[Owncloud] Salt

Andreas Schneider asn at cryptomilk.org
Fri Jun 8 09:19:22 UTC 2012


On Friday 08 June 2012 10:30:54 Frank Karlitschek wrote:
> Hi Andreas,

Hi Frank,

> thanks for the hint. Waiting for your patch ;-)
> 
> The challenge is that we can't implement it as usual and put a salt into the
> code. This would be useless because the code is open source.
> 
> So the salt has to be different for every installation. We could generate a
> random salt during installation and store it in the config file. The admin
> has to understand that the user database can't be migrated to a different
> host without the config.php entry.

that's the way to do it. Why?

a) SQL injections are the most likely attack
b) You can even store the salt (nonce) next to the password hash in the 
database. Salting makes it really hard to use a rainbow table to brute force 
the password. You need the most time to create the rainbow table with the 
salt.

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

> This is not a protection if the server
> is completely cracked as the one from linkedin was because the salt is
> stored in cleartext on server.

Well, if the server is completely cracked there is no protection at all. I 
change the code and dump the cleartext passwords.

> Obviously this only helps if someone used the
> internal ownCloud usermanagement and has no effect if LDAP or any other
> user backend is used.

Well in this case LDAP is responsible for storing the passwords securely.

> 
> 
> Suggestions?

See above.


	-- andreas

-- 
Andreas Schneider                   GPG-ID: F33E3FC6
www.cryptomilk.org                asn at cryptomilk.org
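The scheme the two of them converge on, a random per-user salt stored in cleartext next to the hash plus a per-installation secret kept in config.php, is easy to get subtly wrong, so here is a worked version as an added example. It is not code from the thread or from ownCloud: the KDF (PBKDF2-HMAC-SHA256), the iteration count, the record layout and the `INSTALL_SECRET` value are all assumptions made for the illustration. It shows the two properties argued for above: equal passwords hash differently across users, and a table dumped via SQL injection cannot be verified (or efficiently attacked) without the installation secret from the config file.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the per-installation secret the thread proposes
# writing to config.php at install time. Generated once with a CSPRNG; it is
# never embedded in the (open-source) code and travels only with the config.
INSTALL_SECRET = secrets.token_bytes(32)

# PBKDF2 work factor. Assumption for this example, not a project setting;
# a real deployment tunes it to the server's CPU budget.
ITERATIONS = 200_000


def _derive(password: str, user_salt: bytes, install_secret: bytes, iterations: int) -> bytes:
    # The per-user salt and the installation secret are both mixed into the
    # KDF salt, so the output depends on the password, the user row and the
    # config file. Either piece missing means the hash cannot be recomputed.
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        user_salt + install_secret,
        iterations,
    )


def hash_password(password: str, install_secret: bytes = INSTALL_SECRET) -> dict:
    """Return the record to store beside the user row.

    The per-user salt is random and stored in cleartext next to the hash, so
    two users with the same password get unrelated hashes and one rainbow
    table cannot be shared across accounts or installations.
    """
    user_salt = secrets.token_bytes(16)
    derived = _derive(password, user_salt, install_secret, ITERATIONS)
    return {
        "salt": user_salt.hex(),
        "iterations": ITERATIONS,
        "hash": derived.hex(),
    }


def verify_password(password: str, record: dict, install_secret: bytes = INSTALL_SECRET) -> bool:
    """Recompute the hash from the stored record and compare in constant time."""
    derived = _derive(
        password,
        bytes.fromhex(record["salt"]),
        install_secret,
        record["iterations"],
    )
    # Constant-time comparison so a login oracle does not leak matching prefixes.
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


def migration_check(record: dict, password: str, new_host_secret: bytes) -> bool:
    """Models the admin caveat from the thread: a user table moved to a host
    whose config.php carries a different secret no longer verifies anyone."""
    return verify_password(password, record, install_secret=new_host_secret)


if __name__ == "__main__":
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("same password, different hashes:", rec_a["hash"] != rec_b["hash"])
    print("login ok:", verify_password("correct horse battery staple", rec_a))
    print("wrong password rejected:", not verify_password("tr0ub4dor", rec_a))
    other_config = secrets.token_bytes(32)  # constructed: a different install's secret
    print("verifies after moving DB without config.php:",
          migration_check(rec_a, "correct horse battery staple", other_config))
```

The design choice worth noting is that the installation secret is mixed into the KDF input rather than stored in the database: the `salt` column is deliberately public, while the config.php value is the part an attacker with only a SQL dump lacks, which is exactly the split Andreas argues for against the "most likely attack".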
