Number of iterations used for key derivation is 1
Categories (NSS :: Libraries, defect, P1)
Tracking (Not tracked)
People (Reporter: dmitrvla, Assigned: kjacobs)
Details (Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments (3 files)
Firefox version 84.0.1, 64-bit
Windows 10, ver. 2004, 64-bit / Ubuntu 20.04.1 - 64-bit
There is only 1 hash iteration in the KDF for the master key before it is used in encryption of "password-check".
But by default it should be 10000 due to a previous fix (https://bugzilla.mozilla.org/show_bug.cgi?id=1562674#c11).
The lower value allows brute-forcing the user's passwords.
Steps before:
1. Install Firefox 84.0.1, 64-bit
2. Start and set master-key for profile
3. Add login and password for example-web
4. key4.db file in profile folder now contains necessary information
In the first image in the .pdf are parts of the sequence from key4.db; it shows "field-1" has value 1, which is the count of iterations.
Values in the green box are used in the hash and encryption of "password-check"; the blue underlined value is the encrypted "password-check", which is also stored in key4.db.
There is an example URL, login and password at the bottom of 1. image, which is received by decryption using only 1 iteration in the KDF for the master key.
2. image shows the parts which are used to check that 1 iteration in the KDF is really used (sha1, hmac_sha256, aes_256_cbc).
3. image: encryption of the check phrase with 1 iteration - which has the same value as in 1. image - the blue underlined value.
4. image: 10.000 iterations - which should be the default value. Not equal to our value from 1. image.
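The iteration count that the report reads out of key4.db as "field-1" can be checked automatically against the expected default of 10000. The following is an added example, not part of the bug report and not NSS code; it assumes the stored parameters are a DER-encoded PKCS #5 PBES2 structure, and all function names and the sample data are constructed for illustration.

```python
# Added example, not NSS code. Assumption: the stored key-derivation parameters
# are a DER-encoded PKCS #5 PBES2 AlgorithmIdentifier. Sample data is constructed.
PBES2_OID = bytes.fromhex("2a864886f70d01050d")      # 1.2.840.113549.1.5.13
PBKDF2_OID = bytes.fromhex("2a864886f70d01050c")     # 1.2.840.113549.1.5.12
HMAC_SHA256_OID = bytes.fromhex("2a864886f70d0209")  # 1.2.840.113549.2.9

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split consecutive DER elements into a list of (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def pbkdf2_iterations(der):
    """Find SEQUENCE { OID pbkdf2, SEQUENCE { salt, iterationCount, ... } }."""
    items = children(der)
    if len(items) >= 2 and items[0] == (0x06, PBKDF2_OID) and items[1][0] == 0x30:
        params = children(items[1][1])
        if len(params) >= 2 and params[1][0] == 0x02:  # INTEGER after the salt
            return int.from_bytes(params[1][1], "big")
    for tag, val in items:  # otherwise descend into nested SEQUENCEs
        if tag == 0x30 and (found := pbkdf2_iterations(val)) is not None:
            return found
    return None

def check_iterations(der, minimum=10000):  # 10000: the default the report expects
    """Return (count, ok); ok is False if the count is absent or below minimum."""
    count = pbkdf2_iterations(der)
    return count, count is not None and count >= minimum

def sample_pbes2(iterations):  # constructed input; encryption scheme omitted
    tlv = lambda tag, val: bytes([tag, len(val)]) + val  # short-form lengths only
    num = lambda n: tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
    kdf_params = tlv(0x04, bytes(32)) + num(iterations) + num(32) + tlv(0x30, tlv(0x06, HMAC_SHA256_OID))
    kdf = tlv(0x30, tlv(0x06, PBKDF2_OID) + tlv(0x30, kdf_params))
    return tlv(0x30, tlv(0x06, PBES2_OID) + tlv(0x30, kdf))
```

`check_iterations(sample_pbes2(1))` reports the condition described in this bug, and the same call on a structure carrying 10000 iterations passes.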
Comment 1 • 4 years ago
This looks bad. Sam or Dana, can you take a look when you're back?
Comment 2 • 4 years ago
In sftk_DBInit, if NSS_DISABLE_DBM is defined, legacy will always be PR_TRUE, which means that NSS will think that the softoken db uses the legacy format, which is wrong. This eventually leads to using an iteration count of 1 in sftkdb_ChangePassword.
Comment 3 • 4 years ago
I accidentally cleared my need-info flag earlier, but it looks like this found its way to the right person & place. Let me and tim know if you need anything from passwordmgr.
Comment 4 (Assignee) • 4 years ago
Thanks for the report (and analysis).
I have a patch for this but need to figure out a test so that we don't regress on this again.
Comment 5 (Assignee) • 4 years ago
Comment 6 (Assignee) • 4 years ago
Comment 7 (Assignee) • 4 years ago
https://hg.mozilla.org/projects/nss/rev/d4991bb56852e86f45494efbdd535ac0ef1558ca
https://hg.mozilla.org/projects/nss/rev/a8de35c990e3361b13c82b0ba8e3a0d3aa11c5a6