Mantis Bug Tracker

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0006046opensim[GRID] User Servicepublic2012-06-09 16:522012-06-10 06:35
ReporterSignpostMarv 
Assigned To 
PrioritynormalSeveritytweakReproducibilityN/A
StatusnewResolutionopen 
PlatformOSOS Version
Product Versionmaster (dev code) 
Target VersionFixed in Version 
Summary0006046: seamless migration of password hash & salt from md5 to sha-512
DescriptionDecided to see if it was possible to seamlessly migrate from md5 salting to sha-512 salting. Works as expected, although the attached patch should be considered incomplete as I'm unfamiliar with the MSSQL/SQLITE syntax for altering db field lengths.

I'm not a security expert by any means, but I'm led to believe sha-512 is considered more secure than md5.

Downside to this change is it'll break any software that directly reads the authentication table on the assumption it's an md5 hash (e.g. any front ends that don't check logins via a c# module)
TagsNo tags attached.
Git Revision or version number8a8755605587ca321b950d108c7bea92c8e330b7
Run ModeStandalone (1 Region)
Physics EngineBasicPhysics
Environment.NET / Windows64
Mono VersionNone
Viewer
Attached Filespatch file icon SHA512-Auth.patch [^] (5,806 bytes) 2012-06-09 16:52 [Show Content]

- Relationships

-  Notes
(0021642)
melanie (administrator)
2012-06-10 06:35

I don't see a need for this patch. Neither the salt nor the salted hash are ever communicated to clients, so they don't present a target for cracking. The only reason passwords are salted at all is he case where the entire database is compromised. Although md5 has been broken for some cases, the probability of breaking the salted hashes algorithmically is negligibly small.
The over-the-wire password sent by the client is sent as a simple md5 hash and this is where the real issue lies. If this password can be intercepted, algorithmic reversal of digesting and/or brute forcing can be attempted. However, this is something that is under client control and one really should not trust grids that don't offer a https:// loginuri.
Im my opinion this patch creates needless hardship for 3rd party modules; needless because there is no measurable gain in security.

-1 as a mandatory change for everyone

I would consider the patch if it were supplied as an optional function in an alternative authentication module for grids to migrate to if they want to, but not as changes against the main module.

- Issue History
Date Modified Username Field Change
2012-06-09 16:52 SignpostMarv New Issue
2012-06-09 16:52 SignpostMarv File Added: SHA512-Auth.patch
2012-06-10 06:35 melanie Note Added: 0021642


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker