[TYPO3-dev] Password handling (Regarding youngest security issues)
Xavier Perseguers
typo3 at perseguers.ch
Fri Nov 14 17:53:24 CET 2008
Hi,
>> Ok.. these are my thoughts.
>>
>> I'd be glad to get some feedback.
>>
>> Sebastian G.
> Good idea:
> the Install tool already has this option "Encryption key:"
> and it's used for cHash atm.
>
> Maybe use crypt with an extra salt instead of md5 - because in theory
> there are algorithms that can "calculate" some origins for a md5 hash imho.
The point of using md5 at all is that it is also available as a
JavaScript library, which allows this cool feature of encrypting the
password on the way to TYPO3 from the BE login (it should be, as said, the
default option for FE login too). Changing the encryption means finding a
compatible library in JS. As there is still no md6 library available, we
may stick to sha1, which should be available in JS.
Now another point is the challenge-response of the BE login form in
superchallenge mode, for instance. The way it works is as follows:
TYPO3 sends a challenge as part of the form; the "password" or hash that
is sent back is

hash = MD5( username :: MD5( password ) :: challenge )

where :: stands for concatenation.
This way, the auth service is able to recreate this hash and compare it.
The password stored in the DB is the MD5( password ) part of the hash
function above.
If you want to salt your password with a domain key, e.g. the
encryption key as proposed by Daniel, then you won't be able to
calculate this hash, as the hash calculated by TYPO3 will be

hash_TYPO3 = MD5( username :: MD5( salted-password ) :: challenge )

which would force you to send the salt within the BE login form, which
you don't want, of course.
--
Xavier Perseguers
http://xavier.perseguers.ch/en