Title: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: theymos on June 03, 2012, 06:01:26 AM The forum will pay 40 BTC for a patch to SMF version 1.1.16 upgrading password hash security.
You should use these PHP functions I've written for doing the actual hashing: Code: //salted SHA-256 with 7500 rounds You need to do this: - In LogInOut.php, upgrade SMF SHA-1 hashes to these new hashes automatically. Also, update any passwords that pass password_is_valid() but have a different CRYPT_PARAMS prefix than is being used currently. - Change all old password comparisons to the new method. - Wherever passwords are updated, use newpass() instead of SMF's method. - Thoroughly test all aspects of this modification. I am mostly paying someone to do this change instead of doing it myself because bugs in this would create a huge mess and I therefore want someone more experienced in software testing to do it. Hint: SMF has a "salt" column in the database and a "passwordSalt" variable, but these aren't actually used for password hashing. You only need to deal with the "passwd" column/variable. PM me or post here if you're interested. I will pick the best candidate in a week or two. You should only apply if you're already pretty well-trusted in the community. (Do not post in this thread about how you prefer another hashing method.) Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: M4v3R on June 07, 2012, 11:42:34 AM I have some experience with SMF v1.1 mods, and I run a Bitcoin exchange (built with PHP) which already uses proper password security. So I can provide the extension you need.
Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: publio on June 07, 2012, 08:01:45 PM If you're creating salts, you may want to use a CSPRNG. So, you want /dev/random instead of urandom.
Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: theymos on June 07, 2012, 08:24:42 PM If you're creating salts, you may want to use a CSPRNG. So, you want /dev/random instead of urandom. /dev/urandom is more than sufficient. It's not very important for the salt to be unpredictable. Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: publio on June 08, 2012, 12:08:47 AM It's considered best practice to use CSPRNGs for any cryptography, including salts. Predictable salts may offer protection against rainbow tables.. Maybe it protects against "theoretical attacks"?
Take a look at this page: http://books.google.com/books?id=QJNoykS0Tv4C&lpg=PT199&ots=JN9mj5AsnT&dq=salt+csprng&pg=PT199&redir_esc=y#v=onepage&q&f=false (http://books.google.com/books?id=QJNoykS0Tv4C&lpg=PT199&ots=JN9mj5AsnT&dq=salt+csprng&pg=PT199&redir_esc=y#v=onepage&q&f=false) It turns out that urandom is also cryptographically secure. :D The php function, mt_rand(), for example, is not. Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: live627 on June 12, 2012, 08:51:36 PM Do you want a direct file edit or a modification format that the package manager can use? I'm comfortable with both; however, the latter could be a no-go for you for obvious security reasons.
Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: AndyRossy on June 13, 2012, 12:33:40 AM has the candidate for this been chosen yet theymos?
Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: theymos on June 13, 2012, 01:02:32 AM has the candidate for this been chosen yet theymos? No. Do you want a direct file edit or a modification format that the package manager can use? I'm comfortable with both; however, the latter could be a no-go for you for obvious security reasons. Either is fine. I was thinking a non-modification patch, since that seems much easier to write. Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: live627 on June 13, 2012, 03:37:09 AM I'm willing to do this.
Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: error on June 16, 2012, 03:09:26 PM Just saw this post. I've taken a quick look and I believe I can do this as an SMF mod. Among my other qualifications I help run another SMF forum (http://bbs.freetalklive.com/profile/?u=1551) you may have heard of.
Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: theymos on June 18, 2012, 04:10:40 AM I've offered the job to error.
Thanks to all applicants for your interest! Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: error on July 11, 2012, 12:42:39 AM This probably doesn't even need to be said, but theymos paid on time and in full. Not to mention it was a pleasure to work with him on this little project. I'm happy, and I am standing by in case there are any unforeseen issues.
Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: theymos on July 11, 2012, 12:53:27 AM This probably doesn't even need to be said, but theymos paid on time and in full. Not to mention it was a pleasure to work with him on this little project. I'm happy, and I am standing by in case there are any unforeseen issues. Thank you for your nice work on this. Title: Re: SMF modification needed -- upgrade password hash security -- 40 BTC Post by: Maged on July 11, 2012, 07:31:42 AM Fantastic job on this, both of you!
|