
New old vulnerability: Firefox password manager has been using outdated SHA-1 for 9 years

AdBlock Plus creator Wladimir Palant discovered a vulnerability in the Firefox browser and the Thunderbird mail client that allows the master password to be recovered by brute force. The source of the problem is the SHA-1 hashing mechanism used.

More details about the vulnerability below.


/ photo by Z Jason CC

The essence of the problem


In his blog, Palant describes the operation of the sftkdb_passwordToKey() function, which converts a user's password to an encryption key by hashing a string containing the salt and the master password itself. SHA-1 is used as the hashing algorithm.

The problem is that Firefox and Thunderbird apply the hash function only once, although generally accepted industry practice involves at least 10 thousand iterations. LastPass, for example, uses 100 thousand.

Modern GPUs calculate SHA-1 hashes extremely well. For example, one Nvidia GTX 1080 graphics card computes 8.5 billion SHA-1 hashes per second. According to a Microsoft study, the password of an ordinary user has a strength of about 40 bits. Guessing it therefore takes about 2^39 attempts, which means that cracking a password of average complexity takes about a minute.
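The arithmetic above, and what an iteration count changes, as an added Python example (not code from Firefox, NSS or Palant's post). It assumes a simplified model of the single-pass scheme (SHA-1 over salt followed by password) and uses PBKDF2-HMAC-SHA256 from the standard library as the iterated alternative; that choice, the function names and the sample salt and password are assumptions of this example.

```python
import hashlib
import os

GPU_SHA1_PER_SEC = 8.5e9   # GTX 1080 figure quoted in the article
PASSWORD_BITS = 40         # average password strength quoted in the article


def single_sha1_key(salt: bytes, password: bytes) -> bytes:
    """Simplified model of the scheme described above: one SHA-1 over salt + password."""
    return hashlib.sha1(salt + password).digest()


def stretched_key(salt: bytes, password: bytes, iterations: int) -> bytes:
    """Iterated derivation (PBKDF2-HMAC-SHA256, chosen here for illustration)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def expected_crack_seconds(bits: int, iterations: int,
                           hashes_per_sec: float = GPU_SHA1_PER_SEC) -> float:
    """Average time to search half of a 2**bits password space.

    Assumes each iteration costs one hash at the quoted GPU rate; a real
    PBKDF2 iteration costs more, so the iterated figures are lower bounds.
    """
    guesses = 2 ** (bits - 1)
    return guesses * iterations / hashes_per_sec


def report() -> dict:
    """Seconds of guessing work per iteration count, for a 40-bit password."""
    return {n: expected_crack_seconds(PASSWORD_BITS, n) for n in (1, 10_000, 100_000)}


if __name__ == "__main__":
    salt = os.urandom(16)          # constructed sample salt
    password = b"correct horse"    # constructed sample password
    print("single SHA-1 key:", single_sha1_key(salt, password).hex())
    print("PBKDF2 key      :", stretched_key(salt, password, 100_000).hex())
    for n, secs in report().items():
        print(f"{n:>7} iterations: {secs:,.0f} s (~{secs / 86400:,.2f} days)")
```

With one iteration the estimate is about 65 seconds; 10 thousand iterations raise it to roughly a week and 100 thousand to roughly two and a half months for the same password and hardware.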

Not the first bug report


Justin Dolske reported this vulnerability to Mozilla nine years ago by filing a bug report. Justin pointed out to the developers that such a small number of hash function iterations poses a threat to the security of browser users. However, for some reason the problem remained unsolved.

The irony is that SHA-1 was still part of the browser even after Mozilla stopped supporting websites with certificates using this hashing algorithm in October 2016.

The main reason was the possibility of collisions, a phenomenon in which two different blocks of data produce an identical hash. This would allow such certificates to be replaced with forged ones. Experts raised the possibility of a collision attack in 2012, predicting that by 2021 the resources needed to carry it out would be within reach of ordinary computer systems used in research institutes.

And in early 2017, Google announced the first successful collision attack. As a result of the experiment, the Google team was able to get two identical hashes for two different PDF documents. To launch the attack, engineers first created a PDF prefix, and then used Google's extensive technical resources to calculate the collision. In total, the company performed 9 quintillion SHA-1 computations.

Following Google's successful demonstration of the collision attack, information security specialists were advised to start using the more secure SHA-256 and SHA-3 hashing algorithms as soon as possible.



Potential problem solution


A response from Mozilla came only after Wladimir Palant "resurrected" Justin Dolske's nine-year-old bug report. In response, the developers noted that the vulnerability will be fixed with the release of Lockbox, a new component for the password manager. For now the utility is available as a separate extension that depends on Firefox Accounts.

However, Palant himself suggested that the developers solve the problem by adopting the Argon2 hashing algorithm, which makes multiple passes over memory. Argon2 was announced as the winner of the Password Hashing Competition in 2015, a competition whose participants developed a new password hashing function.

First, Argon2 hashes the password using the Blake2b hash function. The hash result is written to memory blocks, which are converted using the G compression function (it accepts two 8192-bit blocks as input, and outputs a 1024-bit block), and the key is generated as a result.

The function is optimized for the x86 architecture and takes advantage of the cache and memory organization of Intel and AMD processors. Argon2 also lets you configure the number of iterations, the size of the result, the secret key, and so on.




Source: https://habr.com/ru/post/352380/

