Description:
A key stretching issue may allow brute-force attacks against a password
Reproduction Procedure:
Hash a password after passing 31 as the parameter for salt generation. For example: BCrypt.hashpw("pass", BCrypt.gensalt(31));
The int log_rounds parameter of the gensalt method raises the cost of computing the password hash to '2 ^ log_rounds' calculations. A calculation of '2 ^ 31' takes some time, which increases resistance to brute-force attacks. However, an issue in jBCrypt causes the calculation to run with round 0, so the hash calculation completes right away.
The BCrypt implementation tells users to specify a round value from 4 to 31 so that round 0 is not used, and a value outside that range should raise an error. However, this restriction is not applied in this particular case.
[Possible Impacts]
A user who does not know about this issue may set the number of rounds to the maximum, 31, and mistakenly believe that a strong password hash has been generated. This password hash is susceptible to brute-force attacks.
[Possible Workarounds]
Specify a value up to 30 for the parameter of the BCrypt.gensalt(int log_rounds) method. 30 rounds results in a calculation of '2 ^ 30', which should give sufficient strength. (My Core i5 1.7GHz machine did not respond, so round 31 is probably not practical for use.)
Also, 10 rounds is sufficiently stronger than 0 rounds. 10 rounds is the default value when a value is not specified. Thus, a user does not necessarily need to specify 31 rounds in jBCrypt or PicketLink.
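The range check from the workaround, together with a scan of stored hashes for an unsafe cost field, as an added example that is not jBCrypt or PicketLink code. It assumes the round count is held in a 32-bit int (the report does not state the cause); LogRoundsGuard and its methods are hypothetical names, and the sample hash strings are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; not jBCrypt or PicketLink code. All names here are hypothetical.
public class LogRoundsGuard {
    static final int MIN_LOG_ROUNDS = 4;        // lower bound stated in the report
    static final int MAX_SAFE_LOG_ROUNDS = 30;  // workaround ceiling from the report

    // bcrypt string layout: $2a$<2-digit cost>$<22-char salt><31-char hash>
    private static final Pattern BCRYPT =
        Pattern.compile("^\\$2[a-z]?\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    // ASSUMPTION: models an iteration count kept in a 32-bit int.
    // 1 << 31 wraps to Integer.MIN_VALUE, so "for (i = 0; i < rounds; i++)" never runs.
    static int loopPasses(int logRounds) {
        int rounds = 1 << logRounds;
        return Math.max(rounds, 0);
    }

    // Validate a configured cost before it is handed to BCrypt.gensalt(int).
    static int checkedLogRounds(int requested) {
        if (requested < MIN_LOG_ROUNDS || requested > MAX_SAFE_LOG_ROUNDS) {
            throw new IllegalArgumentException("log_rounds out of range 4..30: " + requested);
        }
        return requested;
    }

    // Flag stored hashes whose cost field is outside the safe range, so they can be
    // re-hashed at the user's next successful login.
    static boolean needsRehash(String stored) {
        Matcher m = BCRYPT.matcher(stored);
        if (!m.matches()) return true;  // unparseable: treat as needing attention
        int cost = Integer.parseInt(m.group(1));
        return cost < MIN_LOG_ROUNDS || cost > MAX_SAFE_LOG_ROUNDS;
    }

    public static void main(String[] args) {
        // Constructed strings with filler salt/hash characters, not real password hashes.
        String filler = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.";  // 53 chars
        System.out.println("passes at 10: " + loopPasses(10));
        System.out.println("passes at 31: " + loopPasses(31));
        System.out.println("cost 10 needs rehash: " + needsRehash("$2a$10$" + filler));
        System.out.println("cost 31 needs rehash: " + needsRehash("$2a$31$" + filler));
        try {
            checkedLogRounds(31);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```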