Increase PBKDF2 iterations to match 2023 OWASP recommendations or use Argon2id
Is your feature request related to a problem? Please describe.
In the aftermath of the LastPass disaster, OWASP has updated its PBKDF2 recommendations. Current recommendations are as follows:
The work factor for PBKDF2 is implemented through an iteration count, which should be set differently based on the internal hashing algorithm used.
- PBKDF2-HMAC-SHA1: 1,300,000 iterations
- PBKDF2-HMAC-SHA256: 600,000 iterations
- PBKDF2-HMAC-SHA512: 210,000 iterations
Looking into Nextcloud's current situation, I've discovered that:
- The E2E encryption whitepaper states that PBKDF2WithHmacSHA1 is used, but makes no mention of the number of iterations. Investigating the code, I found this, which suggests an iteration count of 1024: https://github.com/nextcloud/desktop/blob/master/src/libsync/clientsideencryption.cpp#L347-L364
```cpp
QByteArray generatePassword(const QString& wordlist, const QByteArray& salt) {
    qCInfo(lcCse()) << "Start encryption key generation!";
    const int iterationCount = 1024;   // work factor: far below the OWASP figures above
    const int keyStrength = 256;
    const int keyLength = keyStrength/8;
    QByteArray secretKey(keyLength, '\0');
    int ret = PKCS5_PBKDF2_HMAC_SHA1(
        wordlist.toLocal8Bit().constData(),      // const char *password,
        wordlist.size(),                         // int password length,
        (const unsigned char *)salt.constData(), // const unsigned char *salt,
        salt.size(),                             // int saltlen,
        iterationCount,                          // int iterations,
        keyLength,                               // int keylen,
        unsignedData(secretKey)                  // unsigned char *out
    );
    // The quoted excerpt stops here; the function goes on to check ret and return secretKey.
    return secretKey;
}
```
- The Server-side encryption whitepaper states PBKDF2 with 100,000 iterations. Investigating the code, I found this, which confirms this and also shows SHA256. https://github.com/nextcloud/server/blob/b9520661406bc514ac16f11aeb85b1980d62f581/apps/encryption/lib/Crypto/Crypt.php#L380-L387
Describe the solution you'd like
Based on the above, Nextcloud's PBKDF2 iteration counts are inadequate to protect against GPU-based attacks in 2023, and the E2E encryption module appears especially vulnerable given its dangerously low count of 1024.
I'd like to see Nextcloud's encryption updated to match current OWASP recommendations.
- If open to switching to a more modern key derivation function, Argon2id is the current recommendation.
- If sticking with PBKDF2:
  - E2E encryption should be updated to use SHA256 for its HMAC with 600,000 iterations
  - Server side encryption should be updated to use 600,000 iterations
Additional context
The main reason the Lastpass breach was such a disaster was because they failed to upgrade everyone's security over the years as the need for higher iteration counts became apparent. To properly solve this issue, all existing users of both encryption modules should have their security automatically upgraded to take advantage of the increased key derivation iterations. This is especially true of E2E encryption users, as noted above.
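To illustrate the "automatic upgrade" asked for above (and the OWASP targets from the solution section), here is an added example that is not Nextcloud's code: it verifies a password against the parameters stored with the data, and, if those parameters are below the recommended table, re-derives the key with the recommended parameters while the password is in hand. The `make_record` format and the HMAC tag standing in for the wrapped data/private key are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# OWASP 2023 PBKDF2 minimums quoted in the issue, keyed by the HMAC digest
OWASP_MIN_ITERATIONS = {"sha1": 1_300_000, "sha256": 600_000, "sha512": 210_000}
KEY_LEN = 32  # 256-bit key, as in the desktop client excerpt


def derive_key(password: str, salt: bytes, digest: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-<digest> over the password, using the parameters stored alongside the data."""
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, KEY_LEN)


def needs_upgrade(digest: str, iterations: int, target_digest: str = "sha256") -> bool:
    """True if the stored digest differs from the target or the count is below the OWASP table."""
    return digest != target_digest or iterations < OWASP_MIN_ITERATIONS[digest]


def make_record(password: str, digest: str, iterations: int) -> dict:
    """Constructed stand-in for the metadata stored next to encrypted data. The real modules
    wrap a data/private key with the derived key; here a keyed tag stands in for that wrap."""
    salt = secrets.token_bytes(16)
    key = derive_key(password, salt, digest, iterations)
    tag = hmac.new(key, b"key-check", "sha256").digest()
    return {"digest": digest, "iterations": iterations, "salt": salt, "tag": tag}


def unlock_and_upgrade(record: dict, password: str, target_digest: str = "sha256") -> tuple:
    """Verify the password with the *stored* parameters; on success, if they fall below the
    target, re-derive with the recommended parameters and rewrite the record in place.
    Returns (unlocked, upgraded)."""
    key = derive_key(password, record["salt"], record["digest"], record["iterations"])
    expected = hmac.new(key, b"key-check", "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return False, False  # wrong password: never touch the stored parameters
    if not needs_upgrade(record["digest"], record["iterations"], target_digest):
        return True, False
    # Upgrade transparently now, instead of leaving old users on weak parameters for years
    new_salt = secrets.token_bytes(16)
    new_iters = OWASP_MIN_ITERATIONS[target_digest]
    new_key = derive_key(password, new_salt, target_digest, new_iters)
    record.update(digest=target_digest, iterations=new_iters, salt=new_salt,
                  tag=hmac.new(new_key, b"key-check", "sha256").digest())
    return True, True
```

A record created with the E2E parameters from the issue (SHA1, 1024 iterations) is rewritten to SHA256 with 600,000 iterations on the first successful unlock, and subsequent unlocks leave it untouched.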