Netgate Discussion Forum

2.6.0 'feature': Use SHA-512 for user password hashes

Category: CE 2.7.0 Development Snapshots (Retired)
6 Posts, 3 Posters, 1.5k Views
    mkcharlie, last edited by Feb 14, 2022, 6:18 PM

    Hi,

    Not sure I understand this change: https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html#authentication .

    At least, I hope I don't understand it. Was the hashing algorithm for user passwords really downgraded from bcrypt to SHA512? I checked the linked ticket, but there is a very strange explanation not related to passwords at all. It is just linking to a generic advice about secure hashing functions. There is a huge difference between hashing for, let's say, signatures and other integrity checks versus hashing user passwords. One of the important points for password hashing is that the algorithm must be slow. Bcrypt is slow (of course, depending on the config / number of rounds etc.). SHA512 is blazingly fast.

    The fact that this change made the release worries me a bit. Any comments on this?

    Kr

    enabled services:

    • snort
    • pfblockerNG
      jimp (Rebel Alliance Developer, Netgate), last edited by Feb 14, 2022, 6:49 PM

      It's pretty much a toss up when it comes to bcrypt and SHA-512. FreeBSD currently uses SHA-512 and we tend to follow their lead. Older SHA hash algorithms were less desirable but SHA-512 is considered roughly equivalent to bcrypt last I saw, primarily due to its reliance on 64-bit operations.

      Also IIRC SHA-512 hashing doesn't suffer from bcrypt's character limit on password length. The bcrypt hash stops somewhere around 70-72 chars which may be a lot for some passwords but not necessarily for people who use passphrases. And length is more desirable for security over complexity in current NIST and other recommendations.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        Sc00bz, last edited by Feb 16, 2022, 4:17 PM

        Hi mkcharlie, your confusion as to why they would switch from bcrypt to "SHA-512" is understandable. I also thought they switched to a fast cryptographic hash, but they seem to not like using the algorithm's name, "sha512crypt". This algorithm should never be used because long passwords will cause a DoS because it runs in O(pwLen^2+pwLen*rounds) time. Also the settings used for sha512crypt (5000 rounds) and bcrypt (cost 10) make this change 100x to 200x easier to crack.

        If they don't like bcrypt and don't want to do pre-hashing (e.g. "bcrypt(sha512_hmac_hex_output(key:"netgate", message:password))"), then using PBKDF2-HMAC-SHA512 is at least not broken (assuming they don't hit any of its footguns). If they do switch to PBKDF2-HMAC-SHA512, then they should use at least 450000 iterations to match the strength of bcrypt cost 10. For more info and progress on this see issue 12800.

        -Steve

          mkcharlie @Sc00bz, last edited by Feb 16, 2022, 5:06 PM
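A defender-side sketch of the migration logic implied by the post above, added here as an example and not code from pfSense or from any poster: it derives hashes with PBKDF2-HMAC-SHA512 at the 450,000 iterations suggested there, verifies them in constant time, and flags stored sha512crypt, low-cost bcrypt, or under-iterated PBKDF2 hashes for re-hashing at the next successful login. The `$pbkdf2-sha512$` storage prefix, the function names and the length cap are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# From the post above: ~450,000 PBKDF2-HMAC-SHA512 iterations is the stated
# equivalent of bcrypt cost 10. The "$pbkdf2-sha512$" prefix and the helpers are
# assumptions of this example, not a pfSense format or pfSense code.
PBKDF2_ITERATIONS = 450_000
BCRYPT_MIN_COST = 10
PREFIX = "$pbkdf2-sha512$"
MAX_PASSWORD_BYTES = 1024  # bound the work per attempt instead of hashing anything

def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return '$pbkdf2-sha512$<iterations>$<salt hex>$<dk hex>' for storage."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", pw, salt, iterations, dklen=64)
    return f"{PREFIX}{iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute the derived key for the stored parameters and compare in constant time."""
    if not stored.startswith(PREFIX):
        return False
    try:
        iters_s, salt_hex, dk_hex = stored[len(PREFIX):].split("$")
        iterations, salt = int(iters_s), bytes.fromhex(salt_hex)
    except ValueError:
        return False
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    dk = hashlib.pbkdf2_hmac("sha512", pw, salt, iterations, dklen=64)
    return hmac.compare_digest(dk.hex(), dk_hex)

def needs_rehash(stored):
    """True if a stored hash is below policy and should be replaced at next login."""
    if stored.startswith("$6$"):  # sha512crypt: always migrate away from it
        return True
    m = re.match(r"^\$2[aby]\$(\d{2})\$", stored)
    if m:  # bcrypt: keep only if the cost parameter meets the floor
        return int(m.group(1)) < BCRYPT_MIN_COST
    if stored.startswith(PREFIX):
        head = stored[len(PREFIX):].split("$")[0]
        return not head.isdigit() or int(head) < PBKDF2_ITERATIONS
    return True  # unknown or legacy scheme
```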

          @sc00bz thanks for the link to https://redmine.pfsense.org/issues/12800 . It's my point exactly. So I guess it will be tracked and hopefully fixed there.

            jimp (Rebel Alliance Developer, Netgate), last edited by Feb 23, 2022, 2:31 PM

            I'm adding a choice to the GUI to allow the user to choose between bcrypt and sha512, and the default will be changed back to bcrypt. This way those who prefer one or the other can opt for whichever method they wish.

            It should be in snapshots later this week.

            https://redmine.pfsense.org/issues/12855

              jimp (Rebel Alliance Developer, Netgate), last edited by Feb 23, 2022, 5:06 PM

              This has been merged and will be in snapshots soon.

              For those who would like to try it out, even on 22.01/2.6.0, install the System Patches package and then create entries for 961f240c18f8421b0a28ee192ffa041e754e8f8e and then 8ddf2b5a999772754080825f07acf9b6326f1f04 to apply the fix.

              Apply 961f240c18f8421b0a28ee192ffa041e754e8f8e first followed by 8ddf2b5a999772754080825f07acf9b6326f1f04

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.