Use HMAC-SHA256 for cache passwords over MD5#877
Open
Firstyear wants to merge 1 commit intocyrusimap:masterfrom
63b507f to 3fd55b7
Currently the password cache uses MD5 for password caching in the mmapped cache file. This is not cryptographically secure.

This changes the algorithm to HMAC-SHA256. While other password verification algorithms are considered cryptographically superior (such as argon2id), in this case we want to maintain the cache's high performance, while improving the security of cached passwords.

To achieve this, the HMAC key itself is ephemeral and only ever stored in memory. This means that per invocation of saslauthd the HMAC key will be randomised. This results in the cache mmap file being effectively useless to an attacker who manages to steal the cache, as they lack the HMAC key to attempt to validate or brute-force any cached password.

This also means that if saslauthd crashes, the key material to access the cache is lost, effectively invalidating all records in that cache.

If an attacker were able to access the HMAC key in memory, then we can pretty safely assume that the attacker can also access plaintext password material, making the need to access the key irrelevant.

As a result, this change improves security of cached passwords without a significant loss of performance in the cache's operation.

Signed-off-by: William <william@blackhats.net.au>
3fd55b7 to 6eb8eab
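The following is an added example, not code from cyrus-sasl or from this pull request, that models the two cache designs the description contrasts: an unkeyed MD5 record, and an HMAC-SHA256 record under a key that exists only in the memory of the running process. The record layout (user, realm, service and password joined with NUL bytes), the class and function names, and the sample credential `alice`/`hunter2` are all assumptions made for illustration. It shows the three properties the description claims: a stolen HMAC cache yields nothing to someone who lacks the key, a lookup with the correct password still succeeds in the live process, and a restart (new key) invalidates every surviving record.

```python
import hashlib
import hmac
import secrets

# Added example, not cyrus-sasl code. The record layout below is an assumption:
# the tag covers user, realm, service and password joined with NUL separators.


def _record_bytes(user, realm, service, password):
    return b"\0".join(s.encode("utf-8") for s in (user, realm, service, password))


class Md5Cache:
    """The 'before' design: an unkeyed MD5 digest of the credential in the cache."""

    def __init__(self):
        self.records = {}  # (user, realm, service) -> digest bytes

    @staticmethod
    def tag(user, realm, service, password):
        return hashlib.md5(_record_bytes(user, realm, service, password)).digest()

    def store(self, user, realm, service, password):
        self.records[(user, realm, service)] = self.tag(user, realm, service, password)

    def check(self, user, realm, service, password):
        stored = self.records.get((user, realm, service))
        if stored is None:
            return False  # cache miss: caller falls back to the real auth mechanism
        return hmac.compare_digest(stored, self.tag(user, realm, service, password))


class EphemeralHmacCache:
    """The 'after' design: HMAC-SHA256 under a per-process random key."""

    def __init__(self):
        # Fresh 32-byte key per process lifetime; never written to the cache file.
        self._key = secrets.token_bytes(32)
        self.records = {}

    def tag(self, user, realm, service, password):
        # Binding user/realm/service into the message keeps one user's tag from
        # validating another user's lookup even if both chose the same password.
        return hmac.new(self._key, _record_bytes(user, realm, service, password),
                        hashlib.sha256).digest()

    def store(self, user, realm, service, password):
        self.records[(user, realm, service)] = self.tag(user, realm, service, password)

    def check(self, user, realm, service, password):
        stored = self.records.get((user, realm, service))
        if stored is None:
            return False
        return hmac.compare_digest(stored, self.tag(user, realm, service, password))


def offline_guesses(records, candidates, tag_fn):
    """What someone holding only the cache file can learn: try each candidate
    password against every record with tag_fn and return the ones that match."""
    found = {}
    for (user, realm, service), stored in records.items():
        for pw in candidates:
            if hmac.compare_digest(stored, tag_fn(user, realm, service, pw)):
                found[user] = pw
    return found


def demo():
    """Run both designs through the same scenario and return the observations."""
    ident = ("alice", "example.org", "imap")  # constructed sample identity
    candidates = ["password", "letmein", "hunter2"]  # constructed candidate list

    old = Md5Cache()
    old.store(*ident, "hunter2")

    new = EphemeralHmacCache()
    new.store(*ident, "hunter2")
    stolen = dict(new.records)  # the mmap file contents, without the in-memory key

    outsider = EphemeralHmacCache()  # any process that is not `new` has a different key
    restarted = EphemeralHmacCache()  # saslauthd after a crash: new key, old records
    restarted.records = stolen

    return {
        "md5_hit": old.check(*ident, "hunter2"),
        "md5_offline": offline_guesses(old.records, candidates, Md5Cache.tag),
        "hmac_hit": new.check(*ident, "hunter2"),
        "hmac_miss": new.check(*ident, "letmein"),
        "hmac_offline": offline_guesses(stolen, candidates, outsider.tag),
        "after_restart": restarted.check(*ident, "hunter2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MD5 records fall to a plain dictionary check because anyone can recompute the digest; the HMAC records do not, because recomputing the tag requires the key that never left process memory. The same property is what makes `after_restart` false: the surviving records are not wrong, they are simply unverifiable under the new key, which is the invalidation-on-crash behaviour the description relies on.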