-
Description:
Key stretching issue may lead to brute-force attacking a password
-
Reproduction Procedure:
Attempt a password hash after setting 31 as the parameter for
salt generation.
For example: BCrypt.hashpw("pass", BCrypt.gensalt(31));
int log_rounds, which is the parameter for the gensalt method
is used to increase the calculations against the password
hash by '2 ^ log_rounds'.
A calculation of '2 ^ 31' requires some time, which increases
its resistance against brute-force attacks. However, an issue
in jBCrypt results in the calculation taking place with round 0,
and the hash calculation is completed right away.
The implementation of BCrypt alerts users to specify round
from 4 - 31 so that round 0 is not used. An error should occur
when specifying a value outside of that range. However, this
restriction is not applied in this particular case.
[Possible Impacts]
-
A user not knowing about this issue may set the number of
rounds to the maximum, 31 and mistakenly believe that a strong
password hash has been generated. This password hash is
susceptible to brute-force attacks.
[Possible Workarounds]
-
Specify a value up to 30 for parameter in the
BCrypt.gensalt(int log_rounds) method.
30 rounds results in a calculation of '2 ^ 30' which should
result in sufficient strength.
(My Core i 5.1.7GHz machine did not respond, so round 31 is
probably not practical for use)
Also 10 rounds is sufficiently stronger than 0 rounds. 10
rounds is the default value, when a value is not specified.
Thus, a user does not necessarily need to specify 31 rounds
in jBCrypt or PicketLink.
|
