Change protocol version (3 -> 4) : PKDBF2 is renamed in PBKDF2. This also avoid mismatch with new encryption system

This commit is contained in:
Grégory Soutadé 2017-04-17 20:39:53 +02:00
parent 29e2c8337c
commit 65ca3a3d3d
6 changed files with 14 additions and 12 deletions

View File

@ -59,7 +59,7 @@ function load_database()
return $db; return $db;
} }
$PROTOCOL_VERSION = 3; $PROTOCOL_VERSION = 4;
$db = load_database(); $db = load_database();
@ -68,8 +68,10 @@ $res = "";
$statement = $db->prepare("SELECT password FROM gpass WHERE login=:login"); $statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");
echo "protocol=gpass-$PROTOCOL_VERSION\n"; echo "protocol=gpass-$PROTOCOL_VERSION\n";
if ($PKDBF2_LEVEL != 1000) if ($PBKDF2_LEVEL != 1000)
echo "pkdbf2_level=$PKDBF2_LEVEL\n"; {
echo "pbkdf2_level=$PBKDF2_LEVEL\n";
}
for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++) for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
{ {

View File

@ -29,7 +29,7 @@ $VIEW_CIPHERED_PASSWORDS=true;
$ADMIN_MODE=true; $ADMIN_MODE=true;
/* /*
Number of iterations for PKDBF2 algorithm. Number of iterations for PBKDF2 algorithm.
Minimum recommended level is 1000, but you can increase Minimum recommended level is 1000, but you can increase
this value to have a better security (need more computation this value to have a better security (need more computation
power). power).
@ -37,7 +37,7 @@ $ADMIN_MODE=true;
!! Warning !! This impact master keys. So if you change !! Warning !! This impact master keys. So if you change
this value with existings masterkeys, they will unusable ! this value with existings masterkeys, they will unusable !
*/ */
$PKDBF2_LEVEL=1000; $BKDF2_LEVEL=1000;
/* /*
This is a security feature : It protects from database dump This is a security feature : It protects from database dump
@ -45,7 +45,7 @@ $PKDBF2_LEVEL=1000;
When get all entries, instead of returning logins/passwords, When get all entries, instead of returning logins/passwords,
it returns "shadow logins". These are random values. it returns "shadow logins". These are random values.
Shadow logins must be encrypted using masterkey and salt Shadow logins must be encrypted using masterkey and salt
(to generate a unique PKDBF2 derivation) that result in an access tokens. (to generate a unique PBKDF2 derivation) that result in an access tokens.
With this access token, user has the right to get With this access token, user has the right to get
encrypted login/password values and remove them. encrypted login/password values and remove them.
It's a kind of challenge. It's a kind of challenge.

View File

@ -24,7 +24,7 @@
Password is salted (3 random characters) and encrypted Password is salted (3 random characters) and encrypted
All is encrypted with AES256 and key : PKDBF2(hmac_sha256, master key, url, 1000) All is encrypted with AES256 and key : PBKDF2(hmac_sha256, master key, url, 1000)
*/ */
$MAX_ENTRY_LEN = 512; $MAX_ENTRY_LEN = 512;
$USERS_PATH = "./users/"; $USERS_PATH = "./users/";

View File

@ -78,14 +78,14 @@ else
<link rel="stylesheet" type="text/css" href="resources/gpass.css" /> <link rel="stylesheet" type="text/css" href="resources/gpass.css" />
<script language="javascript"> <script language="javascript">
<?php <?php
echo "pkdbf2_level=$PKDBF2_LEVEL; use_shadow_logins=$USE_SHADOW_LOGINS;\n"; echo "pbkdf2_level=$PBKDF2_LEVEL; use_shadow_logins=$USE_SHADOW_LOGINS;\n";
echo "CLEAR_TIME=$CLEAR_TIME; // Clear master key after 15 minutes\n"; echo "CLEAR_TIME=$CLEAR_TIME; // Clear master key after 15 minutes\n";
?> ?>
</script> </script>
<script src="resources/jsaes.js"></script> <script src="resources/jsaes.js"></script>
<script src="resources/jssha256.js"></script> <script src="resources/jssha256.js"></script>
<script src="resources/hmac.js"></script> <script src="resources/hmac.js"></script>
<script src="resources/pkdbf2.js"></script> <script src="resources/pbkdf2.js"></script>
<script src="resources/gpass.js"></script> <script src="resources/gpass.js"></script>
<script src="resources/pwdmeter.js"></script> <script src="resources/pwdmeter.js"></script>
<title>gPass : global Password</title> <title>gPass : global Password</title>

View File

@ -122,7 +122,7 @@ function a2hex(str) {
function derive_mkey(user, mkey) function derive_mkey(user, mkey)
{ {
url = url_domain(document.URL) + "/" + user; url = url_domain(document.URL) + "/" + user;
mkey = a2hex(pkdbf2(mkey, url, pkdbf2_level, 256/8)); mkey = a2hex(pbkdf2(mkey, url, pbkdf2_level, 256/8));
return mkey; return mkey;
} }
@ -226,7 +226,7 @@ function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
this.shadow_login_to_access_token = function(masterkey) this.shadow_login_to_access_token = function(masterkey)
{ {
var aes = new AES(); var aes = new AES();
var key = pkdbf2(hex2a(masterkey), hex2a(this.salt), pkdbf2_level, 256/8); var key = pbkdf2(hex2a(masterkey), hex2a(this.salt), pbkdf2_level, 256/8);
var a_key = aes.init(hex2a(key)); var a_key = aes.init(hex2a(key));
this.access_token = aes.encryptLongString(hex2a(this.shadow_login), a_key); this.access_token = aes.encryptLongString(hex2a(this.shadow_login), a_key);
this.access_token = a2hex(this.access_token); this.access_token = a2hex(this.access_token);

View File

@ -17,7 +17,7 @@
along with gPass. If not, see <http://www.gnu.org/licenses/>. along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/ */
function pkdbf2 (password, salt, iterations, outlen) { function pbkdf2 (password, salt, iterations, outlen) {
var result = ""; var result = "";
var temp = ""; var temp = "";
var temp2 = ""; var temp2 = "";