Jeremy Spilman recently proposed changes to how user's hashes are stored in website's and companies databases. This post was originally going to look at some of the issues involved in the scheme he envisioned, however, he rather quickly posted a followup article with a well thought out solution that countered all of the issues that other people and myself were able to come up with. I'd strongly recommend reading both if you haven't done so. Instead of announcing flaws, I'm turning this into a post with a simple functional implementation of the described scheme in Ruby using DataMapper.
At first I'd like to point out that this is one of those few examples where a form of security through obscurity is actually increasing not only the perceived security but the cost to attack a system as well.
Please note this code is a minimal, functional, example and should not be used in production. It is missing a lot of things that I personally would add before attempting to use this but that is an exercise for the reader. It is licensed under the MIT license. I'll walk through the code briefly afterwards going over some bits.
# encoding: utf-8 require "rubygems" # You only need this if you use bundler require "dm-core" require "dm-migrations" require "dm-sqlite-adapter" require "dm-validations" require "scrypt" DataMapper.setup :default, "sqlite:hash.db" class User include DataMapper::Resource property :id, Serial property :username, String, :required => true, :unique => true property :crypt_hash, String, :required => true, :length => 64 property :salt, String, :required => true, :length => 25 def check_password(plaintext_password) encrypted_hash = scrypt_helper(plaintext_password, self.salt) hash_obj = SiteHash.first(:crypt_hash => encrypted_hash) if hash_obj.nil? puts "Invalid password" return false end verification_hash = scrypt_helper(plaintext_password, hash_obj.salt) if self.crypt_hash == verification_hash return true else puts "WARNING: Found matching hash, but verification failed." return false end end def password=(plaintext_password) generate_salt encrypted_password = SiteHash.new encrypted_password.crypt_hash = scrypt_helper(plaintext_password, self.salt) encrypted_password.save self.crypt_hash = scrypt_helper(plaintext_password, encrypted_password.salt) end private def generate_salt self.salt = SCrypt::Engine.generate_salt(:max_time => 1.0) end def scrypt_helper(plaintext_password, salt) SCrypt::Engine.scrypt(plaintext_password, salt, SCrypt::Engine.autodetect_cost(salt), 32).unpack('H*').first end end class SiteHash include DataMapper::Resource property :id, Serial property :crypt_hash, String, :required => true, :length => 64 property :salt, String, :required => true, :length => 25 def initialize(*args) super generate_salt end private def generate_salt self.salt = SCrypt::Engine.generate_salt(:max_time => 1.0) end end DataMapper.finalize DataMapper.auto_upgrade!
I tried to keep this as a simple minimum implementation without playing golf. Strictly speaking the validations on the data_mapper models aren't necessary and could have been removed, in this case, however, the length fields do actually indicate a bit more of what you might expect to see in the database, while the requires are just good habits living on.
Both of the two models are required to have both a salt and a hash, the name ‘crypt_hash’ was chosen do too a conflict with one of data_mapper's reserved words ‘hash’, the same goes for the model name, however, that class comes from elsewhere. Raw scrypt'd hashes are 256 bits long or 64 hex characters long, while the salts are 64 bits (16 hex characters) plus some meta-data totaling 25 hex characters in this example.
Salts are hashes are computed by the ‘scrypt’ gem. In this example I've bumped up the max time option to create a hash from the default of 0.2 seconds up to 1 second. This is one of those things that I could have left out as the default is fine for an example, but it also couldn't hurt slightly increasing it in case someone did copy-paste this into production.
The one thing that I'd like to point out is a couple of ‘puts’ statements I dropped in the check_password method on the User model. The first one simply announces an invalid password. A lot of these could indicate a brute force attack. The second one is more serious, it indicates that there is either a bug in the code, a hash collision has occurred, or an attacker has been able to drop in hash of their choosing into the site_hashes table, but haven't updated the verification hash on the user model yet. I'd strongly recommend reading through both of Jeremy's posts if you want to understand how this threat works and specifically the second post to see how the verification hash protects what it does.
So how would you use this code? Well you'd want to create a user with a password and then check if their password is valid or not later on like so:
User.create(:username => 'admin', :password => 'admin') User.first(:username => 'admin').check_password('admin')
One of the key ways this separation increases the security of real users hashes is by having a large number of fake hashes in the hash table that the attackers will have to crack at the same time. As a bonus I've written a module to handle just that for the code I've already provided. Once again this is licensed under the MIT license and should not be considered production ready.
# This is the code above, you can also include everything below # this in the same file if you're into that sort of thing require "user_hash_example" module HashFaker def self.fast_hash SiteHash.create(:crypt_hash => get_bytes(32)) end def self.hash SiteHash.create(:crypt_hash => scrypt_helper(get_bytes(24), generate_salt)) end def self.generate_hashes(count = 5000, fast = false) count.times do fast ? fast_hash : hash end end private def self.generate_salt SCrypt::Engine.generate_salt(:max_time => 1.0) end def self.get_bytes(num) OpenSSL::Random.random_bytes(num).unpack('H*').first end def self.scrypt_helper(plaintext_password, salt) SCrypt::Engine.scrypt(plaintext_password, salt, SCrypt::Engine.autodetect_cost(salt), 32).unpack('H*').first end end