Identityserver4: Secret Hashing

A salt is to thwart dictionary-style attacks. Given that we're using high entropy secrets, a salt isn't really necessary.

Sorry -- I should have added that if you disagree, please feel free to express your concerns.

Right - the recommendation for client secrets is to use random numbers - which already have a high enough entropy.

Maybe I'm just old school but without a salt, if two clients used the same secret, then they'd end up with the same "Sha256" value. Correct?

True. But secrets should be random keys to start with.

Sent from my iPhone

On 12.09.2016, at 14:29, dpbevin [email protected] wrote:

Maybe I'm just old school but without a salt, if two clients used the same secret, then they'd end up with the same "Sha256" value. Correct?

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

Also, you should be generating these from your client registration. Look into this API: https://github.com/IdentityModel/IdentityModelv2/blob/dev/src/IdentityModel/CryptoRandom.cs#L34

Thanks for the tip

I share the same concern as @dpbevin, though I admit that I am very new to IdentityServer/OAuth/OpenId Connect. It seems that we should be using salts and a more secure algorithm to hash the secrets, not because the secrets aren't high enough entropy, but in order to prevent brute force attacks if, say, the database storing the secrets were to become compromised. Am I thinking about this incorrectly or missing something?

A 128 bit entropy secret hashed once should be sufficient. If you have anything to show this is not sufficient, please share. Also, you can always use a larger key space.

I have nothing to share at this time that would prove this to be insufficient. I suppose that I'm just a bit paranoid of the situation in which vulnerabilities or implementation errors do happen to be found with Sha256. While salts may not necessarily be a cure-all depending on the type of vulnerability, I would imagine that they could end up helping to minimize the attack surface and overall exposure at a relatively low cost if such a situation were to arise, no?

If Sha256 is vulnerable we'll have bigger problems than our client secrets ;)

Anyways - you can use Sha512 as well - just make sure the secrets have a good entropy to start with - or implement your own secret validator with your preferred hashing algorithm.

Good point.. I appreciate your feedback! Thanks for everything you guys do!

@leastprivilege @brockallen The vulnerability is not within SHA256 but hashing function weaknesses in general when not leveraging a salt. Many pre-computed databases of common hash functions exist that allow for an attacker to simply lookup a hash to know the pre-hashed string. E.g. Rainbow tables. The issue is not in remotely brute forcing against IdentityServer but an attacker whom is able to compromise ID Secrets database and then gather pre-hash secrets/passwords via a simple lookup in a table. I just wanted to add this note so that if any other developers find this they know unsalted hashes used for authentication is not a best practice. You can obviously work around this with your own modifications in IdentityServer but I would recommend this not be how IdentityServer works by default as plenty of people are probably not fixing this themselves.

My client secret is TNW+nxBGh/WRwE3XOpK8iicEtwA1detrhBwJUDGKuOo=. Do you know of any lookup tables that contain a pre-calculated hash of values like that?

@scottbrady91 As a lead in Identity and Access control it is your position that you should not salt hashes that are used for authentication?

For from it. But I'm failing to see how your concerns address Brock's previous statements:

A salt is to thwart dictionary-style attacks. Given that we're using high entropy secrets, a salt isn't really necessary.

A 128 bit entropy secret hashed once should be sufficient. If you have anything to show this is not sufficient, please share. Also, you can always use a larger key space.

Many pre-computed databases of common hash functions exist that allow for an attacker to simply lookup a hash to know the pre-hashed string. E.g. Rainbow tables

The size of said database would be large:

Look at this way: Suppose you could somehow get this algorithm to run a quintillion times faster, so it finishes in under a year. Your output file is going to be 2¹²⁸ × 16 = 2¹³² bytes in size. That's around 10²⁷ terabytes. One terabyte of SSD storage weighs around 100 grams. The mass of the earth is 10²⁴ kilograms. Therefore, before you run this program, you will need to acquire 100 earth-sized planets and convert them all to SSDs.

from: https://blogs.msdn.microsoft.com/oldnewthing/20131029-00/?p=2803/

Salting is to address collisions in the secret, and is useful when the secret is human created (not machine created).

I hear you guys, I guess I was coming from the perspective of a salt could help people that do not know better but probably the better thing is just making more clear in the documentation how to generate a proper secret. One quick Q what function were you recommending above in CryptoRandom.cs as the link is old? Thanks much

It's the CryptoRandom class in IdentityModel.

Adding Salt property in the client object will make Databases that store passwords/secrets compliant. Not supporting this functionality creates a lot of compliance issues.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.