Image: Carlos Porto / FreeDigitalPhotos.net


TYPO3camp Munich - 11./12. September 2010
Inspiring people to share

Secure password storing with TYPO3’s
system extension “saltedpasswords”

                     Steffen Gebert <steffen@steffen-gebert.de>


          Translated slides, original title:
“TYPO3-Passwörter sicher speichern mit saltedpasswords”
 http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit


Introduction


Your Speaker


         Steffen Gebert
          Student, Freelancer

       TYPO3 Core Team Member




Introduction


Ouch!
      TYPO3 Association, 3rd Quarterly Report 2008

         “What happened? An unauthorized person gained
         administrative access to the typo3.org website. As
         far as we can tell, an admin password was stolen
         and used to find out more passwords on typo3.org.”




Introduction


Saving passwords
      Definite no-go: storing the cleartext password

      Instead

         Save a hash (“check sum”)

         Compare against the hash during login




Introduction


Fundamental knowledge: Hashing
      One-way function

         identical input => identical output
         md5('joh316') = 'bacb98acf97e0b6112b1d1b650b84971'

         opposite direction not algorithmically computable

      Most frequently used algorithm: MD5

         not considered secure for a long time (collisions easy to compute,
         huge rainbow tables available)

         Alternatives (SHA) only provide a bigger output space
         => just new rainbow tables needed


Introduction


Saving a salted password
      User input: 'joh316'

      Generate salt, e.g. '7deb882cf'

      Compute hash
      md5('7deb882cf' . 'joh316') = 'bacedc598493cb316044207d95f7ad54'

      Save salt and hash




Introduction


Validating a salted password
      User input: 'joh316'

      Read used salt from database: '7deb882cf'

      Compute hash
      md5('7deb882cf' . 'joh316') = 'bacedc598493cb316044207d95f7ad54'

      Compare with saved hash




The Extension


System extension saltedpasswords
      Formerly t3sec_saltedpasswords by Marcus Krause,
      Member of the TYPO3 security team

      Integration into TYPO3 Core version 4.3 after rework by
      Steffen Ritter




The Extension


Implemented salting methods
      Salted MD5

      Portable PHP password hashing framework

         Available for various PHP applications (Drupal etc.)

         Repetitive execution of MD5 (slow)

      Blowfish

         Availability depends on the environment

         Starting with PHP 5.3, an implementation ships with PHP



The Extension


Crux of the matter...
      Password must be available in plaintext on the server

         TYPO3 by default transfers an MD5 hash of the password

         Plaintext transfer is insecure

      Prerequisite (at least one)

            SSL secured connection

            System extension rsaauth
            Encrypts passwords prior to transfer using the
            RSA algorithm



Installation & Configuration


rsaauth
      Prerequisite

         OpenSSL: PHP extension recommended, binary as fallback

         JavaScript

      Activation

         Frontend
         $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'rsa';

         Backend
         $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';




Installation & Configuration


saltedpasswords with SSL encryption
      Frontend

         $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';

      Backend

         $TYPO3_CONF_VARS['BE']['lockSSL'] set to a value > 0




Installation & Configuration


Installation of saltedpasswords
      Checks availability of rsaauth or lockSSL




      Separate activation for Frontend and Backend

      Choice of hashing method

Compatibility


Backwards compatibility
      Existing passwords? (unsalted MD5)

          immediate conversion not possible, as the cleartext is not
          available

          only possible moment: during login
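The store, validate and convert-on-login steps from the “Saving a salted password”, “Validating a salted password” and “Backwards compatibility” slides, as one added Python example (not the extension's PHP code). It assumes a record layout of {"salt", "hash"} in which an empty salt marks a legacy unsalted-MD5 row; md5(salt . password) is used only because that is the construction on the slides, and the salt length and the record layout are this example's choices:

```python
import hashlib
import hmac
import re
import secrets

# Assumption of this example: a stored record is {"salt": str, "hash": str};
# an empty salt marks a legacy unsalted-MD5 record (not the extension's real layout).
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def salted_md5(password, salt):
    """The construction from the slides: md5(salt . password).
    MD5 mirrors the slides; the slower schemes (PHPASS, Blowfish) are preferable."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def create_record(password):
    """New account or password change: fresh random salt, store salt and hash."""
    salt = secrets.token_hex(8)  # 16 hex characters from the OS CSPRNG
    return {"salt": salt, "hash": salted_md5(password, salt)}


def is_legacy(record):
    """True for an unsalted MD5 record that still needs conversion."""
    return record["salt"] == "" and LEGACY_MD5_RE.match(record["hash"]) is not None


def verify(record, password):
    """Login check: recompute with the stored salt and compare in constant time.
    An empty salt reproduces plain md5(password), so legacy records still verify."""
    expected = salted_md5(password, record["salt"])
    return hmac.compare_digest(expected, record["hash"])


def login(record, password):
    """Authenticate against the stored record. If the password is correct and the
    record is still unsalted, upgrade it now: login is the only moment the
    cleartext is available. Returns (success, possibly-upgraded record)."""
    if not verify(record, password):
        return False, record
    if is_legacy(record):
        record = create_record(password)
    return True, record


# Constructed sample: the unsalted md5('joh316') shown on the slides.
LEGACY_RECORD = {"salt": "", "hash": "bacb98acf97e0b6112b1d1b650b84971"}

if __name__ == "__main__":
    ok, record = login(dict(LEGACY_RECORD), "joh316")
    print(ok, record)  # True and a freshly salted record
    print(verify(record, "joh316"), verify(record, "joh317"))
```

Two calls to create_record() with the same password produce different hashes, which is exactly what makes a precomputed rainbow table useless against the stored values; a failed login leaves the legacy record untouched, since the cleartext was never confirmed.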




Compatibility


Extensions
      Frontend

          felogin compatible

          srfeuserregister_t3secsaltedpw

          Alternative FE-User registrations?

      Adjustments for own extensions might be needed




Background knowledge


Password formats
     MD5 without salt
     bacb98acf97e0b6112b1d1b650b84971

     MD5 with Salt
     starts with $1$, 12 characters of salt
     $1$13NETowd$WFpl6npZF71YKkCCzGds2.

     Blowfish
     starts with $2a$, 22 characters of salt
     $2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W

     PHPASS
     starts with $P$
     $P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.
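A parser for the four stored-password formats listed above, added here as a Python example (not code from the extension). It recognises each format by its prefix and extracts the salt and the work factor; the character classes and field lengths follow the crypt(), bcrypt and PHPASS conventions, and the sample values are the ones printed on the slide. Note that the slide's “12 characters of salt” for $1$ counts the `$1$` prefix, up to 8 salt characters and the terminating `$` together:

```python
import re

# Constructed samples: the four stored values shown on the slide.
SAMPLES = {
    "plain_md5": "bacb98acf97e0b6112b1d1b650b84971",
    "md5_crypt": "$1$13NETowd$WFpl6npZF71YKkCCzGds2.",
    "blowfish": "$2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W",
    "phpass": "$P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.",
}

# crypt()-style base64 alphabet, also used by PHPASS for its cost character
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
B64 = r"[./0-9A-Za-z]"

PLAIN_MD5 = re.compile(r"^[0-9a-f]{32}$")
# $1$ + up to 8 salt chars + $ + 22 hash chars
MD5_CRYPT = re.compile(rf"^\$1\$({B64}{{1,8}})\$({B64}{{22}})$")
# $2a$ + two-digit cost + $ + 22 salt chars + 31 hash chars
BLOWFISH = re.compile(rf"^\$2a\$(\d{{2}})\$({B64}{{22}})({B64}{{31}})$")
# $P$ + one cost char + 8 salt chars + 22 hash chars
PHPASS = re.compile(rf"^\$P\$({B64})({B64}{{8}})({B64}{{22}})$")


def identify_stored_password(stored):
    """Classify a stored password string.

    Returns a dict with the scheme name, whether it is salted, the salt and the
    number of hash iterations the scheme performs (None when unsalted).
    Raises ValueError for anything else, so unknown rows are never silently
    treated as valid."""
    if PLAIN_MD5.match(stored):
        return {"scheme": "md5-unsalted", "salted": False, "salt": "", "iterations": None}
    m = MD5_CRYPT.match(stored)
    if m:
        # MD5-crypt always runs a fixed 1000-round loop
        return {"scheme": "md5-crypt", "salted": True, "salt": m.group(1), "iterations": 1000}
    m = BLOWFISH.match(stored)
    if m:
        # bcrypt cost is log2 of the number of rounds
        return {"scheme": "blowfish", "salted": True, "salt": m.group(2),
                "iterations": 2 ** int(m.group(1))}
    m = PHPASS.match(stored)
    if m:
        # PHPASS encodes log2(iterations) as one itoa64 character
        return {"scheme": "phpass", "salted": True, "salt": m.group(2),
                "iterations": 1 << ITOA64.index(m.group(1))}
    raise ValueError("unknown stored password format")


def unsalted_rows(rows):
    """Report which stored values are still unsalted MD5 (migration candidates)."""
    return [s for s in rows if not identify_stored_password(s)["salted"]]


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, identify_stored_password(value))
    print("still unsalted:", unsalted_rows(SAMPLES.values()))
```

Running identify_stored_password() over the user table is a cheap way to audit how many rows are still unsalted MD5 after enabling the extension, since those rows only get converted when their owner logs in.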



Background knowledge


Password formats: Pro & Contra
     PHPASS

         Low system requirements (compatible with every PHP version)

         Requires PHPASS implementation in application

     MD5 / Blowfish

         Format of Unix’ crypt(), compatible with system services (/etc/passwd)

         The better choice (?)

         Availability of algorithms system dependent

         with PHP 5.3.2 also SHA-256/512 possible

Background knowledge


Usage of crypt()
     Password validation:
     crypt($user_input, $encrypted_password) == $encrypted_password

     Saved hash (including salt):
     $1$13NETowd$WFpl6npZF71YKkCCzGds2.

     Checking against the saved password 'joh316'

         crypt('joh316', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.')
              = '$1$13NETowd$WFpl6npZF71YKkCCzGds2.'

         crypt('password', '$1$13NETowd$WFpl6npZF71YKkCCzGds2.')
              = '$1$13NETowd$SeAArtswHd8jzc9SQvH691'
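The crypt() idiom from this slide, worked through in an added Python example (not the extension's code and not PHP's crypt()): the stored string is passed back in as the “salt” argument, the `$1$` prefix selects the scheme, the salt between the second and third `$` is reused, and the result is compared with the stored string. The `$1$` (MD5-crypt) scheme is ported here so that the example runs offline; the port follows the classic FreeBSD/glibc algorithm, and the test checks only the format and the round trip rather than re-asserting the slide's printed hash:

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, chars):
    """crypt()-style base64: emit `chars` characters, low 6 bits first."""
    out = ""
    for _ in range(chars):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """Pure-Python port of the classic MD5-crypt ($1$) scheme (this example's own code)."""
    pw = password.encode()
    salt = salt[:8].encode()  # MD5-crypt uses at most 8 salt characters
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    final = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(final[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + encoded


def crypt_like(password, setting):
    """Mimic crypt($input, $setting) for the $1$ format: the scheme and the salt
    come from the setting string, which may be a complete stored hash."""
    if not setting.startswith("$1$"):
        raise ValueError("only the $1$ (MD5-crypt) format is implemented here")
    salt = setting[3:].split("$", 1)[0]
    return md5_crypt(password, salt)


def verify_crypt_style(password, stored):
    """The idiom from the slide: crypt(input, stored) == stored, compared in constant time."""
    return hmac.compare_digest(crypt_like(password, stored), stored)


if __name__ == "__main__":
    stored = md5_crypt("joh316", "13NETowd")
    print(stored)
    print(verify_crypt_style("joh316", stored))      # True
    print(crypt_like("password", stored))            # same $1$13NETowd$ prefix, different hash
    print(verify_crypt_style("password", stored))    # False
```

As on the slide, the wrong password yields a string with the same `$1$13NETowd$` prefix and a different 22-character hash part; the comparison must cover the whole string, and hmac.compare_digest() avoids leaking where the first mismatching character is.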




Web links
     Free Rainbow Tables
     http://www.freerainbowtables.com

     PHPASS
     http://www.openwall.com/phpass/

     PHP Manual: crypt()
     http://de2.php.net/manual/en/function.crypt.php

     Wikipedia: crypt (Unix)
     http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function




Questions?

Mais conteúdo relacionado

Semelhante a Secure password storing with saltedpasswords in TYPO3

Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon
 
Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityAntiy Labs
 
Passwords & security
Passwords & securityPasswords & security
Passwords & securityPer Thorsheim
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authenticationFrank Denis
 
Hashing Considerations In Web Applications
Hashing Considerations In Web ApplicationsHashing Considerations In Web Applications
Hashing Considerations In Web ApplicationsIslam Heggo
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsJohn Congdon
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia PotapenkoFwdays
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception saconPriyanka Aash
 
Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia -  Running a secure pulsar clusterPulsar Summit Asia -  Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterShivji Kumar Jha
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Globally Distributed RESTful Object Storage
Globally Distributed RESTful Object Storage Globally Distributed RESTful Object Storage
Globally Distributed RESTful Object Storage MongoDB
 
Practical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for DevelopersPractical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for DevelopersGökhan Şengün
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesOVHcloud
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentThierry Gayet
 

Semelhante a Secure password storing with saltedpasswords in TYPO3 (20)

Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rds
 
Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network Identity
 
Passwords & security
Passwords & securityPasswords & security
Passwords & security
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authentication
 
Hashing Considerations In Web Applications
Hashing Considerations In Web ApplicationsHashing Considerations In Web Applications
Hashing Considerations In Web Applications
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just Passwords
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
 
Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia -  Running a secure pulsar clusterPulsar Summit Asia -  Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar cluster
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Cracking Salted Hashes
Cracking Salted HashesCracking Salted Hashes
Cracking Salted Hashes
 
Globally Distributed RESTful Object Storage
Globally Distributed RESTful Object Storage Globally Distributed RESTful Object Storage
Globally Distributed RESTful Object Storage
 
The Hacker's Guide to JWT Security
The Hacker's Guide to JWT SecurityThe Hacker's Guide to JWT Security
The Hacker's Guide to JWT Security
 
Practical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for DevelopersPractical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for Developers
 
HARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVERHARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVER
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy Tales
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managment
 

Mais de Steffen Gebert

Building an IoT SuperNetwork on top of the AWS Global Infrastructure
Building an IoT SuperNetwork on top of the AWS Global InfrastructureBuilding an IoT SuperNetwork on top of the AWS Global Infrastructure
Building an IoT SuperNetwork on top of the AWS Global InfrastructureSteffen Gebert
 
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...Steffen Gebert
 
Feature Management Platforms
Feature Management PlatformsFeature Management Platforms
Feature Management PlatformsSteffen Gebert
 
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT Devices
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT DevicesServerless Networking - How We Provide Cloud-Native Connectivity for IoT Devices
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT DevicesSteffen Gebert
 
How our Cloudy Mindsets Approached Physical Routers
How our Cloudy Mindsets Approached Physical RoutersHow our Cloudy Mindsets Approached Physical Routers
How our Cloudy Mindsets Approached Physical RoutersSteffen Gebert
 
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)Jenkins vs. AWS CodePipeline (AWS User Group Berlin)
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)Steffen Gebert
 
Jenkins vs. AWS CodePipeline
Jenkins vs. AWS CodePipelineJenkins vs. AWS CodePipeline
Jenkins vs. AWS CodePipelineSteffen Gebert
 
Monitoring Akka with Kamon 1.0
Monitoring Akka with Kamon 1.0Monitoring Akka with Kamon 1.0
Monitoring Akka with Kamon 1.0Steffen Gebert
 
(Declarative) Jenkins Pipelines
(Declarative) Jenkins Pipelines(Declarative) Jenkins Pipelines
(Declarative) Jenkins PipelinesSteffen Gebert
 
An Open-Source Chef Cookbook CI/CD Implementation Using Jenkins Pipelines
An Open-Source Chef Cookbook CI/CD Implementation Using Jenkins PipelinesAn Open-Source Chef Cookbook CI/CD Implementation Using Jenkins Pipelines
An Open-Source Chef Cookbook CI/CD Implementation Using Jenkins PipelinesSteffen Gebert
 
Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateSteffen Gebert
 
Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the Web
Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the WebCleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the Web
Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the WebSteffen Gebert
 
Investigating the Impact of Network Topology on the Processing Times of SDN C...
Investigating the Impact of Network Topology on the Processing Times of SDN C...Investigating the Impact of Network Topology on the Processing Times of SDN C...
Investigating the Impact of Network Topology on the Processing Times of SDN C...Steffen Gebert
 
SDN interfaces and performance analysis of SDN components
SDN interfaces and performance analysis of SDN componentsSDN interfaces and performance analysis of SDN components
SDN interfaces and performance analysis of SDN componentsSteffen Gebert
 
The Development Infrastructure of the TYPO3 Project
The Development Infrastructure of the TYPO3 ProjectThe Development Infrastructure of the TYPO3 Project
The Development Infrastructure of the TYPO3 ProjectSteffen Gebert
 
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-Entwicklung
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-EntwicklungDer Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-Entwicklung
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-EntwicklungSteffen Gebert
 
Official typo3.org infrastructure &
the TYPO3 Server Admin Team
Official typo3.org infrastructure &
the TYPO3 Server Admin TeamOfficial typo3.org infrastructure &
the TYPO3 Server Admin Team
Official typo3.org infrastructure &
the TYPO3 Server Admin TeamSteffen Gebert
 

Mais de Steffen Gebert (20)

Building an IoT SuperNetwork on top of the AWS Global Infrastructure
Building an IoT SuperNetwork on top of the AWS Global InfrastructureBuilding an IoT SuperNetwork on top of the AWS Global Infrastructure
Building an IoT SuperNetwork on top of the AWS Global Infrastructure
 
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...
 
Feature Management Platforms
Feature Management PlatformsFeature Management Platforms
Feature Management Platforms
 
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT Devices
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT DevicesServerless Networking - How We Provide Cloud-Native Connectivity for IoT Devices
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT Devices
 
How our Cloudy Mindsets Approached Physical Routers
How our Cloudy Mindsets Approached Physical RoutersHow our Cloudy Mindsets Approached Physical Routers
How our Cloudy Mindsets Approached Physical Routers
 
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)Jenkins vs. AWS CodePipeline (AWS User Group Berlin)
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)
 
Jenkins vs. AWS CodePipeline
Jenkins vs. AWS CodePipelineJenkins vs. AWS CodePipeline
Jenkins vs. AWS CodePipeline
 
Monitoring Akka with Kamon 1.0
Monitoring Akka with Kamon 1.0Monitoring Akka with Kamon 1.0
Monitoring Akka with Kamon 1.0
 
(Declarative) Jenkins Pipelines
(Declarative) Jenkins Pipelines(Declarative) Jenkins Pipelines
(Declarative) Jenkins Pipelines
 
An Open-Source Chef Cookbook CI/CD Implementation Using Jenkins Pipelines
An Open-Source Chef Cookbook CI/CD Implementation Using Jenkins PipelinesAn Open-Source Chef Cookbook CI/CD Implementation Using Jenkins Pipelines
An Open-Source Chef Cookbook CI/CD Implementation Using Jenkins Pipelines
 
Continuous Delivery
Continuous DeliveryContinuous Delivery
Continuous Delivery
 
Jenkins Pipelines
Jenkins PipelinesJenkins Pipelines
Jenkins Pipelines
 
Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a Certificate
 
Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the Web
Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the WebCleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the Web
Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the Web
 
Investigating the Impact of Network Topology on the Processing Times of SDN C...
Investigating the Impact of Network Topology on the Processing Times of SDN C...Investigating the Impact of Network Topology on the Processing Times of SDN C...
Investigating the Impact of Network Topology on the Processing Times of SDN C...
 
SDN interfaces and performance analysis of SDN components
SDN interfaces and performance analysis of SDN componentsSDN interfaces and performance analysis of SDN components
SDN interfaces and performance analysis of SDN components
 
Git Power-Workshop
Git Power-WorkshopGit Power-Workshop
Git Power-Workshop
 
The Development Infrastructure of the TYPO3 Project
The Development Infrastructure of the TYPO3 ProjectThe Development Infrastructure of the TYPO3 Project
The Development Infrastructure of the TYPO3 Project
 
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-Entwicklung
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-EntwicklungDer Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-Entwicklung
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-Entwicklung
 
Official typo3.org infrastructure &
the TYPO3 Server Admin Team
Official typo3.org infrastructure &
the TYPO3 Server Admin TeamOfficial typo3.org infrastructure &
the TYPO3 Server Admin Team
Official typo3.org infrastructure &
the TYPO3 Server Admin Team
 

Último

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Secure password storing with saltedpasswords in TYPO3

  • 1. Secure password storing with saltedpasswords. Image: Carlos Porto / FreeDigitalPhotos.net. TYPO3camp Munich, 11./12. September 2010
  • 2. Secure password storing with TYPO3’s system extension “saltedpasswords”
    • Steffen Gebert <steffen@steffen-gebert.de>
    • Translated slides, original title: “TYPO3-Passwörter sicher speichern mit saltedpasswords”, http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit
    • TYPO3camp Munich, 11./12. September 2010
  • 3. Introduction: Your speaker
    • Steffen Gebert: student, freelancer, TYPO3 Core Team member
  • 4. Introduction: Ouch!
    • TYPO3 Association, 3rd Quarterly Report 2008: “What happened? An unauthorized person gained administrative access to the typo3.org website. As far as we can tell, an admin password was stolen and used to find out more passwords on typo3.org.”
  • 5. Introduction: Saving passwords
    • Definite no-go: storing the cleartext password
    • Instead: save a hash (“check sum”) and compare against that hash during login
  • 6. Introduction: Fundamental knowledge: Hashing
    • One-way function: identical input => identical output, e.g. md5(‘joh316’) = ‘bacb98acf97e0b6112b1d1b650b84971’; the opposite direction is not algorithmically computable
    • Most frequently used algorithm: MD5, not considered secure for ages (collisions easy to compute, huge rainbow tables available)
    • Alternatives (SHA) only provide a bigger result set => just new rainbow tables needed
  • 7. Introduction: Saving a salted password
    • User input: ‘joh316’
    • Generate a salt, e.g. ‘7deb882cf’
    • Compute the hash: md5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’
    • Save salt and hash
  • 8. Introduction: Validating a salted password
    • User input: ‘joh316’
    • Read the used salt from the database: ‘7deb882cf’
    • Compute the hash: md5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’
    • Compare with the saved hash
  • 9. The Extension: System extension saltedpasswords
    • Formerly t3sec_saltedpasswords by Marcus Krause, member of the TYPO3 security team
    • Integrated into TYPO3 Core version 4.3 after a rework by Steffen Ritter
  • 10. The Extension: Implemented salting methods
    • Salted MD5
    • Portable PHP password hashing framework (PHPASS): available for various PHP applications (Drupal etc.); repeated execution of MD5 (slow)
    • Blowfish: availability depends on the environment; starting with PHP 5.3 an implementation is shipped with PHP
  • 11. The Extension: Crux of the matter...
    • The password must be available in plaintext
    • TYPO3 by default transfers an MD5 hash; plaintext transfer is insecure
    • Prerequisite (at least one of): an SSL-secured connection, or the system extension rsaauth, which encrypts passwords prior to transfer using the RSA algorithm
  • 12. Installation & Configuration: rsaauth
    • Prerequisites: OpenSSL (PHP extension recommended, binary as fallback), JavaScript
    • Activation, Frontend: $TYPO3_CONF_VARS[FE][loginSecurityLevel] = ‘rsa’
    • Activation, Backend: $TYPO3_CONF_VARS[BE][loginSecurityLevel] = ‘rsa’;
  • 13. Installation & Configuration: saltedpasswords with SSL encryption
    • Frontend: $TYPO3_CONF_VARS[FE][loginSecurityLevel] = ‘normal’
    • Backend: $TYPO3_CONF_VARS[BE][lockSSL] > 0
  • 14. Installation & Configuration: Installation of saltedpasswords
    • Checks availability of rsaauth or lockSSL
    • Separate activation for Frontend and Backend
    • Choice of hashing method
  • 15. Compatibility: Backwards compatibility
    • Existing passwords (unsalted MD5)? Immediate conversion is not possible, as the cleartext is not available; the only possible moment is during login
  • 16. Compatibility: Extensions
    • Frontend: felogin is compatible; srfeuserregister_t3secsaltedpw
    • Alternative FE user registrations? Adjustments to own extensions might be needed
  • 17. Background knowledge: Password formats
    • MD5 without salt: bacb98acf97e0b6112b1d1b650b84971
    • MD5 with salt (starts with $1$, 12 characters of salt): $1$13NETowd$WFpl6npZF71YKkCCzGds2.
    • Blowfish (starts with $2a$, 22 characters of salt): $2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W
    • PHPASS (starts with $P$): $P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.
  • 18. Background knowledge: Password formats, pro & contra
    • PHPASS: low system requirements (compatible with every PHP version); requires a PHPASS implementation in the application
    • MD5 / Blowfish: format of Unix’ crypt(), compatible with system services (/etc/passwd); the better choice (?); availability of algorithms is system dependent; with PHP 5.3.2 also SHA-256/512 possible
  • 19. Background knowledge: Usage of crypt()
    • Password validation: crypt($user_input, $encrypted_password) == $encrypted_password
    • Saved hash (including salt): $1$13NETowd$WFpl6npZF71YKkCCzGds2.
    • Checking the saved password ‘joh316’: crypt(joh316, $1$13NETowd$WFpl6npZF71YKkCCzGds2.) = $1$13NETowd$WFpl6npZF71YKkCCzGds2.
    • Checking a wrong password: crypt(password, $1$13NETowd$WFpl6npZF71YKkCCzGds2.) = $1$13NETowd$SeAArtswHd8jzc9SQvH691
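How the salted validation of slides 7, 8 and 19, the format prefixes of slide 17 and the login-time conversion of slide 15 fit together, as an added PHP 8 example that is not code from the slides or from the saltedpasswords extension; the function names hashFormat, newMd5CryptSalt, verifyStoredHash and upgradeOnLogin are assumptions:

```php
<?php
// Added example, not from the slides or the saltedpasswords extension; all function names are assumed.
// Recognise the stored formats from slide 17 by their prefix.
function hashFormat(string $stored): string
{
    if (str_starts_with($stored, '$1$')) {
        return 'md5-crypt';                 // "$1$" + 8-char salt + "$" + hash
    }
    if (str_starts_with($stored, '$2a$') || str_starts_with($stored, '$2y$')) {
        return 'blowfish';                  // "$2a$" + cost + "$" + 22-char salt + hash
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        return 'md5-plain';                 // legacy TYPO3 hash: md5() without salt
    }
    return 'unknown';                       // e.g. "$P$" PHPass, which needs its own library
}

// Fresh MD5-crypt salt: "$1$" + 8 random chars from crypt()'s ./0-9A-Za-z alphabet + "$".
function newMd5CryptSalt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$1$' . $salt . '$';
}

// Slide 19: crypt($input, $stored) re-applies the salt embedded in $stored; hash_equals() compares in constant time.
function verifyStoredHash(string $input, string $stored): bool
{
    return match (hashFormat($stored)) {
        'md5-plain'             => hash_equals($stored, md5($input)),
        'md5-crypt', 'blowfish' => hash_equals($stored, crypt($input, $stored)),
        default                 => false,
    };
}

// Slide 15: the cleartext exists only during login, so convert a legacy hash there; returns the new hash or null.
function upgradeOnLogin(string $input, string $stored): ?string
{
    if (hashFormat($stored) !== 'md5-plain' || !verifyStoredHash($input, $stored)) {
        return null;                        // wrong password, or already salted
    }
    return crypt($input, newMd5CryptSalt());
}

// Constructed demo: the legacy hash is md5('joh316') from slide 6.
$upgraded = upgradeOnLogin('joh316', 'bacb98acf97e0b6112b1d1b650b84971');
var_dump(verifyStoredHash('joh316', $upgraded));    // bool(true); the salt differs on every run
var_dump(verifyStoredHash('password', $upgraded));  // bool(false)
```

PHP 5.5 and later also ship password_hash() and password_verify(), which postdate these slides and are the preferred API for new code.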
  • 20. Web links
    • Free Rainbow Tables: http://www.freerainbowtables.com
    • PHPASS: http://www.openwall.com/phpass/
    • PHP Manual: crypt(): http://de2.php.net/manual/en/function.crypt.php
    • Wikipedia: crypt (Unix): http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function