Closed Bug 1684300 Opened 4 years ago Closed 4 years ago

Number of iterations used for key derivation is 1

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dmitrvla, Assigned: kjacobs)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Attached file ver84.0.1.pdf

Firefox version 84.0.1, 64-bit
Windows 10, ver. 2004, 64-bit / Ubuntu 20.04.1 - 64-bit

There is only 1 hash iteration in KDF for master key before it is used in encryption of "password-check".
But by default it should be 10000 due to previous fix( https://bugzilla.mozilla.org/show_bug.cgi?id=1562674#c11 ).
The lower value allows to bruteforce user's passwords.

Steps before:
1.Install Firefox 84.0.1, 64-bit
2.Start and set master-key for profile
3.Add login and password for example-web
4.key4.db file in profile folder now contains necessary infomations

In the first image in the .pdf are parts of sequence from key4.db, it shows "field-1" has value 1, which is count
of iteration.
Values in green box are used in hash and encryption of "password-check", blue underlined value is
encrypted "password-check", which is also stored in key4.db.
There is example url, login and password at the bottom of 1.image, which is received by decryption using only 1 iteration in kdf for master key.
2. image shows parts which used for check, that 1 iteration in kdf is really used(sha1, hmac_sha256,aes_256_cbc).
3. image: encryption of the check phrase with 1 iteration - which has same value as at 1. image - blue underlined value.
4. image: 10.000 iteration - which should be default value. Not equal to our value from 1.image.

Flags: sec-bounty?

This looks bad. Sam or Dana, can you take a look when you're back?

Type: task → defect
Component: Security → Password Manager
Flags: needinfo?(sfoster)
Flags: needinfo?(dkeeler)
Product: Firefox → Toolkit
Flags: needinfo?(sfoster)

In sftk_DBInit, if NSS_DISABLE_DBM is defined, legacy will always be PR_TRUE, which means that NSS will think that the softoken db uses the legacy format, which is wrong. This eventually leads to using an iteration count of 1 in sftkdb_ChangePassword.

Assignee: nobody → nobody
Group: firefox-core-security → crypto-core-security
Component: Password Manager → Libraries
Flags: needinfo?(dkeeler)
Product: Toolkit → NSS
Summary: Number of iterations used for key derivation is 1. → Number of iterations used for key derivation is 1
Version: unspecified → other

I accidentally cleared my need-info flag earlier, but it looks like this found its way to the right person & place. Let me and tim know if you need anything from passwordmgr.

Thanks for the report (and analysis).

I have a patch for this but need to figure out a test so that we don't regress on this again.

Assignee: nobody → kjacobs.bugzilla
Severity: -- → S2
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P1
Keywords: sec-high
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.61
Group: crypto-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: