thabet-fix / freemedforms

Automatically exported from code.google.com/p/freemedforms
Other
0 stars 0 forks source link

Password hashing is too weak #366

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
This issue was created by revision 11c26abf41fa.

>>> >> SHA-1 (used by FMF in /libs/utils/global.cpp to hash password) is a
>>> >> message digest, not a secure password hashing algorithm.
>>> >> see: 
http://www.infosecurity-magazine.com/view/14059/sha1-crypto-protocol-cracked-usi
ng-amazon-cloud-computing-resources/

The main problem was that Qt4.x does only include Md4, Md5 and SHA1 hashing 
methods. Qt5 introduces many more (SHA256).

Qt4.8 (default Qt version in wheezy & still in sid)

    http://qt-project.org/doc/qt-4.8/qcryptographichash.html

Qt5.3 (available in wheezy and sid)

    http://qt-project.org/doc/qt-5/qcryptographichash.html

The password hash are stored in the FMF user database.
We can store password in a prefixed string like this:

    <sha1-hash>         // for old compatibility
    <method>:<method-hash>      // updated password hash

Eg:
    sha256:<sha256-hash>    // updated sha256
    sha512:<sha512-hash>    // updated sha512

This will prohibit the retrocompatibility with a previous version in case of 
problems. As version <= 0.9.0 will not be able to check the passwords of users 
using more than SHA1 hashing method.

Original issue reported on code.google.com by eric.mae...@gmail.com on 27 Jul 2014 at 10:22

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 03975c370908.

Original comment by eric.mae...@gmail.com on 27 Jul 2014 at 4:09

GoogleCodeExporter commented 9 years ago
This issue was updated by revision f96fcdb5b23f.

Original comment by eric.mae...@gmail.com on 27 Jul 2014 at 9:01

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 18fe4c1e200d.

Password encryption: correcting Qt5 code (unit-tests)

Original comment by eric.mae...@gmail.com on 27 Jul 2014 at 9:01

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 660a95e7b7fa.

Renaming member: Utils::crypt -> Utils::nonDestructiveEncryption

Original comment by eric.mae...@gmail.com on 27 Jul 2014 at 11:00

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 40ad16fb9a9c.

Password encryption: better definition of available algorithm, unit-tests

Original comment by eric.mae...@gmail.com on 27 Jul 2014 at 11:00

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 3cbbb083c4de.

Using the new Password encryption method in the code
/!\ User connection not fully tested

Original comment by eric.mae...@gmail.com on 27 Jul 2014 at 11:00

GoogleCodeExporter commented 9 years ago
This issue was updated by revision f1a8970aa4c8.

Unit-testings

Original comment by eric.mae...@gmail.com on 27 Jul 2014 at 11:00

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 11f2510faf76.

We now need some testings migrating user database from 0.9.0 to the current 
development version.
Test should include SQLite & MySQL configurations

Original comment by eric.mae...@gmail.com on 27 Jul 2014 at 11:07

GoogleCodeExporter commented 9 years ago
This issue was updated by revision c22414e53ed2.

FIXME: Tag userbase version

Original comment by eric.mae...@gmail.com on 28 Jul 2014 at 7:33

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 106735793776.

Tagging user database version with the running Qt version.
This is required for the password hashing.
Check compatibility with database/running Qt versions.

Original comment by eric.mae...@gmail.com on 29 Jul 2014 at 7:35