
Feature #7646

New password encryption method

Added by Yannick Warnier over 4 years ago. Updated about 4 years ago.

Status: Feature implemented
Priority: Normal
Assignee:
Category: Global / Others / Misc
Target version:
Start date: 21/04/2015
Due date:
% Done: 100%
Estimated time: 10.00 h
Complexity: Normal
SCRUM pts - complexity: ?

Description

Currently, the strongest password encryption we have is SHA1, which is already considered insecure.

We need a new encryption method, or a new set of encryption methods.
Most complex (and secure) encryption methods nowadays use 2 parameters:
  • one salt
  • one number of encryption processes
This means that we need to add those two parameters to configuration.dist.php and then update all the code that deals with the current encryption method:
  • search for $_configuration['password_encryption']
  • check all remaining uses of "sha1" in the Chamilo code, just in case

Then modify (mainly) the api_get_encrypted_password() function in api.lib.php to be able to use other stuff than sha1.

An interesting place to look for algorithms is in main/inc/lib/phpseclib/Net and /Crypt

This might be added to 1.10.0 if we get the time to do so. Otherwise we'll just pass it to 2.0.

Julio, is there any existing library that we could use for that, integrating the current hashing algorithms we have (none, md5 and sha1) without too much difficulty?

Associated revisions

Revision dd947882 (diff)
Added by Julio Montoya over 4 years ago

Add symfony2 security encoders see #7646

- Add bcrypt encoder.
- Add password-compat if bcrypt is used in php < 5.5.
- New db fields: user.salt, user.username_canonical.
- Remove use of api_get_encrypted_password().
- During installation the UserManager::create_user() is now used.
- Add Repository and Manager classes for the user entity.
- Remove function encryptPass in cm_webservice.php
- Fix registration.soap.php

Revision 0f517ebf (diff)
Added by Yannick Warnier about 4 years ago

Fix missing password validation in profile edition - refs #7646

History

#1

Updated by Julio Montoya over 4 years ago

  • Assignee changed from Julio Montoya to Yannick Warnier

The security component of Symfony2 does the job.

It supports custom encoders and already has support for bcrypt, sha1.
I could integrate only that component.

http://symfony.com/doc/current/components/security/introduction.html
http://symfony.com/doc/current/components/security/authentication.html
http://symfony.com/doc/2.3/reference/configuration/security.html#reference-security-bcrypt

#2

Updated by Yannick Warnier over 4 years ago

  • Assignee changed from Yannick Warnier to Julio Montoya

How many hours do you estimate it might take you (approx)?

#3

Updated by Julio Montoya over 4 years ago

  • Assignee changed from Julio Montoya to Yannick Warnier

I think 1 or 2 hours. It is easier now because we already have entities added in the base code.

#4

Updated by Yannick Warnier over 4 years ago

  • Status changed from Needs more info to Assigned
  • Assignee changed from Yannick Warnier to Julio Montoya

OK, go ahead with this change then. Please make sure this integrates with the current encryption mechanisms we have in Chamilo (even if it takes a little longer): none, MD5 and SHA1 (yeah, I know, the first two are not encryption mechanisms), so a user can easily migrate to 1.10.x maintaining his current encryption method, but new installations can support at least one strong encryption method.

Please note that bcrypt requires PHP 5.5 or the composer installation of a compatibility module, so either use another method or install the compat module (I prefer avoiding the compat module until we move to a strict requirement of PHP 5.5, but I'll let you take the decision).
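The migration requirement above (keep verifying accounts stored with none, MD5 or SHA1, but move them to a strong method) is usually handled by verifying under the old method and re-hashing at the moment of a successful login, since that is the only time the plaintext is available. The following is an added example in PHP, not Chamilo's or Symfony's code; the function names (`legacyDigest()`, `verifyPassword()`), the `$method` values and the bcrypt cost are assumptions for the example, not Chamilo's `$_configuration` keys.

```php
<?php
// Added example (not Chamilo's or Symfony's code): verify a stored password
// under one of the legacy methods named in the thread ('none', 'md5', 'sha1')
// or under bcrypt, and on success return an upgraded bcrypt hash so the
// account migrates transparently at its next login.
// verifyPassword(), legacyDigest(), the $method values and BCRYPT_COST are
// assumptions for this example, not Chamilo's configuration keys.

declare(strict_types=1);

const BCRYPT_COST = 10; // assumed cost; raise it as the server's CPU budget allows

/**
 * Compute the legacy (unsalted) digest the old methods stored.
 * Returns null for an unknown method so the caller fails closed.
 */
function legacyDigest(string $plain, string $method): ?string
{
    switch ($method) {
        case 'none': return $plain;
        case 'md5':  return md5($plain);
        case 'sha1': return sha1($plain);
        default:     return null;
    }
}

/**
 * Verify $plain against $stored, where $method is the method that produced
 * $stored. Returns ['ok' => bool, 'rehash' => ?string]; 'rehash' is a fresh
 * bcrypt hash whenever the stored value should be replaced.
 */
function verifyPassword(string $plain, string $stored, string $method): array
{
    if ($method === 'bcrypt') {
        // bcrypt carries its own salt and cost inside the hash string.
        $ok = password_verify($plain, $stored);
        // Re-hash only if the cost parameter was raised since the hash was made.
        $rehash = ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]))
            ? password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
            : null;
        return ['ok' => $ok, 'rehash' => $rehash];
    }

    $expected = legacyDigest($plain, $method);
    if ($expected === null) {
        return ['ok' => false, 'rehash' => null];
    }
    // Constant-time comparison: a plain === leaks timing on legacy digests.
    $ok = hash_equals($expected, $stored);
    // A legacy match is the one moment the plaintext is in hand, so this is
    // where the upgrade to bcrypt happens.
    $rehash = $ok ? password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]) : null;
    return ['ok' => $ok, 'rehash' => $rehash];
}

// Constructed sample rows: an old sha1 account and an already-migrated one.
$users = [
    ['username' => 'legacy_user', 'method' => 'sha1',
     'password' => sha1('correct horse')],
    ['username' => 'new_user',    'method' => 'bcrypt',
     'password' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])],
];

foreach ($users as $u) {
    $result = verifyPassword('correct horse', $u['password'], $u['method']);
    printf("%-12s method=%-6s ok=%s migrate=%s\n",
        $u['username'], $u['method'],
        $result['ok'] ? 'yes' : 'no',
        $result['rehash'] !== null ? 'yes' : 'no');
    // When 'ok' is true and 'rehash' is not null, persist $result['rehash']
    // and switch that user's method to 'bcrypt' (the UPDATE is left out here).
}
```

Only the first row verifies with the sample password, and because it was stored as unsalted SHA1 it also comes back with a bcrypt replacement; the bcrypt row fails the verification and is left untouched. Keeping the per-user method next to the hash is what lets an upgraded installation accept both kinds of account at once.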

#5

Updated by Julio Montoya over 4 years ago

Yannick Warnier wrote:

OK, go ahead with this change then. Please make sure this integrates with the current encryption mechanisms we have in Chamilo (even if it takes a little longer): none, MD5 and SHA1 (yeah, I know, the first two are not encryption mechanisms), so a user can easily migrate to 1.10.x maintaining his current encryption method, but new installations can support at least one strong encryption method.

Please note that bcrypt requires PHP 5.5 or the composer installation of a compatibility module, so either use another method or install the compat module (I prefer avoiding the compat module until we move to a strict requirement of PHP 5.5, but I'll let you take the decision).

No need to do that.
I found this:

In Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder

        if (!function_exists('password_hash')) {
            throw new \RuntimeException('To use the BCrypt encoder, you need to upgrade to PHP 5.5 or install the "ircmaxell/password-compat" via Composer.');
        }

This package "ircmaxell/password-compat" seems to resolve that problem.

#6

Updated by Yannick Warnier over 4 years ago

That's what I meant by a "compatibility module" :-p

#7

Updated by Julio Montoya over 4 years ago

  • Status changed from Assigned to Needs more info
  • Assignee changed from Julio Montoya to Yannick Warnier

In main/admin/user_list.php there's code that detects "easy passwords".

This code will not work with the new changes because we use a salt to check the password.
It means that to validate a password, 2 fields are needed: the user salt and the user password.

#8

Updated by Yannick Warnier over 4 years ago

  • Status changed from Needs more info to Assigned
  • Assignee changed from Yannick Warnier to Julio Montoya
  • % Done changed from 0 to 30

Just check the password field in this case (the salt is not important in the sense that it is used to hash the rest and it will not be asked to the user trying to enter the platform).
Make sure there is a mechanism to offer a default random hash (otherwise we'll confuse the user). Actually, the hash itself could simply be generated automatically. You don't need to ask the user at all (don't even show it in the form). It's internal.

#9

Updated by Julio Montoya over 4 years ago

  • Assignee changed from Julio Montoya to Yannick Warnier

Yannick Warnier wrote:

Just check the password field in this case (the salt is not important in the sense that it is used to hash the rest and it will not be asked to the user trying to enter the platform).
Make sure there is a mechanism to offer a default random hash (otherwise we'll confuse the user). Actually, the hash itself could simply be generated automatically. You don't need to ask the user at all (don't even show it in the form). It's internal.

As far as I read, I need the salt to validate/compare passwords. So I have to ask for every user if their password is easy or not (in admin/user_list.php). If the salt is empty it will work, but not for users with a salt.
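The disagreement in comments #7 to #9 comes down to where the salt lives. A salted digest encoder keeps it in a separate column (the new user.salt field), so an audit that re-hashes candidate passwords must read both fields; bcrypt embeds its salt and cost in the hash string, so `password_verify()` needs only the password field, and the salt is never something a user sees or types. The following is an added PHP example, not Chamilo's or Symfony's code: the salted SHA1 layout follows Symfony's MessageDigestPasswordEncoder (`password.'{'.salt.'}'`, stretched, base64 output), but the iteration count is an assumed default, and `findEasyPassword()`, `saltedSha1()`, `bcryptSalt()`, the candidate list and the sample users are all constructed for the example.

```php
<?php
// Added example (not Chamilo's or Symfony's code): an "easy password" audit
// that works for both storage layouts discussed in the thread. For a salted
// SHA1 digest the stored salt column is required to rebuild the digest; for
// bcrypt the salt is inside the hash string, so only the password field is
// needed. Function names, the candidate list and the sample users are
// constructed for this example; the 5000 iterations are an assumed default.

declare(strict_types=1);

// Constructed list of candidate easy passwords for the audit.
const EASY_PASSWORDS = ['123456', 'password', 'chamilo', 'admin'];

/** Salted, stretched SHA1 digest in the Symfony MessageDigest style. */
function saltedSha1(string $plain, string $salt, int $iterations = 5000): string
{
    $salted = $salt === '' ? $plain : $plain . '{' . $salt . '}';
    $digest = hash('sha1', $salted, true);
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash('sha1', $digest . $salted, true);
    }
    return base64_encode($digest);
}

/** Pull the 22-character salt out of a bcrypt hash ("$2y$cost$salt..."). */
function bcryptSalt(string $hash): ?string
{
    return preg_match('/^\$2[aby]\$\d{2}\$(.{22})/', $hash, $m) ? $m[1] : null;
}

/**
 * Return the matching easy password for a user row, or null.
 * For 'bcrypt' the salt column is ignored; for 'sha1' it is required.
 */
function findEasyPassword(array $user): ?string
{
    foreach (EASY_PASSWORDS as $candidate) {
        if ($user['method'] === 'bcrypt') {
            // Salt and cost are read from the stored string by password_verify().
            if (password_verify($candidate, $user['password'])) {
                return $candidate;
            }
        } elseif ($user['method'] === 'sha1') {
            $digest = saltedSha1($candidate, $user['salt']);
            if (hash_equals($user['password'], $digest)) {
                return $candidate;
            }
        }
    }
    return null;
}

// Constructed sample users. Salts are random per user and generated
// internally, never shown in a form, as comment #8 recommends.
$saltA = bin2hex(random_bytes(8));
$users = [
    ['username' => 'alice', 'method' => 'sha1',   'salt' => $saltA,
     'password' => saltedSha1('chamilo', $saltA)],
    ['username' => 'bob',   'method' => 'bcrypt', 'salt' => '',
     'password' => password_hash('123456', PASSWORD_BCRYPT, ['cost' => 10])],
    ['username' => 'carol', 'method' => 'bcrypt', 'salt' => '',
     'password' => password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10])],
];

foreach ($users as $u) {
    $hit = findEasyPassword($u);
    $salt = $u['method'] === 'bcrypt' ? bcryptSalt($u['password']) : $u['salt'];
    printf("%-6s %-6s salt=%s easy=%s\n", $u['username'], $u['method'],
        $salt, $hit ?? '-');
}
```

Running this flags alice (salted SHA1, salt read from her row) and bob (bcrypt, salt read out of the hash string) and clears carol. It also makes the cost visible: every bcrypt check is a full bcrypt computation, so auditing N users against M candidates costs N×M of them, which is why simply disabling the feature for bcrypt accounts, as comment #10 settles on, is the pragmatic choice rather than a loss.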

#10

Updated by Yannick Warnier about 4 years ago

  • Status changed from Assigned to Feature implemented
  • Assignee changed from Yannick Warnier to Julio Montoya
  • % Done changed from 30 to 100

OK, the main/admin/user_list.php feature can be forgotten in case of bcrypt (just disable this feature there). I was talking specifically about the password recommendation on the profile edition page (which was broken). I just fixed that with https://github.com/chamilo/chamilo-lms/commit/0f517ebf1e7d67470b604dcbb7aee903e38ec30e. Closing the task. Good job over the new authentication mechanism!
