdhx1> anything above 128bits is good enough, shorter URLs/cookies are better09:20
nextgensthe cookie will have to be sent for every single request09:21
dhx1http://www.cryptopp.com/benchmarks.html09:21
nextgensreally, you want it small ranther than big09:21
dhx1Whirlpool = 57MiB/s, SHA-512 = 99MiB/s in that test09:21
dhx1yes09:21
nextgensthat's c++ on old cpus09:22
dhx1indeed... but still demonstrates relative differences09:22
nextgenssha512 is twice faster ;)09:23
dhx1... and also far more likely to have a vectorised x86_64 implementation :)09:23
nextgensI'd understand the choice if we were talking about the password-storage (where we want it slow), but not the 'unique-url' generation09:23
nextgensI'm happy to use whirlpool for password storage if you think it's usefull09:24
dhx1I'd rather switch to SHA-209:24
nextgensok09:24
nextgenswill send a patch for that too then09:25
dhx1but really don't care too much :)09:25
nextgensthere's no dependancy here, it's easy09:25
dhx1yep09:25
nextgensok, I'm out of questions for now, thanks for the input09:25
nextgens:)09:25
dhx1sounds good so far :)09:25
dhx1I was playing around with PostgreSQL's RBAC (role based access control) features the other day... not sure it's flexible enough for use with MantisBT though09:26
dhx1+ we really need row-level access control for private bugs09:27
dhx1I've got to head off for now09:30
dhx1will be back later if you have further questions09:31
dhx1what you've done so far sounds very promising :)09:31
dhx1thanks09:31
*** Joins: dregad (~dregad@239-26.76-83.cust.bluewin.ch)14:43
*** Quits: dregad (~dregad@239-26.76-83.cust.bluewin.ch) (Quit: We be chillin - IceChat style)15:29
*** Joins: dregad (~damien@239-26.76-83.cust.bluewin.ch)15:39
*** Quits: dregad (~damien@239-26.76-83.cust.bluewin.ch) (Client Quit)15:42
*** Joins: dregad (~damien@239-26.76-83.cust.bluewin.ch)15:59
*** Quits: dregad (~damien@239-26.76-83.cust.bluewin.ch) (Remote host closed the connection)15:59
*** Joins: dregad (~damien@239-26.76-83.cust.bluewin.ch)15:59
*** Quits: dregad (~damien@239-26.76-83.cust.bluewin.ch) (Quit: Ex-Chat)16:31
*** Quits: paulr (~IceChat09@cpc1-enfi15-2-0-cust580.hari.cable.virginmedia.com) (Quit: Friends help you move. Real friends help you move bodies.)16:34
*** Quits: sdfjkljkdfsljkl (~sdfjkljkd@static.96.23.63.178.clients.your-server.de) (Remote host closed the connection)17:00
*** Joins: sdfjkljkdfsljkl (~sdfjkljkd@static.96.23.63.178.clients.your-server.de)17:00
« Friday, 2012-06-15 Index Sunday, 2012-06-17 »

Generated by irclog2html.py 2.10.0 by Marius Gedminas - find it at mg.pov.lt!