Nesting bcrypt + PHPass for improving the security of password storage in legacy software?

Question

I've been tasked with improving the security of the password storage of a site which currently uses Openwall's PHPass. All the hashes will be converted at once, i. e. we don't want to wait for the user to log in to re-hash their password.

To achieve this I thought we could use bcrypt over the existing PHPass hashes, this way: bcrypt(phpass(password))

But we need an important intermediate step: just like bcrypt, PHPass has its own salt embedded into the hash, so we have to "carry" that salt into bcrypt if we want the operation to be repeatable when verifying the hashes.

Luckily, PHPass' salt size is smaller (6 bytes) than bcrypt's (16 bytes), so we can "share" the first 6 bytes of the salt and adding 10 additional random bytes for bcrypt.

Imagine something like this in pseudo-PHP:

$password = 'somestring123';

$hash = phpass($password)

// $hash is now '$H$9Uvsrbh2Wxo3SebfGb4xVtODMmD2K70',
// where 'Uvsrbh2W' is an encoded, random salt of 6 'raw' bytes

$raw_salt = decode(substr($hash, 4, 8));

$hash = bcrypt_with_custom_salt($hash, $raw_salt . random_bytes(10));

// $hash is now '$2y$12$Uvsrbh2WzN9HrapVpnmu2OYOdJ2jnjHt2LTwIYQPJe.BUJQKezKuO'
// whose salt uses the first 6 bytes we had in phpass,
// so that we can repeat the process when veryfing the password
// since we have all the salts available in only one hash

Barring any implementation bugs and assuming the random sources are cryptographically secure, is this a theoretically secure way to use bcrypt in a legacy context? From my understanding the result should be as secure (if not more...?) as just doing bcrypt(password), but I'm not an expert and I might be missing some obscure detail.

Answer 1

I was initially going to close this as a duplicate of "why-is-hashing-a-password-with-multiple-hash-functions-useless" however you have a slightly more complex case in that you already have a database of hashed passwords.

If you consider your existing mechanism of hashing to be insufficient than you need to migrate to a better solution. That means you need to be able to discriminate between the old and new representation, run the verification mechanisms in parallel and convert the clear text from the old representation to the new. And the only time you get the clear text is when somebody logs in.

Although PHPPass is rather long in the tooth, it does use blowfish (and bcrypt is based on blowfish). So maybe you're not improving the security quite as much as you think.

Answer 2

I would tend to say that if you are moving away from phpass that you would want to remove it from your code base as much as possible. I might suggest that you first replace all phpasses with the bcrypted version of them, then replace your phpass hash with the bcrypt hash the next time a user logs in. In order to support users who are logging in for the first time since the switch, you should also check to see if the phpass matches.

So something like the following. Obviously I'm using pseudo code as the function is not called "bcrypt".

if bcrypt(phpass($supplied_password)) == $storred_password;
    $storred_password = bcrypt($supplied_password);
    login();
if bcrypt($supplied_password) == $storred_password;
    login();

In this scenario, you are slowly migrating to the new password scheme, but the old one is still supported.

If there is any vulnerability in phpass like a memory leak or something crazy, you are not using it at all in most of your passwords as users login.

Answer 3

The one-time wrapping of PHPass in bcrypt should indeed provide significant additional offline bruteforce resistance. As I commented above, using default work factors, hashcat can crack PHPass fallback md5crypt-style PHPass about 500 times faster than bcrypt.

Reusing the inner PHPass salt for use with the outer bcrypt seems reasonable. (It certainly seems better than a static salt!) Your legacy bcrypt salts will not be quite random -- but only non-random relative to the inner PHPass hash that is not yet known to the attacker.

Since each bcrypt and PHPass are still randomly salted relative to all other hashes of their type, the distribution of salts still provides the broad resistance to bruteforce that salts are supposed to.

I can't think of a way that knowing the PHPass salt in advance would provide any additional advantage to the attacker. And even if it does provide a slight advantage, it will almost certainly be outweighed by the higher cost of cracking bcrypt.

Answer 4

What you are doing is essentially a key expansion. But phpPass already does this (as does bcrypt), so what you're really doing from a security standpoint is (slightly) increasing security by adding one more round, nothing more.

There might be some implementation vulnerabilities in phpPass that might lead to key disclosure (for example not sanitizing memory buffers), but chances of exploitation seem small.

All in all I'd say that you do not decrease security, even if you probably don't increase it significantly.

Even so, some way of migrating the database could be worth pursuing. For example adding a field to the user table to hold a pure bcrypt hash (or NULL). If it is NULL, the phpPass algorithm is used, and if the password validates, the bcrypt field is generated. You can monitor the percentage of bcrypt-filled hash fields to see how the migration is going on. And you can zero the phpPass hash of some test migrated users to verify that everything is working when standing on bcrypt alone (if the system is cleanly designed this is superfluous, but it's still good to to be able to show a Happy Day Scenario to the CEO - a table with code coverages doesn't cut it as much).