[Bug 40349] New: Use pbkdf instead of the default openssl1 for Crypt::CBC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 Bug ID: 40349 Summary: Use pbkdf instead of the default openssl1 for Crypt::CBC Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: jonathan.druart@gmail.com QA Contact: testopia@bugs.koha-community.org 02:28:36 koha_1 | WARNING: The key derivation method "opensslv1" is deprecated. Using -pbkdf=>'pbkdf2' would be better. 02:28:36 koha_1 | Pass -nodeprecate=>1 to inhibit this message. 02:28:36 koha_1 | at /kohadevbox/koha/Koha/Patron.pm line 3216.
From the doc https://metacpan.org/pod/Crypt::CBC
-pbkdf The passphrase-based key derivation function used to derive the encryption key and initialization vector from the provided passphrase. For backward compatibility, Crypt::CBC will default to "opensslv1", but it is recommended to use the standard "pbkdf2"algorithm instead. If you wish to interoperate with OpenSSL, be aware that different versions of the software support a series of derivation functions. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |40348 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40348 [Bug 40348] api/v1/two_factor_auth.t generates warnings -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@openfifth.c | |o.uk Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Sounds good. Of course, it means that we'll have to re-encrypt all the database contents. But that could be a blessing in disguise! At the moment, we just *know* which fields are encrypted based on the code, and how they're encrypted, and we have a single "encryption_key" in koha-conf.xml. But the more time goes on the harder this is going to get to manage. We should update the database schema to store JSON metadata alongside the encrypted values. This is a normal practice these days. I'd suggest things like "kid" (or key_id), "algorithm" (e.g. AES-256-CBC in the case of Koha::Encryption currently), "pbkdf" (e.g. opensslv1 or pbkdf2), "iterations" (e.g. 10,000 - current default value of Crypt::CBC). In theory, we'd want IV and salt as well, but Crypt::CBC stores them as headers in the ciphertext/encrypted value, so we probably don't need to worry about those yet. Instead of "algorithm", we could break it down into "cipher" (e.g. AES), "keysize" (e.g. 256 bits which is a default value from Crypt::Cipher::AES), and "mode" (e.g. CBC). I'd then say we should add an attribute to "encryption_key" in koha-conf.xml. Since we don't currently programmatically update koha-conf.xml, I'd say we just store a value of "default" for kid for existing data. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Once we've updated the database schema to reflect the reality of the encryption options being used, we can then do scripted re-encryptions of the data. By storing key ID, we also create the opportunity to rotate encryption keys and add the ability to use separate keys for separate tasks. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=34976 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=32078 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #1)
We should update the database schema to store JSON metadata alongside the encrypted values.
Recently, I've been involved in a number of Keycloak system upgrades which have involved re-hashing of passwords, and storing the crypto options next to the values is how they're able to do it. It's also how I was able to work out some bugs in their re-hashing process heh. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|dcook@prosentient.com.au |koha-bugs@lists.koha-commun | |ity.org CC| |dcook@prosentient.com.au --- Comment #4 from David Cook <dcook@prosentient.com.au> --- Noticed that I've been set as the assignee but I don't think that I'll have time to work on it at this time. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=34697 CC| |m.de.rooy@rijksmuseum.nl --- Comment #5 from Jonathan Druart <jonathan.druart@gmail.com> --- *** Bug 34697 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |martin.renvoize@openfifth.c |ity.org |o.uk -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40349 Bug 40349 depends on bug 40348, which changed state. Bug 40348 Summary: api/v1/two_factor_auth.t generates warnings https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40348 What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org