You Shall (Maybe) Pass!

Transcript

1. You Shall (Maybe) Pass! Eric Mann

2. Poster by DirectArtPrint - https://amzn.to/2ZYAMGq

3. Authentication

4. None
5. None
6. None
7. None
8. None
9. None

10. Password Strength

11. (Full image slide with caption) Password Strength - xkcd -

    https://xkcd.com/936/

12. Information Entropy - https://www.itdojo.com/a-somewhat-brief-explanation-of-password-entropy/

13. Restrict passwords obtained from previously breached corpuses

14. Have I Been Pwned - https://haveibeenpwned.com/

15. Have I Been Pwned Password API - https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

16. Brute Force Protection

17. None
18. None

19. <?php $timeTarget = 0.05; // 50 milliseconds $cost = 8;

    do { $cost++; $start = microtime(true); password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost;

20. <?php $timeTarget = 0.05; // 50 milliseconds $cost = 1;

    do { $cost++; $start = microtime(true); password_hash("test", PASSWORD_ARGON2I, ["time_cost" => $cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost;

21. Secure Remote Passwords

22. None

23. PHP Example … in the July 2018 issue of php[architect]:

    https://www.phparch.com/magazine/2018-2/july/

24. $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES); $seed = sodium_crypto_pwhash(/* ... */); $keypair =

    sodium_crypto_kx_seed_keypair($seed); $public_key = sodium_crypto_kx_publickey($keypair); // POST this data to the server to register $registration = [ 'identifier' => $email, 'salt' => sodium_bin2hex($salt), 'public_key' => sodium_bin2hex($public_key) ]; SRP - Client Registration

25. $user = get_user_from_database($email); $keypair = sodium_crypto_kx_keypair(); $public_key = sodium_crypto_kx_publickey($keypair); $keys

    = sodium_crypto_kx_server_session_keys($keypair, $user->key); $client_secret = $keys[1]; $server_secret = $keys[0]; $message = random_bytes(32); $hash = sodium_crypto_generichash($message, $server_secret); $proof = sodium_bin2hex($message . $hash); SRP - Initialize Auth Challenge (Server)

26. $keys = sodium_crypto_kx_server_session_keys($keypair, $server_key); $client_secret = $keys[0]; $server_secret = $keys[1];

    $server_proof = sodium_hex2bin($server_proof); $message = substr($server_proof, 0, 32); $hash = substr($server_proof, 32); if (!hash_equals( sodium_crypto_generichash($message, $server_secret), $hash )) { exit; } SRP - Complete Auth Challenge (Client)

27. $keys = sodium_crypto_kx_server_session_keys($keypair, $server_key); $client_secret = $keys[0]; $server_secret = $keys[1];

    /* ... */ $message = random_bytes(32); $hash = sodium_crypto_generichash($message, $client_secret); $proof = sodium_bin2hex($message . $hash); SRP - Complete Auth Challenge (Client)

28. $client_proof = sodium_hex2bin($proof); $message = substr($client_proof, 0, 32); $hash =

    substr($client_proof, 32); if (!hash_equals( sodium_crypto_generichash($message, $client_secret), $hash )) { exit; } // Store the user's email in a session for subsequent requests $_SESSION['identifier'] = $email; SRP - Complete Auth Challenge (Server)

29. The node-sodium project is a JS port of Libsodium for

    use on Node-powered servers.

30. The libsodium.js project uses transpiling to convert the raw C

    code directly to WebAssembly for use in the browser!

31. In Review ... Something you are, know (, and have)

    Strong passwords are a must Strong hashing is a must If you can, avoid ever seeing or interacting with passwords

32. Questions?

33. Thank you [email protected] | 503.925.6266