[TYPO3-project-4-3] Salted Passwords in Combination with RSAauth

Steffen Ritter info at rs-websystems.de
Sun Jun 14 20:58:34 CEST 2009


Dmitry Dulepov wrote:
>>
>> Dmitry found a "workaround" for this, which will only work with
>> plain and md5 passwords, not with salted or any other encryption, which
>> won't always return the same result (details follow).
> 
> I do not think the above is correct. Rsaauth will process any evaluation that is registered with TCEmain. So if saltedpw implements a TCEmain evaluation, RSAAuth should work with it. t3sec_saltedpw did not work because it has checks for the "loginLevel" settings. It expects to see "normal" there and refuses to run if it sees "rsa". That was the problem as I discovered it.
> 

So you did not get it... First, we do not speak about t3sec_saltedpw. So 
level "rsa" activates the new extension. The evaluation is executed as 
you say it should.
So let's go into details:
The eval function of TCE is meant to process the plain value into the value 
which is stored in the DB. Two possibilities: JS or PHP.
So what does the evaluation do in saltedpasswords? It encrypts the 
password.
With md5 this will always be the same: md5(test) will always be md5(test).
When you enter a new password it has to get encrypted... this will 
happen with a random salt! So salt(test) will (nearly) never be the same 
as salt(test).

So what does your test do: it calls the eval function which would be 
used for a new password, so it's hashed with a random salt.
Then you pass the salted hash to the most basic auth service, which 
compares it to the value in the DB (which has been hashed with another salt).

So I'm sorry: this approach would never work for salted things...

>> I did a small fix in checkAuthentification (which really won't hurt
>> anybody) and therefore this works, and rsaauth can be cleaned up by many
>> lines...
> 
> -3 and +1 lines in your patch. But I am not sure if this change is correct. I deliberately passed the evaluation of the password to the default service. It allows to reuse the existing code. I do not understand the meaning of the added line and removed lines are wrong.

The service stuff is supposed to act like: if one fails, go to the next 
one... With your -1 you disable all following services... This is against 
the principle, and if I want to use a service after yours, there's no other 
possibility.

The line I added: just an update of the sent password in the auth class.
> 
> If the login level is set to the RSA, RSA service is the only one who can authenticate the user.

That's wrong... It's against the service priority system.
And indeed, rsaauth is no real auth service but a securing of the 
communication channel... So it has highest priority for decrypting the 
received data... But evaluating against the DB is the task of a "real" 
auth service... May it be the "standard" one (which will take care of md5 
or plain) or any service level in between.

> Salted passwords must be evaluated as TCEmain evaluations and then they will work with RSA service.
> 

As I hopefully explained in enough detail, it won't work :)

>> So --> the only thing the rsa service has to do: save the decrypted
>> password to the parent object and let the normal auth services do their
>> job...
> 
> I think it is dangerous. It means that the password may become available to any intermediate code. I do not like it :(
> 

So you say: it's dangerous to give the auth services a submitted password?
It stays in the auth lib...
Or in detail... It's the same as the auth lib itself does for the 
hardcoded security levels.


>> The attached patch for rsaauth is without cleanup of stuff which is not
>> needed anymore, because I did not want to mix up things... so there is
>> just a change in storing the data and handing it around to other services.
> 
> Please, do not clean up anything there. There is only necessary code and each line of it is truly necessary. During the review of this code I got proposals to clean up some lines, I explained why they are there and we all agreed they are necessary. By removing something from there, you risk breaking this module.
> 
... Sounds like "don't doubt any of my code, I'm right all the time" 
to me... So I don't know what I should say to this...

regards

Steffen
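The salt argument made in the message above, as an added example that is not part of the original thread and not code from TYPO3, rsaauth or saltedpasswords: an unsalted md5 evaluation is deterministic, so re-running it on the submitted password and comparing with the database value works; a salted evaluation draws a fresh random salt on every run, so the same comparison fails even for the correct password, and an auth service that receives the decrypted plain password has to re-hash with the salt taken from the stored value instead. Python is used here only as a language-neutral illustration; the `$pbkdf2-sha256$<salt>$<digest>` storage format, the function names and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed storage format for this example (an assumption, not the
# saltedpasswords format): "$pbkdf2-sha256$<salt hex>$<digest hex>".
ALGO = "pbkdf2-sha256"
ITERATIONS = 10_000


def md5_evaluate(plain: str) -> str:
    """Unsalted evaluation: the same input always yields the same value, so
    running it again on the submitted password and comparing with the DB works."""
    return hashlib.md5(plain.encode("utf-8")).hexdigest()


def salted_evaluate(plain: str, salt: Optional[bytes] = None) -> str:
    """Salted evaluation as a TCE-style eval would run it for a *new* password:
    with no salt given, a fresh random one is drawn, so two calls on the same
    password give different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, ITERATIONS)
    return f"${ALGO}${salt.hex()}${digest.hex()}"


def naive_auth(submitted_plain: str, stored: str) -> bool:
    """The approach criticised in the mail: run the new-password evaluation on
    the submitted value and compare the result with what is in the DB.
    Works for md5, fails for salted hashes because the salts differ."""
    if stored.startswith("$"):
        candidate = salted_evaluate(submitted_plain)  # random salt, not the DB's
    else:
        candidate = md5_evaluate(submitted_plain)
    return hmac.compare_digest(candidate, stored)


def salted_auth(submitted_plain: str, stored: str) -> bool:
    """What a "real" auth service must do with the decrypted plain password:
    take the salt out of the stored value, re-hash with *that* salt, compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != ALGO:
        return False  # not a value this service understands; let the next one try
    try:
        salt = bytes.fromhex(parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(salted_evaluate(submitted_plain, salt), stored)


def demo() -> dict:
    """Run the four cases the discussion is about, with 'test' as the password."""
    stored_md5 = md5_evaluate("test")
    stored_salted = salted_evaluate("test")
    return {
        "md5_naive": naive_auth("test", stored_md5),          # True
        "salted_naive": naive_auth("test", stored_salted),    # False: other salt
        "salted_proper": salted_auth("test", stored_salted),  # True
        "salted_wrong_pw": salted_auth("wrong", stored_salted),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

`naive_auth` returning False for a correct salted password is exactly the "hashed with another salt" mismatch described above; the comparison only becomes meaningful once the service that sees the plain password also sees the stored salt.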

