Uploaded image for project: 'Apache Cassandra'
  1. Apache Cassandra
  2. CASSANDRA-19817

PasswordAuthenticator accepts passwords with matching prefixes exceeding bcrypt length limit

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Triage Needed
    • Normal
    • Resolution: Unresolved
    • None
    • Messaging/Client
    • None
    • All

    Description

      Cassandra allows roles to be created with passwords longer than the bcrypt length limit of 72 bytes[1]. All passwords sharing a 72-byte prefix have the same bcrypt hash, so users can authenticate with passwords that do not exactly match a role's configured password.
       
      Users expect authentication to only happen when there is an exact match between a role's configured password and the password provided by an agent authenticating against that role.

      I have a few elements to propose:
      1. Cassandra rejects creation of passwords (via CREATE ROLE or ALTER ROLE) that exceed the 72-byte limit
      2. Cassandra logs a server-side warning (not ClientWarn) when a role's password exceeds the length limit, recommending a password change, with NoSpamLogger

      Thanks to Stefan Miklosovic for investigating this with me.

      As for proof, here's a failing test:

      import org.mindrot.jbcrypt.BCrypt;
public class PasswordCollisionTest
{
   @Test
   public void testLongPassword() throws Exception
   
{        String longpassword = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";        String salt = BCrypt.gensalt();        String longhashed = BCrypt.hashpw(longpassword, salt);        Assert.assertTrue(BCrypt.checkpw(longpassword, longhashed));        String longerpassword = longpassword + "bbb";        String longerhashed = BCrypt.hashpw(longerpassword, salt);        Assert.assertNotEquals(longerhashed, longhashed);    }
}

       

      Here's a similar test as an end-user would experience it, against recent trunk (fe30e227bdedf13f890e242d2646598398ba8bed):

      $ ./bin/cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042
[cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] 
Use HELP for help.
cassandra@cqlsh> CREATE ROLE longpassword WITH PASSWORD = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' AND LOGIN = true;
cassandra@cqlsh> exit;
$ ./bin/cqlsh -u longpassword -p aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Connected to Test Cluster at 127.0.0.1:9042
[cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] 
Use HELP for help.
longpassword@cqlsh> exit;
$ ./bin/cqlsh -u longpassword -p aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbb
Connected to Test Cluster at 127.0.0.1:9042
[cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] 
Use HELP for help.
longpassword@cqlsh> exit;

       

      [1]https://en.wikipedia.org/wiki/Bcrypt#Maximum_password_length

      Attachments

        Activity

          People

            Unassigned Unassigned
            aratnofsky Abe Ratnofsky
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: