New old vulnerability: Firefox password manager uses outdated SHA-1 for 9 years

    AdBlock Plus creator Vladimir Palant (Wladimir Palant) discovered a vulnerability in the Firefox browser and the Thunderbird mail client that allows their master password to be recovered by brute force. The source of the problem is the SHA-1 hashing mechanism used.

    More details about the vulnerability below.



    The essence of the problem


    On his blog, Palant describes the operation of the sftkdb_passwordToKey() function, which converts a user's password into an encryption key by hashing a string containing a salt and the master password itself. SHA-1 is used as the hash algorithm.

    The problem is that in Firefox and Thunderbird the hash function is applied only once, although generally accepted industry practice calls for at least 10 thousand iterations. LastPass, for example, uses 100 thousand.

    Modern GPUs calculate SHA-1 hashes extremely well. For example, one Nvidia GTX 1080 graphics card computes 8.5 billion SHA-1 hashes per second. According to research by Microsoft, the complexity of an ordinary user's password is about 40 bits. It turns out that guessing it takes about 2^39 attempts, which means that recovering a password of medium complexity will take about a minute.
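
    The arithmetic above, as an added example that is not code from Palant's post or from Mozilla: it sketches the single-pass derivation as the article describes it next to an iterated one, and shows how the iteration count scales the guessing time. PBKDF2-HMAC-SHA256, the function names, the sample salt and password, and costing one iteration as one hash evaluation are assumptions of this example.

```python
import hashlib
import math
import os

GPU_SHA1_PER_SEC = 8.5e9   # GTX 1080 rate quoted in the article
PASSWORD_BITS = 40         # average password complexity quoted in the article


def single_sha1_key(salt: bytes, password: bytes) -> bytes:
    """One SHA-1 pass over salt + password (sketch of the described behaviour)."""
    return hashlib.sha1(salt + password).digest()


def iterated_key(salt: bytes, password: bytes, iterations: int) -> bytes:
    """Iterated derivation; PBKDF2-HMAC-SHA256 is this example's choice."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def expected_guess_seconds(iterations: int, bits: int = PASSWORD_BITS,
                           rate: float = GPU_SHA1_PER_SEC) -> float:
    """Expected search time: half the keyspace, `iterations` hashes per guess.

    Assumption: each iteration costs one hash evaluation at `rate`.
    """
    return 2 ** (bits - 1) * iterations / rate


def iterations_for(target_seconds: float, bits: int = PASSWORD_BITS,
                   rate: float = GPU_SHA1_PER_SEC) -> int:
    """Smallest iteration count whose expected search time reaches the target."""
    return math.ceil(target_seconds * rate / 2 ** (bits - 1))


def report() -> list:
    """(iterations, seconds) for one pass and the two counts the article cites."""
    return [(n, expected_guess_seconds(n)) for n in (1, 10_000, 100_000)]


if __name__ == "__main__":
    salt = os.urandom(16)       # constructed sample salt
    pw = b"correct horse"       # constructed sample password
    print("single SHA-1:", single_sha1_key(salt, pw).hex())
    print("iterated    :", iterated_key(salt, pw, 100_000).hex())
    for n, secs in report():
        print(f"{n:>7} iterations: {secs:>12,.0f} s ({secs / 86400:,.1f} days)")
    print("iterations for a one-year search:", iterations_for(365 * 86400))
```

    Iteration count only multiplies the attacker's cost linearly, which is why the article later turns to a memory-hard function such as Argon2.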

    Not the first bug report


    Nine years ago, Justin Dolske reported this vulnerability to Mozilla by filing a bug report. Justin drew the developers' attention to the fact that such a small number of hash iterations poses a threat to the security of browser users. However, for some reason, the problem remained unsolved.

    The irony is that SHA-1 was still part of the browser even after Mozilla stopped supporting sites with certificates using this hashing algorithm in October 2016.

    The main reason was the possibility of a collision - a phenomenon in which two different blocks of data produce an identical hash. This made it possible to replace real certificates with fabricated ones. Experts stated the possibility of a "collision attack" back in 2012, predicting that by 2021 the resources for carrying it out would be within reach of the ordinary computing systems used in research institutes.

    And in early 2017, Google announced the first successful collision attack. As a result of the experiment, the Google team was able to get identical hashes for two different PDF documents. To carry out the attack, engineers first created a PDF prefix, and then used Google's massive technical resources to calculate the collision. In total, the company performed 9 quintillion SHA-1 computations.

    In connection with the successful replication of the collision attack, Google recommended that information security specialists start using the more secure hashing algorithms SHA-256 and SHA-3 as soon as possible.



    Potential Solution


    A response on the Mozilla forum came only after Vladimir Palant "resurrected" Justin Dolske's nine-year-old bug report. In response, the developers noted that the vulnerability would be fixed with the release of Lockbox - a new component for the password manager. For now, the utility is available as a separate extension that depends on Firefox Accounts.

    However, Palant himself suggested that the developers start using the Argon2 hashing algorithm, which makes multiple passes over memory. Argon2 was declared the winner of the Password Hashing Competition in 2015, in which participants developed a new password hashing function.

    Argon2 first hashes the password using the Blake2b hash function. The hash result is written into memory blocks, which are converted using the compression function G (it receives two 8192-bit blocks as an input, and produces a 1024-bit block), and as a result, a key is generated.

    The function is optimized for x86 architecture and utilizes the features of cache and memory organization in Intel and AMD processors. At the same time, Argon2 allows you to configure the number of iterations, the size of the result, the secret key, etc.


