Sunday 24 July 2011

Password Sodium

So on food labels they often show the amount of Sodium in the food, which is useful, but less useful than if they showed the actual amount of Salt, which is what you need to watch out for (apparently the conversion is Salt = Sodium x 2.5).  Putting Sodium instead of Salt is a trick by manufacturers to make high in Salt products look like there is less Salt in the food than there actually is.

So I have been thinking about better ways to authenticate via passwords recently, which has nothing to do with food labels, but everything to do with hiding useful information.  I have been thinking about ways to make an authentication scheme secure even if an attacker gets access to the password hash.  So far the problem as I see it is that an attacker is always able to use a dictionary of passwords to try to get a match with a password hash.  We can make this computationally expensive, but we can't stop it without removing some vital piece of information.  I still believe there is scope for a creative solution here, but it occurred to me we could also transform the problem into something we are better at solving.

If we encrypt the password salt, then if the attacker gets hold of the password hashes they will be of no use whatsoever, because it is computationally infeasible to guess the salt. I am going to call the encrypted password salt ... the password sodium.

This suggestion, as I mentioned, merely transforms the problem for the attacker from one of gaining access to the password hashes, to gaining access to the password hashes and the salt encryption key.  A practical example of this would be to say that instead of a SQL Injection vulnerability being enough to get the password hashes and begin cracking them, the attacker needs to compromise the machine as well (depending on where the encryption key is stored).

The hope here is that we have made the task more difficult for the attacker.  That hope depends on how and where we store our encryption keys, but that certainly is not a new problem and many companies have standard solutions.

Certainly, with the numerous high-profile password hash disclosures that have happened over the last couple of months, adding a little defense in depth by encrypting password salts should help protect people's passwords and minimise the damage of password hash disclosures.
