Page MenuHomePhabricator
Create Task
Maniphest T12509

Plan the path forward from HMAC-SHA1
Open, NormalPublic
Actions

Description

A SHA1 collision was widely disclosed recently.

Our only use of plain SHA1 was removed in D17619, but we still make use of HMAC-SHA1 via PhabricatorHash::digest(). This isn't currently broken, and HMAC is designed to resist collisions, but it would be good to move away from it. However, doing so involves some considerations:

  • Do ~all installs have SHA256, or are we going to run into issues where SHA256 isn't available?
  • The security.hmac-key option is currently kind of a pile of garbage. In practice, it's just a hard-coded value for every Phabricator install. It would be much better to make this value unique per-install during setup. Ideally, we'd generate keys into some table and use a different, randomly generated key for each class of hash.
  • We should probably rename PhabricatorHash::digest() to oldBadDigest() or similar, rather than suffer the curse of digest2pro_improved().
  • We have ~40 callsites and these need to be individually audited and upgraded. Many probably present no security risk on SHA1, and many are ephemeral or can be transitioned easily, but some will be a pain to dig out.
  • The introduction of D17625 puts some time pressure on this: we save a migration if we sneak a fancyNewDigest() in before anyone uploads any files to installs with the new integrity check code. Otherwise we need to keep code to validate the old hashes around.

Revisions and Commits

rP Phabricator
D19946rP1f4cf23455d7 Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256
D19945rP93e6dc1c1d69 Upgrade object reply addresses to SHA256 and remove "phabricator.mail-key"
D19941rPafa69eedd1a5 Remove an old digest in Celerity code and some obsolete configuration options
D19884rP080fb1985f29 Upgrade an old "weakDigest()" inside TOTP synchronization code
D18908rP21e415299f26 Mark all existing password hashes as "legacy" and start upgrading digest formats
D17632rP3d816e94dfbe Rename "PhabricatorHash::digest()" to "weakDigest()"
D17631rP3a3626834e60 Replace Remarkup calls to `PhabricatorHash::digest()` with SHA256
D17630rPd450a088906e Support HMAC+SHA256 with automatic key generation and management

Related Objects
Search...

Event Timeline

epriestley created this task.Apr 5 2017, 8:20 PM
Herald added subscribers: cburroughs, andypuettmann, eadler, revi. · View Herald TranscriptApr 5 2017, 8:20 PM
epriestley added a comment.Apr 5 2017, 8:26 PM

I'm maybe going to try to do this in the short term:

  • Write the integrity-check-management scripts in T12470.
  • Rename digest() to weakDigest().
  • Introduce a new table in the Auth database for HMAC keys, deprecating security.hmac-key with the intent to eventually remove it.
  • The new method will have a signature like PhabricatorHash::digest($material, $role), where $role is a lookup to a random secret key in the HMAC table that we read through the ImmutableCache.
  • Use the new stuff for integrity checks.

Then we can audit and replace the old stuff at our leisure.

siepkes added a subscriber: siepkes.Apr 6 2017, 12:53 PM

Piece of info (you guys might already be aware of it) which might be of interest when implementing this; SHA512 is often faster then SHA256 on x64. See for example: https://crypto.stackexchange.com/questions/26336/sha512-faster-than-sha256

epriestley added a comment.Apr 6 2017, 1:05 PM

I get these rough per-hash costs locally (Macbook Pro), with a 64-byte key:

Input SizeHMAC-SHA256HMAC-SHA512
1KB6us4us
4MB20,000us13,000us

I think these costs are both way beneath the level of line noise for all applications we use hashing for.

epriestley added a comment.Apr 6 2017, 2:01 PM

(That said, the hash cost may become very relevant when we eventually ship "Phabricator Valuable Golden Coin Money", our blockchain-based virtual currency.)

epriestley added a revision: D17630: Support HMAC+SHA256 with automatic key generation and management.Apr 6 2017, 4:38 PM
epriestley added a revision: D17631: Replace Remarkup calls to `PhabricatorHash::digest()` with SHA256.Apr 6 2017, 5:03 PM
epriestley added a revision: D17632: Rename "PhabricatorHash::digest()" to "weakDigest()".Apr 6 2017, 5:10 PM
epriestley added a commit: rPd450a088906e: Support HMAC+SHA256 with automatic key generation and management.Apr 6 2017, 10:43 PM
epriestley added a commit: rP3a3626834e60: Replace Remarkup calls to `PhabricatorHash::digest()` with SHA256.
epriestley added a commit: rP3d816e94dfbe: Rename "PhabricatorHash::digest()" to "weakDigest()".
epriestley mentioned this in T12515: Upgrading: File Integrity Hashing and SHA1.Apr 6 2017, 11:24 PM
joshuaspence added a subscriber: joshuaspence.Apr 12 2017, 11:45 AM
epriestley added a revision: D18908: Mark all existing password hashes as "legacy" and start upgrading digest formats.Jan 22 2018, 2:16 AM
epriestley added a commit: rP21e415299f26: Mark all existing password hashes as "legacy" and start upgrading digest formats.Jan 23 2018, 10:01 PM
epriestley mentioned this in T13225: Complete session digest migration from SHA1 to SHA256.Dec 13 2018, 6:42 PM
epriestley added a revision: D19884: Upgrade an old "weakDigest()" inside TOTP synchronization code.Dec 13 2018, 8:19 PM
epriestley added a commit: rP080fb1985f29: Upgrade an old "weakDigest()" inside TOTP synchronization code.Dec 14 2018, 12:16 AM
epriestley added a revision: D19941: Remove an old digest in Celerity code and some obsolete configuration options.Jan 2 2019, 4:56 AM
epriestley added a revision: D19945: Upgrade object reply addresses to SHA256 and remove "phabricator.mail-key".Jan 3 2019, 1:18 PM
epriestley mentioned this in T6994: Write a general "Security guidelines" document.Jan 3 2019, 1:21 PM
epriestley added a comment.Jan 3 2019, 1:25 PM

In moving forward here, we're generally moving from manually-configured HMAC keys to automatic ones. This is generally good: it's simpler (less configuration); and I believe almost no one configured the old ones, so installs now actually get unique HMAC keys; and the new keys have more entropy, too.

In some cases, there was theoretical value in changing these keys as a security response. For example, if you leaked some "Reply-To" addresses, you could change phabricator.mail-key to invalidate all the old addresses. I believe essentially no one has ever done this, but we could be exceptionally robust here by doing this:

  • Add an abstract class PhabricatorNamedHMACDigest { ... }.
  • Subclass it into final class PhabricatorMailObjectAddressNamedHMACDigest { const HMAC = 'mail.object-address-key'; ... }.
  • Have some methods like getAnExplanationOfWhatThisKeyIs() and describeWhyYouWouldWantToRegenerateThisKey().
  • Provide bin/hmac list to show current keys and explain what they are, and bin/hmac regenerate <key> to regenerate a particular key.

This is a bit of work and pretty low-value, but maybe not totally unreasonable. It doesn't add much complexity, but does feel fairly YAGNI.

The low-budget version of hmac regenerate <key> is DELETE FROM phabricator_auth.auth_hmackey WHERE .... This will automatically regenerate the missing key the next time it is used.

epriestley added a revision: D19946: Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256.Jan 3 2019, 2:08 PM
amckinley added a subscriber: amckinley.Jan 3 2019, 7:29 PM
epriestley added a commit: rPafa69eedd1a5: Remove an old digest in Celerity code and some obsolete configuration options.Jan 4 2019, 9:43 PM
epriestley added a commit: rP93e6dc1c1d69: Upgrade object reply addresses to SHA256 and remove "phabricator.mail-key".Jan 4 2019, 9:47 PM
epriestley added a commit: rP1f4cf23455d7: Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256.Jan 4 2019, 9:49 PM
epriestley mentioned this in 2019 Week 1 (Very Early January).Jan 5 2019, 12:51 AM
epriestley mentioned this in T13630: Move Phacility provisioning to Piledriver.Nov 20 2021, 9:02 PM
Phabricator · Built by Phacility