[jira] [Commented] (CASSANDRA-13626) Check hashed password matches expected bcrypt hash format before checking

Wed, 30 Aug 2017 02:55:18 -0700 

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-13626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16146990#comment-16146990
 ] 

Sam Tunnicliffe commented on CASSANDRA-13626:
---------------------------------------------

bq.checkpw does an even worse job of failing nicely

In what way(s)? Checking with a few strings that would be caught by this 
validation, {{checkpw}} seems to behave as expected. 
This validation would help us detect that we have stored invalid hash values, 
so that could be useful in diagnosing unexpected auth failures & debugging 
their causes. That will obviously require logging when the validation fails 
before throwing the {{AuthenticationException}}, so we should separate it from 
the actual {{checkPw}} call.  

On the actual validation, the 22 character component is actually the salt, not 
the cost - the bcrypt format is {{$<id>$<cost>$<salt><digest>}}. Cost, salt and 
digest are all fixed length (2, 22 & 31 chars repectively), whereas id may be 1 
or 2 chars, though we have only ever used a version of jbcrypt that generates 
the 2 char variant. So we could simplify that check to {{length == 60}}. If 
{{checkpw}} *is* correctly returning false when the stored hash is invalid 
though, we only really need to do the validation on failure, in which case we 
could a more thorough check than simply looking at the length, if that's 
worthwhile.   


> Check hashed password matches expected bcrypt hash format before checking
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13626
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13626
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Auth
>            Reporter: Jeff Jirsa
>            Assignee: Jeff Jirsa
>            Priority: Minor
>             Fix For: 3.0.x, 3.11.x, 4.x
>
>
> We use {{Bcrypt.checkpw}} in the auth subsystem, but do a reasonably poor job 
> of guaranteeing that the hashed password we send to it is really a hashed 
> password, and {{checkpw}} does an even worse job of failing nicely. We should 
> at least sanity check the hash complies with the expected format prior to 
> validating.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to