[Cryptech-Commits] [sw/libhal] 03/03: Lower PBKDF2 password iterations and add delay on bad PIN.

[git at cryptech.is]

This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch ksng
in repository sw/libhal.

commit 9c9f26fa04882cdc1ddb01410688f4d2651782af
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Wed Apr 26 20:01:01 2017 -0400

    Lower PBKDF2 password iterations and add delay on bad PIN.
    
    Consistent user complaints about HSM login taking too long.
    Underlying issue has both superficial and fundamental causes.
    
    Superficial: Our PBKDF2 implementation is slow.  We could almost
    certainly make it faster by taking advantage of partial
    pre-calculation (see notes in code) and by reenabling use of FPGA hash
    cores when when checking passwords (which mgiht require linking the
    bootloader against a separate libhal build to avoid chicken-and-egg
    problem of needing FPGA to log into console to configure FPGA).
    
    Fundamental: The PBKDF2 iteration counts we used to use (10,000
    minimum, 20,000 default) are in line with current NIST
    recommendations.  The new, faster values (1,000 and 2,000,
    respectively) are not, or, rather, they're in line with what NIST
    recommended a decade ago.  Well, OK, maybe the Coretex M4 is so slow
    that it's living in the past, but still.  The fundamental issue is
    that anybody who can capture the encoded PIN can mount an offline
    dictionary attack on it, so we'd like to make that expensive.
    
    But the users are unhappy with the current behavior, so this change
    falls back to the ancient technique of adding a delay (currently five
    seconds, configurable at compile time) after a bad PIN, which makes it
    painful to use the login function as an oracle but does nothing about
    the offline dictionary attack problem.
    
    Feh.
    
    Note that users can still choose a higher iteration count, by setting
    the iteration count via the console.  It's just not the default out of
    the box anymore.
---
 hal_internal.h              |  7 ++++++-
 last_gasp_pin_internal.h    |  6 +++---
 rpc_misc.c                  | 16 +++++++++++++---
 utils/last_gasp_default_pin |  2 +-
 4 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/hal_internal.h b/hal_internal.h
index 56d0936..36f24d4 100644
--- a/hal_internal.h
+++ b/hal_internal.h
@@ -99,9 +99,14 @@ extern void hal_ks_lock(void);
 extern void hal_ks_unlock(void);
 
 /*
- * Logging.
+ * Thread sleep.  Currently used only for bad-PIN delays.
  */
 
+extern void hal_sleep(const unsigned seconds);
+
+/*
+ * Logging.
+ */
 
 typedef enum {
   HAL_LOG_DEBUG, HAL_LOG_INFO, HAL_LOG_WARN, HAL_LOG_ERROR, HAL_LOG_SILENT
diff --git a/last_gasp_pin_internal.h b/last_gasp_pin_internal.h
index bbcac76..901f797 100644
--- a/last_gasp_pin_internal.h
+++ b/last_gasp_pin_internal.h
@@ -3,7 +3,7 @@
  */
 
 static const hal_ks_pin_t hal_last_gasp_pin = {
-  10000,
-  {0x06, 0xe2, 0x10, 0x7b, 0xb8, 0x40, 0xb5, 0x90, 0x33, 0xc8, 0xdb, 0xcc, 0xde, 0x3e, 0xb0, 0x33, 0x2b, 0x7c, 0x60, 0x7c, 0xb4, 0x52, 0xb1, 0x43, 0xa2, 0x20, 0x71, 0xdd, 0xbc, 0x95, 0x92, 0x04, 0xe6, 0x51, 0x90, 0xda, 0x6e, 0x2b, 0x6d, 0x8c, 0xb8, 0x63, 0x8d, 0x59, 0xad, 0xc5, 0xae, 0x6c, 0xf5, 0x7c, 0x75, 0x5e, 0x38, 0x72, 0x06, 0xc5, 0xa9, 0x3b, 0xaa, 0xe9, 0x64, 0x6e, 0xb1, 0x1a},
-  {0x40, 0x49, 0xe4, 0xb6, 0x18, 0x0e, 0xe2, 0xbf, 0x3b, 0x22, 0xc8, 0xfe, 0xeb, 0xef, 0x09, 0x81}
+  1000,
+  {0xd5, 0xde, 0xe9, 0x9f, 0x0c, 0xd0, 0xc1, 0x72, 0xfe, 0xe1, 0x8e, 0xe2, 0xad, 0x94, 0x9e, 0x9a, 0xb2, 0x11, 0x14, 0xe4, 0xa4, 0x04, 0xf0, 0x98, 0xd1, 0x44, 0x22, 0x8a, 0x7c, 0x23, 0x5d, 0xdb, 0xe4, 0x29, 0xa6, 0x95, 0x4b, 0xbb, 0x34, 0xf7, 0x16, 0x8b, 0x3f, 0x67, 0x65, 0xc9, 0xa2, 0x2b, 0xcc, 0x5a, 0x25, 0xa7, 0xef, 0xd5, 0x2e, 0x99, 0x75, 0xc8, 0x0f, 0xd9, 0xff, 0x76, 0xf6, 0x1c},
+  {0x34, 0x3f, 0x18, 0x36, 0x94, 0xeb, 0xda, 0xb6, 0x5a, 0x5c, 0xbe, 0xc7, 0x61, 0xa0, 0x43, 0x5f}
 };
diff --git a/rpc_misc.c b/rpc_misc.c
index cf5e4a0..3f466bb 100644
--- a/rpc_misc.c
+++ b/rpc_misc.c
@@ -78,15 +78,23 @@ typedef struct {
 } client_slot_t;
 
 #ifndef HAL_PIN_MINIMUM_ITERATIONS
-#define HAL_PIN_MINIMUM_ITERATIONS 10000
+#define HAL_PIN_MINIMUM_ITERATIONS 1000
 #endif
 
 #ifndef HAL_PIN_DEFAULT_ITERATIONS
-#define HAL_PIN_DEFAULT_ITERATIONS 20000
+#define HAL_PIN_DEFAULT_ITERATIONS 2000
 #endif
 
 static uint32_t hal_pin_default_iterations = HAL_PIN_DEFAULT_ITERATIONS;
 
+/*
+ * Seconds to delay when given a bad PIN.
+ */
+
+#ifndef HAL_PIN_DELAY_ON_FAILURE
+#define HAL_PIN_DELAY_ON_FAILURE 5
+#endif
+
 #ifndef HAL_STATIC_CLIENT_STATE_BLOCKS
 #define HAL_STATIC_CLIENT_STATE_BLOCKS	10
 #endif
@@ -155,8 +163,10 @@ static hal_error_t login(const hal_client_handle_t client,
   for (int i = 0; i < sizeof(buf); i++)
     diff |= buf[i] ^ p->pin[i];
 
-  if (diff != 0)
+  if (diff != 0) {
+    hal_sleep(HAL_PIN_DELAY_ON_FAILURE);
     return HAL_ERROR_PIN_INCORRECT;
+  }
 
   client_slot_t *slot = find_handle(client);
 
diff --git a/utils/last_gasp_default_pin b/utils/last_gasp_default_pin
index 50d822f..8a91b8a 100755
--- a/utils/last_gasp_default_pin
+++ b/utils/last_gasp_default_pin
@@ -54,7 +54,7 @@ parser.add_argument("-p", "--pin",
                     help    = "PIN plaintext before PBKDF2 processing")
 parser.add_argument("-i", "--iterations",
                     type    = int,
-                    default = 10000,
+                    default = 1000,
                     help    = "PBKDF2 iteration count")
 parser.add_argument("-d", "--derived-key-length",
                     type    = int,