Security in Cancel-Lock password handling (secrets.conf)
Julien ÉLIE
julien at trigofacile.com
Mon Oct 4 19:55:22 UTC 2021
Hi all,
Two questions about security and what's the best thing to do with the
upcoming secrets.conf file containing:
    cancels {
        canlockuser: [ password anotherpassword ]
        canlockadmin: [ adminpassword anotheradminpassword ]
    }
1/ Can secrets.conf remain in memory (in a struct) or should it be
loaded, used, erased with explicit_bzero() and freed for each article
injection?
2/ For interoperability reasons, we need to send both sha1 and sha256
hashes. Yet RFC 8315 has the following MUST:
    If multiple <c-lock> elements are added to the Cancel-Lock header
    field by a single agent, each <c-lock> element MUST use a unique
    key "K" to improve security.
The rationale is that "a preimage attack on the different hash
algorithms may be easier if the attacker knows that the output of those
hash algorithms was created with the same input" (sha1 and sha256).
Which means that we MUST NOT use "adminpassword" for both sha1 and sha256.
Would the use of "sha1adminpassword" and "sha256adminpassword", for
instance by prepending a (publicly known) prefix to the password, be
good? (At least, it complies with the MUST.)
Otherwise, what would you suggest?
    cancels {
        canlockuser: [ password anotherpassword ]
        canlockadmin: [ adminpassword anotheradminpassword ]
        canlocksalt: XYZ
    }
which would use "adminpassword" for sha1 and "XYZadminpassword" for
sha256? XYZ would not be publicly known, but we have secrets sharing
the same suffix "adminpassword".
Or:
    cancels {
        canlockuser: [ password anotherpassword ]
        canlockadmin: [ adminpassword anotheradminpassword ]
        canlockuser2: [ passwordXX ]
        canlockadmin2: [ adminpasswordZZ anotheradminpasswordTT ]
    }
Maybe overkill... And more complex for the user.
This would permit having 2 different passwords though! (And yes, we can
have 2 passwords for sha1 and only 1 for sha256 in canlockuser2...)
Or a permutation? For instance "password" for sha1 and "cnffjbeq" for
sha256 (a ROT13 permutation).
--
Julien ÉLIE
« A man who is not married is incomplete; a man who is married is
finished. »
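
The first option raised in the message (a publicly known per-scheme prefix in front of the password), as an added example that is not part of the original post and is not INN's code. It assumes K is Base64(HMAC(secret, Message-ID)) computed with the scheme's own hash; the function names and the Message-ID used to exercise it are hypothetical.

```python
import base64
import hashlib
import hmac

# Hash functions for the two schemes the message wants to emit.
SCHEMES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def derive_key(scheme: str, password: str, message_id: str) -> str:
    """K for one scheme; the HMAC secret is '<scheme><password>' (assumption)."""
    secret = (scheme + password).encode()
    return b64(hmac.new(secret, message_id.encode(), SCHEMES[scheme]).digest())


def make_lock(scheme: str, key: str) -> str:
    """<c-lock> element: scheme ':' Base64(hash(K)), K taken in its Base64 text form."""
    return f"{scheme}:{b64(SCHEMES[scheme](key.encode('ascii')).digest())}"


def cancel_lock_header(passwords: list, message_id: str) -> str:
    """Body of a Cancel-Lock header: one <c-lock> per password and per scheme."""
    keys = [(s, derive_key(s, p, message_id)) for p in passwords for s in SCHEMES]
    # RFC 8315 MUST quoted above: each <c-lock> from one agent uses a unique K.
    if len({k for _, k in keys}) != len(keys):
        raise ValueError("duplicate K across <c-lock> elements")
    return " ".join(make_lock(s, k) for s, k in keys)


def cancel_key_matches(cancel_key: str, header: str) -> bool:
    """True if a <c-key> element ('scheme:K') hashes to a lock of the same scheme."""
    scheme, _, key = cancel_key.partition(":")
    if scheme not in SCHEMES:
        return False
    expected = make_lock(scheme, key)
    return any(hmac.compare_digest(expected, lock) for lock in header.split())
```

The uniqueness check in cancel_lock_header() also rejects a password listed twice, since that would yield the same K in two elements.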