[Owncloud] Salt

Frank Karlitschek frank at owncloud.org
Fri Jun 8 09:40:00 UTC 2012


On 08.06.2012, at 11:19, Andreas Schneider <asn at cryptomilk.org> wrote:

> On Friday 08 June 2012 10:30:54 Frank Karlitschek wrote:
>> Hi Andreas,
> 
> Hi Frank,
> 
>> thanks for the hint. Waiting for your patch ;-)
>> 
>> The challenge is that we can't implement it as usual and put a salt into the
>> code. This would be useless because the code is open source.
>> 
>> So the salt has to be different for every installation. We could generate a
>> random salt during installation and store it in the config file. The admin
>> has to understand that the user database can't be migrated to a different
>> host without the config.php entry.
> 
> that's the way to do it. Why?
> 
> a) SQL injections are the most likely attack
> b) You can even store the salt (nonce) next to the password hash in the 
> database. Salting makes it really hard to use a rainbow table to brute force 
> the password. You need the most time to create the rainbow table with the 
> salt.
> 
> http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
> 
>> This is not a protection if the server
>> is completely cracked as the one from linkedin was because the salt is
>> stored in cleartext on server.
> 
> Well, if the server is completely cracked there is no protection at all. I 
> change the code and dump the cleartext passwords.
> 
>> Obviously this only help if someone used the
>> internal ownCloud usermanagement and has no effect if LDAP or any other
>> user backend is used.
> 
> Well in this case LDAP is responsible for storing the passwords securely.
> 
>> 
>> 
>> Suggestions?
> 
> See above.


O.K. I will add an option in the config.php file to set a salt which will be used to hash the passwords.
This salt will be auto generated during setup.
This means of course that your user accounts are lost if you only delete the config file but not the database.
But this is probably the price of security.


Frank





> 
> 
> 	-- andreas
> 
> -- 
> Andreas Schneider                   GPG-ID: F33E3FC6
> www.cryptomilk.org                asn at cryptomilk.org
> 
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
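The scheme the thread converges on can be illustrated in a few lines. The following is an added example written for this archive page, not ownCloud's own code; it combines the two ideas raised above, a per-user random salt stored next to the hash (Andreas's point b) and an installation-wide secret generated at setup and kept only in the config file (Frank's config.php entry), so it goes slightly beyond the single config salt the thread settles on. All function names, the `$`-separated storage format and the iteration count are assumptions made for the example.

```python
"""Password storage with a per-user salt plus an installation-wide secret.

Added illustration for the ownCloud "Salt" thread, not project code.
The per-user salt lives in the database row; the install secret lives
only in the configuration file, so a dump of the user table alone is
not enough to verify guesses, and moving the database without the
config entry makes every stored hash unverifiable (the trade-off Frank
describes).
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed value for the example; tune to the deployment's hardware.
PBKDF2_ITERATIONS = 100_000


def generate_install_secret() -> str:
    """Random installation-wide secret, written to the config file at setup."""
    return secrets.token_hex(32)


def hash_password(password: str, install_secret: str,
                  salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' for storage next to the user record.

    The salt is random per user and stored in the clear with the hash, so
    two users with the same password get different rows. The install
    secret is mixed in first via HMAC; it never appears in the database.
    """
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(install_secret.encode("utf-8"),
                        password.encode("utf-8"),
                        hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, install_secret: str) -> bool:
    """Recompute with the stored salt and the config secret; constant-time compare."""
    try:
        salt_hex, _digest_hex = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    candidate = hash_password(password, install_secret, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed walk-through: setup generates the secret, two users pick
    # the same password, then the config file is "lost" and replaced.
    secret = generate_install_secret()
    row_alice = hash_password("correct horse", secret)
    row_bob = hash_password("correct horse", secret)
    print("same password, different rows:", row_alice != row_bob)
    print("login with config present:", verify_password("correct horse", row_alice, secret))
    new_secret = generate_install_secret()
    print("login after config lost:", verify_password("correct horse", row_alice, new_secret))
```

Running the block shows the two properties the thread cares about: identical passwords no longer produce identical hashes, so a precomputed table built for one user does not apply to another, and a database restored under a regenerated config secret rejects every existing password, which is exactly why the setup-generated value has to be backed up together with the database.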



