pbkdf2 icon indicating copy to clipboard operation
pbkdf2 copied to clipboard
verified publisher icon browserify

DoS with long password

Open Sc00bz opened this issue 7 years ago • 11 comments

If you enter a long password it will take significantly longer. This runs in O(pwLen * rounds) time instead of in O(pwLen + rounds) time.

Ideally you'd want to do a cached HMAC for a 2x speed increase (on normal sized passwords):

var cachedCtx = createHmac(digest, password)

...

-var T = createHmac(digest, password).update(block1).digest()
+var T = "cachedCtx.clone()".update(block1).digest()

...

-U = createHmac(digest, password).update(U).digest()
+U = "cachedCtx.clone()".update(U).digest()

Their are some problems with the "create-hmac" package and once those are fixed cached HMAC will be the best way to go. See https://github.com/crypto-browserify/createHmac/pull/27. Also I do not know the proper way to clone an object in Node.js. Thus the quotes around cachedCtx.clone().

Sc00bz avatar Oct 12 '18 13:10 Sc00bz

ok so the fist big issue is that you can't actually clone node crypto objects like this, but there is a reason we aren't actually using createHmac here and it's becasue it has a bunch of overhead related to streaming object creation that we didn't want which means that we probably can fix this in the library.

that being said looking at how we use the hmac and how the hmac works are you sure that applies here ?

calvinmetcalf avatar Oct 12 '18 17:10 calvinmetcalf

Sorry I removed the reference to the lines of code https://github.com/crypto-browserify/pbkdf2/blob/master/lib/sync.js#L36-L40

Sc00bz avatar Oct 12 '18 23:10 Sc00bz

ah so funny enough that will never actually use the create-hmac library because that only runs in node so it probably wont help

On Fri, Oct 12, 2018 at 7:39 PM Steve Thomas [email protected] wrote:

Sorry I removed the reference to the lines of code https://github.com/crypto-browserify/pbkdf2/blob/master/lib/sync.js#L36-L40

— You are receiving this because you commented.

Reply to this email directly, view it on GitHub https://github.com/crypto-browserify/pbkdf2/issues/82#issuecomment-429490285, or mute the thread https://github.com/notifications/unsubscribe-auth/ABE4n8FhzQU8Fbz9ZvkW3AzZacOKF6mNks5ukSgsgaJpZM4XZdfa .

calvinmetcalf avatar Oct 13 '18 01:10 calvinmetcalf

This library is pretty complex as it handles several different scenarios:

  • in node.js but an old one that doesn't support some of the newer features
  • the browser in synchronous mode or in browser that doesn't support webcypto
  • the browser asynchronously via web crypto

so it's not necessarily obvious at first glance what code path will be taken it what environment but I believe I actually tested this back in the day and it was faster to create a node.js hmac object then to use a non streaming one because the node.js one would use a native hmac function while in the browser it wouldn't.

calvinmetcalf avatar Oct 15 '18 17:10 calvinmetcalf

Unfortunately, the Hmac class does not have the copy method as the Hash class:

Bildschirmfoto 2020-06-03 um 23 28 49

But what could be pulled out of the loop is this key normalization https://github.com/crypto-browserify/pbkdf2/blob/v3.1.0/lib/sync-browser.js#L26-L30, such that the native hmac always gets the correct key length.

webmaster128 avatar Jun 03 '20 21:06 webmaster128