[TYPO3-dev] Password handling (Regarding youngest security issues)

Martin Kutschker masi-no at spam-typo3.org
Fri Nov 14 21:33:09 CET 2008


Christoph Blömer schrieb:
> Martin Kutschker schrieb:
>> Xavier Perseguers schrieb:
>>  
>>> Now another point is the challenge response from the BE login form in
>>> superchallenge mode for instance. The way it works is following:
>>>
>>> TYPO3 sends a challenge as part of the form, the "password" or hash that
>>> is sent back is
>>>
>>> hash = MD5( username :: MD5( password ) :: challenge )
>>>
>>> where :: stands for concatenation.
>>>
>>> This way, the auth service is able to recreate this hash and compare it.
>>> The password stored in the DB is the MD5 ( password ) part of the hash
>>> function above.
>>>
>>> If you want to salt your password with a domain key, e.g., the
>>> encryption key as proposed by Daniel, then you won't be able to
>>> calculate this hash as the hash calculated from TYPO3 will be
>>>
>>> hash_TYPO3 = MD5( username :: MD5( salted-password ) :: challenge )
>>>
>>> which will force you to send the salt within the BE login form, which
>>> you don't want of course.
>>>     
>>
>> Of course you don't.
>>
>> If we make the salt optional we can rely on SSL for transport security.
>>
>> If you have external password mechanisms (like LDAP authentication) you
>> have also to turn superchallenge mode off. To me it is ok that I have to
>> use SSL to get some extra protection within my storage system against
>> data theft.
>>
>> Masi
>>   
> First of all, Typo3.org needs https to prevent capturing our password.
> Sending an md5 which is calculated by JS doesn't make sense at all.

Don't mix up BE and FE authentication!

> Somebody can capture the md5 and send it to the server to login.

I think no one has suggested to do this for FE login. Superchallenged
works only for BE and uses a one-time challenge, so it won't help you to
intercept the hashed password. It won't be accepted a second time so you
cannot replay the login.

> This would make sense only when the server sends a unique challenge key
> for each login.

See above.

Masi
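The superchallenge scheme Xavier spells out above (hash = MD5( username :: MD5( password ) :: challenge )), Masi's point that a consumed one-time challenge defeats replay of a captured hash, and the reason a salted stored hash cannot be verified without shipping the salt in the form, modelled as an added Python example. This is not TYPO3's own auth service code; it assumes "::" is plain string concatenation with no separator, hex MD5 digests, a random per-form challenge, and a dict standing in for the be_users table. The names AuthServer, client_response, login_then_replay and salted_storage are the example's own.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    """MD5 hex digest of a UTF-8 string, i.e. the thread's MD5( ... )."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def client_response(username: str, password: str, challenge: str) -> str:
    """What the BE login form sends back: MD5( username :: MD5( password ) :: challenge ).

    Assumption (not stated in the thread): '::' is plain concatenation, no separator.
    """
    return md5_hex(username + md5_hex(password) + challenge)


class AuthServer:
    """Toy server side of superchallenge mode (constructed for this example).

    `stored` maps username -> the value kept in the DB: MD5( password ) for the
    plain scheme, MD5( salt :: password ) for the salted variant.
    """

    def __init__(self, stored: dict[str, str]) -> None:
        self.stored = dict(stored)
        self.open_challenges: set[str] = set()

    def issue_challenge(self) -> str:
        # Fresh random challenge embedded in the login form; valid exactly once.
        challenge = secrets.token_hex(16)
        self.open_challenges.add(challenge)
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        # A challenge that was never issued, or was already consumed, is rejected:
        # this is what stops a captured response from being accepted a second time.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        db_hash = self.stored.get(username)
        if db_hash is None:
            return False
        # Recreate the hash from the stored MD5( password ) and compare.
        expected = md5_hex(username + db_hash + challenge)
        return hmac.compare_digest(expected, response)


def login_then_replay(username: str = "admin", password: str = "s3cret") -> tuple[bool, bool]:
    """First login succeeds; re-sending the same captured response fails."""
    server = AuthServer({username: md5_hex(password)})
    challenge = server.issue_challenge()
    response = client_response(username, password, challenge)  # what goes over the wire
    first = server.verify(username, challenge, response)
    replay = server.verify(username, challenge, response)      # same pair, sent again
    return first, replay


def salted_storage(username: str = "admin", password: str = "s3cret",
                   salt: str = "encryptionKey") -> tuple[bool, bool]:
    """Why salting the stored hash breaks the scheme.

    The DB holds MD5( salt :: password ). A client that does not know the salt
    computes MD5( password ) and never matches; only a client that was handed
    the salt (i.e. the salt is sent within the login form) can match.
    """
    server = AuthServer({username: md5_hex(salt + password)})

    challenge = server.issue_challenge()
    without_salt = server.verify(
        username, challenge, client_response(username, password, challenge))

    challenge = server.issue_challenge()
    with_salt = server.verify(
        username, challenge, client_response(username, salt + password, challenge))
    return without_salt, with_salt


if __name__ == "__main__":
    print("login, replay:", login_then_replay())            # (True, False)
    print("salted: w/o salt, with salt:", salted_storage())  # (False, True)
```

The server never sees the password, only MD5( password ) folded into a challenge-bound hash, which is why the stored value has to be exactly MD5( password ) and why an unsalted DB is the price of this mode when the transport is not SSL.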
