ubuntu / authd

Authentication daemon for external Brokers
GNU Lesser General Public License v3.0

Use a password-based key derivation function to mitigate brute-force attacks against the local password #473

Closed adombeck closed 3 weeks ago

adombeck commented 3 weeks ago

Passwords set by the user should be protected against brute-force attacks by using a computationally expensive key derivation function. We currently don't use a key derivation function but encrypt the tokens directly with the (salted) user password.

UDENG-4058

adombeck commented 3 weeks ago

We currently don't use a key derivation function but encrypt the tokens directly with the (salted) user password.

That's incorrect; we actually do use scrypt to derive a key from the user password:

https://github.com/ubuntu/authd-oidc-brokers/blob/1a5fc29619fae63fddcb8ca3ad7dc51d08c52627/internal/broker/encrypt.go#L25-L25

That's a valid key derivation function, so this issue is obsolete.
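As an added illustration of the point settled above (not code from authd or the OIDC broker, whose actual parameters are in the linked encrypt.go), the block below derives a token-encryption key from the user password with scrypt, next to the naive salted hash the issue initially assumed. The scrypt cost parameters, the salt and the password are constructed values chosen for the example.

```python
import hashlib
import os

# Example cost parameters (assumed for this illustration, not authd's).
# Memory per derivation is 128 * n * r bytes, so n=2**14, r=8 is 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32  # 256-bit key for an AEAD such as AES-GCM


def scrypt_memory_bytes(n=SCRYPT_N, r=SCRYPT_R):
    """Approximate working memory scrypt needs for the given n and r.

    This is what makes each password guess expensive for an attacker:
    the cost cannot be collapsed into a cheap hash-per-core loop.
    """
    return 128 * n * r


def derive_token_key(password, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Derive a fixed-length key from the local password with scrypt.

    The salt must be random per user and stored alongside the ciphertext;
    the same (password, salt, n, r, p) always yields the same key.
    """
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=n,
        r=r,
        p=p,
        maxmem=2 * scrypt_memory_bytes(n, r),  # leave headroom above 128*n*r
        dklen=KEY_LEN,
    )


def naive_salted_key(password, salt):
    """The pattern the issue worried about: a plain salted hash.

    A single SHA-256 is cheap, so an offline attacker who obtains the
    encrypted tokens can test guesses orders of magnitude faster than
    against scrypt.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per-user salt
    key = derive_token_key("correct horse battery staple", salt)
    print(key.hex(), scrypt_memory_bytes())
```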