
Password encryption: Dropping Crypt::CipherSaber #87

Closed
racke opened this issue Oct 8, 2017 · 4 comments · Fixed by #557

Comments

racke (Contributor) commented Oct 8, 2017

The old documentation says:

Authentication is based on passwords stored in the database table user_table; if the appropriate Crypt::CipherSaber is installed, passwords are encrypted in the database using reversible encryption based on RC4. Otherwise, they are stored in clear text. In both cases, reminding of passwords is possible.

But when I'm looking at my databases, I see only MD5 encryption. Note: I'm using Debian packages, but they have a dependency on Crypt::CipherSaber.

@racke racke added the question label Oct 8, 2017
ikedas (Member) commented Oct 9, 2017

According to OChangelog, the MD5 password hash was introduced in Sympa 6.0 (311cae8), and RC4 password encryption was deprecated in Sympa 6.2 (a16fd3e).

Currently, RC4 is used only for encryption/decryption of the HTTP session cookie.

@ikedas ikedas added the design label Dec 2, 2017
ikedas (Member) commented Dec 2, 2017

  • After all, Crypt::CipherSaber is no longer used to encrypt passwords.
  • And I doubt that encryption of cookie values makes the HTTP session more secure: each randomized value can be reused during the cookie_refresh period.

So I suppose it would be better to remove Crypt::CipherSaber. If there is no objection, I'll submit a PR.

ikedas (Member) commented Mar 20, 2018

6.2.26 introduced bcrypt password hash, then MD5 hash may be obsoleted: See also PR #225, #238.

On the other hand, passwords encrypted by RC4 are still supported. Thus I propose:

Proposal dropping Crypt::CipherSaber

  1. Deprecation of RC4:
    • Password storage encrypted by RC4 would be deprecated.
    • Such passwords may be decrypted and hashed during upgrading process.
  2. As well, giving up encryption of session ID in HTTP cookie: It hardly enhances security.
  3. Finally, dropping the dependency module Crypt::CipherSaber.
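The upgrade step in item 1 (decrypt the RC4-stored password, then store only a one-way hash) is worth seeing in working code, because it also shows why reversible storage is the weaker design: anyone holding the site secret recovers every plaintext password, which is exactly what made "reminding of passwords" possible. The block below is an added example written for this page, not Sympa's code and not Crypt::CipherSaber. It implements CipherSaber-1 as I understand that scheme (RC4 with a 10-byte random IV appended to the key, a single key-scheduling pass, IV prepended to the ciphertext), which is the default mode of Crypt::CipherSaber; the names `site_secret`, `migrate_rc4_record` and the `$pbkdf2-sha256$...` storage format are my own. Sympa 6.2.26 moved to bcrypt; because bcrypt is not in the Python standard library, the one-way hash here is PBKDF2-HMAC-SHA256 via `hashlib`, a stand-in for the same role, not the hash Sympa uses.

```python
"""CipherSaber-1 (RC4 + 10-byte IV) decryption followed by one-way re-hashing.

Added example modelling the proposed upgrade step; not Sympa's code.
The RC4 blob can be decrypted with the site secret (reversible storage),
then replaced by a salted PBKDF2 hash that cannot be reversed.
"""
import hashlib
import hmac
import os

IV_LEN = 10              # CipherSaber-1: 10 random bytes appended to the key
PBKDF2_ITERATIONS = 600_000  # stand-in for bcrypt's cost factor


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: one KSA pass (CipherSaber-1 uses exactly one), then PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ciphersaber_encrypt(site_secret: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """Returns IV || RC4(secret||IV, plaintext). `iv` is only injectable for tests."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    if len(iv) != IV_LEN:
        raise ValueError("CipherSaber-1 IV must be %d bytes" % IV_LEN)
    ks = rc4_keystream(site_secret + iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def ciphersaber_decrypt(site_secret: bytes, blob: bytes) -> bytes:
    """Reverses ciphersaber_encrypt: anyone with site_secret gets the plaintext back."""
    if len(blob) < IV_LEN:
        raise ValueError("blob shorter than the IV")
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    ks = rc4_keystream(site_secret + iv, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def hash_password(password: bytes, salt: bytes = None) -> str:
    """One-way, salted hash in a self-describing string (hypothetical format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return "$pbkdf2-sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: bytes, stored: str) -> bool:
    """Recomputes the hash with the stored salt and cost; constant-time compare."""
    _, _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate_rc4_record(site_secret: bytes, rc4_blob: bytes) -> str:
    """The upgrade step: decrypt the reversible record, keep only a one-way hash.

    This is only possible because RC4 storage is reversible; an MD5 record
    cannot be decrypted and would have to be re-hashed at the user's next
    successful login instead.
    """
    plaintext = ciphersaber_decrypt(site_secret, rc4_blob)
    return hash_password(plaintext)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real Sympa database.
    secret = b"example-site-secret"
    legacy_blob = ciphersaber_encrypt(secret, b"correct horse battery")
    print("legacy RC4 record decrypts to:", ciphersaber_decrypt(secret, legacy_blob))
    new_record = migrate_rc4_record(secret, legacy_blob)
    print("migrated record:", new_record)
    print("login with right password:", verify_password(b"correct horse battery", new_record))
    print("login with wrong password:", verify_password(b"wrong", new_record))
```

The same `rc4_keystream` is what encrypts the session cookie value in the scheme this thread proposes to drop, which makes item 2 concrete: the encrypted cookie is just a different opaque token, and a captured one can be replayed for as long as the underlying session ID stays valid, so the encryption buys nothing the random session ID did not already provide.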

ikedas (Member) commented Feb 24, 2019

PR above will drop Crypt::CipherSaber.

ikedas changed the title from "Password encryption" to "Password encryption: Dropping Crypt::CipherSaber" Mar 2, 2019
ikedas added a commit that referenced this issue Mar 2, 2019
@ikedas ikedas added this to the 6.2.42 milestone Mar 3, 2019