Security in Cancel-Lock password handling (secrets.conf)

Julien ÉLIE julien at trigofacile.com
Mon Oct 4 20:57:42 UTC 2021


Hi Richard,

>> 1/ Can secrets.conf remain in memory (in a struct) or should it be 
>> loaded, used, erased with explicit_bzero() and freed for each article 
>> injection?
> 
> nnrpd is network-facing so destroying secrets when not in use seems like 
> a good strategy.  Recall that part of what made Heartbleed so bad was 
> that it could be used to exfiltrate long-term secret keys from the 
> victim server.

OK, seems reasonable to destroy secrets after their use.



>> 2/ For interoperability reasons, we need to send both sha1 and sha256 
>> hashes.  Yet RFC 8315 has the following MUST:
>>
>>     If multiple <c-lock> elements are added to the Cancel-Lock header
>>     field by a single agent, each <c-lock> element MUST use a unique
>>     key "K" to improve security.
>>
>> The rationale is that "a preimage attack on the different hash 
>> algorithms may be easier if the attacker knows that the output of 
>> those hash algorithms was created with the same input" (sha1 and sha256).
>>
>> Which means that we MUST NOT use "adminpassword" for both sha1 and 
>> sha256.
> 
> The RFC8315 s4 example for calculating K will produce distinct K for 
> distinct hashes, _assuming_ that the HMAC is parameterized by the same 
> hash function as will be used to compute the c-lock-string. (IMO it 
> would be perverse to violate this assumption.)

As this is not a requirement, it may happen...

    Note that the hash algorithm used as the base for the HMAC operation
    is not required to be the same as that specified by <scheme>.


> i.e.
>   K1 = HMAC-SHA1(adminpassword, uid+mid)
>   c-lock-string#1 = Base64(SHA-1(Base64(K1)))
>   K2 = HMAC-SHA256(adminpassword, uid+mid)
>   c-lock-string#2 = Base64(SHA-256(Base64(K2)))
> 
> K1 and K2 won't even be the same length.

Hmm, yes you're right, K1 and K2 are different.
It is indeed the case with Michael's libcanlock, which we'll use for 
INN.  The HMAC is parameterized by the same hash function.

That's perfect!  Thanks for your answers.

-- 
Julien ÉLIE

« Once nothing is nothing; twice nothing is not much, but for
   three times nothing you can already buy something, and
   cheaply. » (Raymond Devos)
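
The derivation discussed in this message, as an added example that is not part of the original thread and is not code from INN or libcanlock: it builds both c-lock elements with the HMAC parameterized by each scheme's own hash, and rejects the configuration in which one HMAC hash would feed both schemes and so reuse K. Function names, the uid and the Message-ID are constructed for illustration; the secret is used as the HMAC key, following the notation quoted above.

```python
import base64
import hashlib
import hmac

SCHEMES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

def derive_key(secret: bytes, uid: str, mid: str, hmac_hash: str) -> bytes:
    """K = HMAC-<hmac_hash>(secret, uid+mid), with the secret as HMAC key."""
    return hmac.new(secret, (uid + mid).encode(), SCHEMES[hmac_hash]).digest()

def c_lock(scheme: str, key: bytes) -> str:
    """One Cancel-Lock element: <scheme>:Base64(<scheme>(Base64(K)))."""
    digest = SCHEMES[scheme](base64.b64encode(key)).digest()
    return f"{scheme}:{base64.b64encode(digest).decode()}"

def c_key(scheme: str, key: bytes) -> str:
    """The matching Cancel-Key element: <scheme>:Base64(K)."""
    return f"{scheme}:{base64.b64encode(key).decode()}"

def build_locks(secret, uid, mid, hmac_for=None):
    """Return ({scheme: K}, [c-lock elements]); refuse a K shared by two elements."""
    hmac_for = hmac_for or {s: s for s in SCHEMES}  # default: HMAC hash == scheme hash
    keys = {s: derive_key(secret, uid, mid, hmac_for[s]) for s in SCHEMES}
    if len(set(keys.values())) != len(keys):
        raise ValueError("same K used for several c-lock elements")
    return keys, [c_lock(s, k) for s, k in keys.items()]

def verify(cancel_key: str, lock_elements) -> bool:
    """Check a received c-key element against the original article's c-locks."""
    scheme, _, b64key = cancel_key.partition(":")
    if scheme not in SCHEMES:
        return False
    digest = SCHEMES[scheme](b64key.encode()).digest()
    expected = f"{scheme}:{base64.b64encode(digest).decode()}"
    return any(hmac.compare_digest(expected, e) for e in lock_elements)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread or from INN.
    keys, locks = build_locks(b"adminpassword", "jdoe", "<12345@mid.example>")
    print("Cancel-Lock:", " ".join(locks))
    print("Cancel-Key: ", " ".join(c_key(s, k) for s, k in keys.items()))
```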

