Closed Bug 256076 Opened 21 years ago Closed 21 years ago

go back to old salting with subdirectory

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: asa, Assigned: benjamin)

References

Details

(Keywords: fixed-aviary1.0, Whiteboard: [have patch] ready to land)

Attachments

(1 file, 1 obsolete file)

updated, only salt once per creation dialog
3.10 KB, patch
dveditz
: review+
brendan
: superreview+
bugs
: approval-aviary+
Details | Diff | Splinter Review
We need to go back to the old salting method for PR.
Assignee: firefox → bugs
Flags: blocking-aviary1.0PR+
Blocks: 255238
What's the story on this one? I care that there *be* salting, but I don't strongly prefer one way over another. The current firefox default of three chars seems a bit weak, but you don't necessarily need a whole subdirectory to fix that and zapping the subdir made at least some people happy.
dveditz: I claim three chars of salt is too few, and to go higher, wouldn't we run into 8.3 defau~1.xyz uniqueness problems that reduce or nullify the strength of the added chars? /be
Ah yes, good old shortname aliasing. The system will ignore all but the first three characters of the extension in the shortname form. Using more is pointless, and we both agree three is too few. As I mentioned I don't have strong preferences for how we increase the salting, but I'll throw out another idea for the "please don't add another level" crowd: put the salt first and use the friendly name as the extension. This gives you 8 full chars for the salting as the extra level does. In the shortname alias the full salt is preserved (attempting to use more than 8 perversely reduces your salt to 6) and the user-friendly part we don't care about gets chopped to the first three. asdf9876.piranha pete (== asdf9876.pir) vs piranha pete/asdf9876.slt (== piranh~1/asdf9876.slt) vs piranha pete.asdf9876 (== piranh~1.asd) Obviously the "default" profile is even worse in the last case. This is more or less the approach wallet/single-signon take with the <blah>.w and <blah>.s files. belt and suspenders extra salting in case people were able to get past the profile salting. Adding the extra level works better with the "create a profile" UI we have in the Moz suite. People might not like picking a specific directory (even creating it) and then have us mess with the name. Many don't like us adding the ugly extra level, but at least we *did* use the part they specified. I don't know if Firefox has a profile creating UI like the moz suite. Ok, I guess I'm 90% sold that adding a directory level is the best approach to get additional salt. Depends on the profile UI -- we *could* just default to salt.name and let people edit it out at their own peril. This would /really/ make the anti-salting people happy :-)
But also asdf9876.piranha pete == asdf98~1.pir So you still only get 6 characters that way whenever the friendly name is 4 or longer. All of this is assuming the Microsoft implementation of LFN with the default settings but that's probably 99.99% of the user base anyways.
> But also asdf9876.piranha pete == asdf98~1.pir D'oh! Of course, sorry I missed that. It sounds like they had something when they filed this bug to do it the old way, I just wanted the reasons documented. I know people will complain when it comes back, now we can show them this thread.
What's the point of salting when the profile directory can be read from $USER_HOME\Application Data\Mozilla\Firefox\profiles.ini anyway?
hey, someone wanna cc me on bugs I made... I don't mind salt8888.profilename, if three chars is really considered insufficient
Attached patch Do 8.profilename salting (obsolete) — Splinter Review
Assignee: bugs → bsmedberg
Status: NEW → ASSIGNED
Attachment #156523 - Flags: review?(darin)
Attachment #156523 - Flags: approval-aviary?
Comment on attachment 156523 [details] [diff] [review] Do 8.profilename salting need dveditz and brendan on this... darin out until next week
Attachment #156523 - Flags: superreview?(brendan.eich)
Attachment #156523 - Flags: review?(dveditz)
Attachment #156523 - Flags: review?(darin)
Comment on attachment 156523 [details] [diff] [review] Do 8.profilename salting need dveditz and brendan on this... darin out until next week
Attachment #156523 - Flags: superreview?(brendan)
Comment 5 explains why 8.profilename doesn't work.
Jesse: what does comment 5 demonstrate? We still win, with six characters of salt instead of three. What am I missing? /be
3 chars of salt is 1:36^3 = 1:46,656 6 chars of salt is 1:36^6 = 1:2,176,782,336 I can see an attacker possibly looping through the first. Not the second, not without someone noticing.
Comment on attachment 156523 [details] [diff] [review] Do 8.profilename salting > function updateProfileName(aNewName) { > checkCurrentInput(aNewName); > >- if (gProfileRoot.leafName == gOldProfileName) { >- gProfileRoot.leafName = aNewName; >+ var re = new RegExp("^[a-z0-9]{8}\\." + >+ gOldProfileName.replace(/[|^$()\[\]{}\\+?\.\*]/g, "\\$&") >+ + '$'); >+ >+ if (re.test(gProfileRoot.leafName)) { >+ gProfileRoot.leafName = saltName(aNewName); > updateProfileDisplay(); This happens on every keystroke, with the profile directory changing radically (new salt) on each character. It's a distracting effect, but I could live with it since creating a new profile would be rare. Otherwise, r=dveditz
Attachment #156523 - Flags: review?(dveditz) → review+
Actually the chances of an attacker guessing are probably much better than that. The salting function uses Math.random which is based on the Java random number generator. That is a linear congruential generator which is not cryptographically secure. Although single samples are well distributed, larger runs are significantly predictable. This type of generator has been the basis of several known attacks.
> The salting function uses Math.random which is based on the Java random number > generator. That is a linear congruential generator which is not This is not true for the 99% case, which uses the libc rand() function. The JS salting code only gets hit when using the profile manager UI, which may be removed. > This happens on every keystroke, with the profile directory changing radically > (new salt) on each character. It's a distracting effect, but I could live with > it > since creating a new profile would be rare. Maybe I can salt once per dialog and save the salt.
Attachment #156523 - Attachment is obsolete: true
I'd expect the average libc rand to be worse not better. There should be better sources of randomness already in the codebase at least on the C side, or we could try to use the good bits more efficiently here.
Whiteboard: [have patch]
We're not encrypting, just a run of 8 mostly-random characters. Would knowledge of which rand() algorithm was used really help an attacker do anything other than a brute-force search of possible profile names?
Comment on attachment 156594 [details] [diff] [review] updated, only salt once per creation dialog r=dveditz
Attachment #156594 - Flags: review+
Comment on attachment 156594 [details] [diff] [review] updated, only salt once per creation dialog Not sure how knowing the PRNG helps, as dveditz said. You'd have to know the time used to seed it, and that's not something an attacker can know with a profile (unlike, say, with an SSL session key where the attacker knows when the connection was made). Nit: you don't need to \ . or * in a character class in a JS regexp. As timeless points out, you don't need to \-escape [ either, but it looks better to me if you do that. Yank at least those two extra escapes, and sr=me. /be
Attachment #156594 - Flags: superreview+
Comment on attachment 156594 [details] [diff] [review] updated, only salt once per creation dialog a=ben@mozilla.org
Attachment #156594 - Flags: approval-aviary+
Whiteboard: [have patch] → [have patch] ready to land
Fixed on branch and trunk
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Keywords: fixed-aviary1.0
Resolution: --- → FIXED
If the salting is close enough to guessable that it warrants changing the profile path for a third time, why was such a limited character table picked? With lowercase letters, plus numbers, 36^6 = 2 million Add in uppercase letters to the mix, 62^6 = 57 million Also, as you've gone and broken tab completion again for everyone trying to enter their profile from the command line, I'd at least like to know what everyone's so absolutely terrified about here. What cases have existed where an attacker had read access to someone's local files, but not access to run wildcards through 'sh', or read directory listings? I suppose it may seem too trivial to split the code up here, but is there any chance of UNIX builds using username.salt instead of salt.username, since UNIX's filesystem isn't so screwy? UNIX users tend to be the ones manually typing in their profile directory name all day long anyway, whereas on Windows it's just as easy to click on l1If2j0o.default (that's el-one-eye) as it is anything else. Please? Pretty please?
Oh. Right. DOS is case-insensitive. The @#(*&! hunk of junk.
Comment on attachment 156523 [details] [diff] [review] Do 8.profilename salting please don't request approval until you have a fully reviewed patch. thanks.
Attachment #156523 - Flags: approval-aviary?
Hang on a sec here- the attack on the rng is a math attack not requiring the seed value. Any single draw from an lcg is relatively well distributed. But when you take multiple draws that even distribution is compromised. There's a bias towards certain pairs and a stronger bias towards certain triples and so on. Exploiting this requires knowing the coefficients (likely to be known) but does not require the seed value. The attack improves the on-average brute force time by trying just the high probability sequences. It's not guaranteed to work but almost always wins. This is a variation of the lattice reduction attack. That these generators are probably seeded with the time of day which can be bounded to some small portion of the seed space is just gravy. The protection given by the short salt is pretty thin. I can't give you specifics for how much damage this technique could do, but even a modest power reduction makes the 6-salt likely to be compromisable.
Attachment #156523 - Flags: superreview?(brendan)
Attachment #156523 - Flags: superreview?(brendan.eich)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: