New old vulnerability: Firefox password manager uses outdated SHA-1 for 9 years

AdBlock Plus creator Vladimir Palant (Wladimir Palant) discovered a vulnerability in the Firefox browser and the Thunderbird mail client, allowing you to pick up their master password by brute force. The source of the problem is the SHA-1 hash mechanism used.

More details about the vulnerability below.

/ photo Z Jason CC

The essence of the problem

In his blog, Palant describes the operation of the sftkdb_passwordToKey () function , which converts a user's password into an encryption key by hashing a string containing salt and the master password itself . As a hash algorithm, SHA-1 is used.

The problem is that in Firefox and Thunderbird the function is used only once, although generally accepted practice in the industry involves at least 10 thousand iterations. LastPass, for example, uses 100k.
Modern GPUs calculate SHA-1 hashes extremely well. for example One Nvidia GTX 1080 graphics card computes 8.5 billion SHA-1 hashes per second. According to a Microsoft study , the password complexity of an ordinary user is about 40 bits. It turns out that to select it you need about 2 39 attempts - this means that the selection of a password of medium complexity will take about a minute.

Not the first bug report

This vulnerability was reported to Mozilla by Justin Dolske nine years ago, having issued a corresponding bug report. Justin drew the attention of developers that such a small number of iterations of the hash function poses a threat to the security of browser users. However, for some reason, the problem remained unsolved.

The irony is that SHA-1 was still part of the browser even after Mozilla stopped supporting sites with certificates using this hashing algorithm in October 2016 .

The main reason was the possibility of collision - a phenomenon in which two different blocks of information after hashing are identical. This made it possible to replace real certificates with fabricated ones. The experts announced the possibility of a “collision attack” back in 2012, predicting that by 2021 there would be enough resources for its implementation by ordinary computing systems used in research institutes.

And in early 2017, Google announced the first successful collision attack. As a result of the experiment, the Google team was able to get two identical hashes for two different PDF documents. To launch an attack, engineers first created a PDF prefix. , and then used Google’s massive technical resources to calculate collisions. In total, the company produced 9 quintillion calculations of SHA-1.

In connection with the successful replication of the collision attack, Google recommended that information security specialists start using the more secure SHA-256 and SHA-3 hashing algorithms as soon as possible.

/ photo Z Jason CC

Potential Solution

The response to the Mozilla forum came only after Vladimir Palant “resurrected” Justin Dolske’s bug report 9 years ago. In response, the developers noted that the vulnerability would be fixed with the release of Lockbox - a new component for the password manager. While the utility is available as a separate extension, it depends on the Firefox Accounts password manager.

However, Palant himself proposed to developers to start using the Argon2 hash algorithm, which uses multiple memory passes. Argon2 was declared the winner of the Password Hashing Competition in 2015, the participants of which developed a new password hashing function.

Argon2 first hashes the password using the Blake2b hash function . The hash result is written into memory blocks, which are converted using the compression function G (it receives two 8192-bit blocks as an input, and produces a 1024-bit block), and as a result, a key is generated.

The function is optimized for x86 architecture and utilizes the features of cache and memory organization in Intel and AMD processors. At the same time, Argon2 allows you to configure the number of iterations, the size of the result, the secret key, etc.

PS Materials on the topic of information security from the First blog about corporate IaaS: