Translation: How Dropbox securely stores your passwords

How Dropbox securely stores your passwords

Devdatta Akhawe, September 21, 2016

It’s universally acknowledged that it’s a bad idea to store plain-text passwords. If a database containing plain-text passwords is compromised, user accounts are in immediate danger. For this reason, as early as 1976, the industry standardized on storing passwords using secure, one-way hashing mechanisms (starting with Unix Crypt). Unfortunately, while this prevents the direct reading of passwords in case of a compromise, all hashing mechanisms necessarily allow attackers to brute force the hash offline, by going through lists of possible passwords, hashing them, and comparing the result. In this context, secure hashing functions like SHA have a critical flaw for password hashing: they are designed to be fast. A modern commodity CPU can generate millions of SHA256 hashes per second. Specialized GPU clusters allow for calculating hashes at a rate of billions per second.

Over the years, we’ve quietly upgraded our password hashing approach multiple times in an ongoing effort to stay ahead of the bad guys. In this post, we want to share more details of our current password storage mechanism and our reasoning behind it. Our password storage scheme relies on three different layers of cryptographic protections, as the figure below illustrates. For ease of elucidation, in the figure and below we omit any mention of binary encoding (base64).

Multiple layers of protection for passwords

We rely on bcrypt as our core hashing algorithm with a per-user salt and an encryption key (or global pepper, see below), stored separately. Our approach differs from basic bcrypt in a few significant ways.

First, the plaintext password is transformed into a hash value using SHA512. This addresses two particular issues with bcrypt. Some implementations of bcrypt truncate the input to 72 bytes, which reduces the entropy of the passwords. Other implementations don’t truncate the input and are therefore vulnerable to DoS attacks because they allow the input of arbitrarily long passwords. By applying SHA, we can quickly convert really long passwords into a fixed length 512 bit value, solving both problems.

Next, this SHA512 hash is hashed again using bcrypt with a cost of 10 (translator's note: the highest strength), and a unique, per-user salt. Unlike cryptographic hash functions like SHA, bcrypt is designed to be slow and hard to speed up via custom hardware and GPUs. A work factor of 10 translates into roughly 100ms for all these steps on our servers.

Finally, the resulting bcrypt hash is encrypted with AES256 using a secret key (common to all hashes) that we refer to as a pepper. The pepper is a defense in depth measure. The pepper value is stored separately in a manner that makes it difficult to discover by an attacker (i.e. not in a database table). As a result, if only the password storage is compromised, the password hashes are encrypted and of no use to an attacker.

Why not use {scrypt, argon2} over bcrypt?

We considered using scrypt, but we had more experience using bcrypt. The debate over which algorithm is better is still open, and most security experts agree that scrypt and bcrypt provide similar protections.

We’re considering argon2 for our next upgrade: when we moved to our current scheme, argon2 hadn’t (yet) won the Password Hashing Competition. Additionally, while we believe argon2 is a fantastic password hashing function, we like that bcrypt has been around since 1999 without any significant vulnerabilities found.

Why is the global pepper used for encryption instead of hashing?

Recall that the global pepper is a defense in depth measure and we store it separately. But storing it separately also means that we have to include the possibility of the pepper (and not the password hashes) being compromised. If we use the global pepper for hashing, we can’t easily rotate it. Instead, using it for encryption gives us similar security but with the added ability to rotate. The input to this encryption function is randomized, but we also include a random initialization vector (IV).

Going forward, we’re considering storing the global pepper in a hardware security module (HSM). At our scale, this is an undertaking with considerable complexity, but would significantly reduce the chances of a pepper compromise. We also plan to increase our bcrypt strength in our next update.

Moving forward

We believe this use of SHA512, plus bcrypt, and AES256 is currently among the strongest and most future-proof methods to protect passwords. At the same time, we know that attackers are continuously evolving—and our defenses will too. Our password hashing procedure is just one of many measures we use to secure Dropbox. We’ve deployed additional safeguards against online brute-force attacks like rate-limiting password attempts, captchas, and a range of abuse mitigations. Like the diagram above, there are many layers to maintaining robust security, and we’re actively investing in all of them. We’d love to hear your thoughts.
