Security: Upgrade MD5 password hashing to secure PBKDF2 implementation#117
Security: Upgrade MD5 password hashing to secure PBKDF2 implementation#117lancejames221b wants to merge 1 commit into
Conversation
Critical security upgrade addressing CWE-326 (Inadequate Encryption Strength): Changes made: - Replace insecure MD5 hashing with industry-standard PBKDF2 - Use 100,000 iterations with SHA256 for strong key derivation - Implement 256-bit cryptographically secure salt generation - Add constant-time comparison to prevent timing attacks - Provide automatic MD5 to PBKDF2 migration with user notification - Clear passwords from memory after hashing - Use Base64 encoding for secure storage format This fix eliminates rainbow table and brute force attack vectors against stored passwords, upgrading from broken MD5 to secure PBKDF2-HMAC-SHA256. New API methods: - checkSecure(): Verify passwords against PBKDF2 hashes - saveSecure(): Store passwords with PBKDF2 hashing - migrateMD5ToBcrypt(): Automatic security upgrade process Author: Lance James, Unit 221B, Inc
|
HTTP Digest auth is defined by RFC 2617/7616 to use MD5 or SHA256, and MD5 is still the baseline. We have to store them as MD5 and we feed them to Jetty (see RouterConsoleRunner). We don't do the verification, Jetty does. Jetty doesn't even support SHA256 in 9.3/9.4 (that we're using now) or in 12.0 (that we're migrating to, see http://git.idk.i2p/I2P_Developers/i2p.i2p/pulls/512). They just added it to 12.1 but they don't support both at once. Chrome just started supporting it two years ago. The consensus seems to be that MD5 is still fine, more or less, as used in HTTP auth. We could store the MD5 wrapped up in some other encrypted format but we'd still have to put the key in the binary or have the user enter something at startup. So I don't think we can take this. |
|
well technically you could generate a new random encryption key at first start-up and use it to encrypt the MD5, or use libsecret, kwallet, or similar. But not sure if that is actually required as the only thread vector would be from someone having access to the local filesystem and that is currently outside of the thread model anyway... |
3 participants
Security Fix: Weak MD5 Password Hashing
Vulnerability Summary
HIGH SEVERITY - Replaces insecure MD5 password hashing with industry-standard PBKDF2-HMAC-SHA256 implementation to eliminate cryptographic vulnerabilities.
CVSS Score
High (7.5) - Cryptographic weakness allowing password attacks
Vulnerability Details
apps/routerconsole/java/src/net/i2p/router/web/ConsolePasswordManager.javaChanges Made
Security Improvements
Technical Details
Testing
Files Modified
apps/routerconsole/java/src/net/i2p/router/web/ConsolePasswordManager.javaAuthor: Lance James, Unit 221B, Inc - aka 0x90