security: provide controls and automation to upgrade password hash complexities

[knz]

This issue is a followup to https://github.com/cockroachlabs/managed-service/pull/7408
and this comment

Requested by @aaron-crl and @bdarnell

Description of problem

Currently the password code fixes the bcrypt cost to 10 used when generating/storing new password hashes server-side.
The scram PR #74301 follows this model and hardcodes 4096 as the pkbf2 iteration count.

Both values are very low and have become inadequate as of 2022.
They are meant to be increased over time has hardware performance increases.

@bdarnell recalls a heuristic that the bcrypt cost should be increased by 1 each year; and that for pkbf2 / sha256, folk were already using 64000 iterations a few years ago.

CockroachDB should provide some mechanism to evolve the cost function over time

Design ideas

A simple design could be to provide a cluster setting that controls the cost used for new passwords.
For long-lived CockroachDB deployments, we could ship increases to the default value of the cluster setting in patch releases.

A question then arises of what to do with existing passwords, created with a previous (lower) iteration count.

For this, we can observe that increasing the iteration count is an associative operation: iter(iter(H, x), y) = iter(H, x+y)
This means that we can increase the iteration count for an already-computed hash by simply further iterating the hash function on the hash that's stored already.

This helps us define an automatic upgrade for existing passwords: a process that iterates over system.users.hashedPassword and further hashes up to the value indicated by the current target cost.

Design constraint: fixed iteration counts

We have offered operators the ability to pre-hash passwords and store pre-computed hashes.

We should assume that operators are interested to control the cost function. For example, in the CC control plane we generate hashes with a lower iteration count, because we control the entropy of the generated password (see https://github.com/cockroachlabs/managed-service/pull/7408).

When the operator controls the iteration count, we do not wish to automatically update it inside CockroachDB.

Design sketch

• a cluster setting sets the desired target cost.
• the default value of that cluster setting is increased in patch releases over time.
• when a new password is generated from plaintext server-side, we use the cluster setting to select the cost.
• we start storing, in the system.users.hashedPassword column using the format prefix, a bit that indicates whether the cost was auto-selected by crdb or was manually set by an operator.
• (optionally, see comments below) we modify the CC control plane (extending this PR) to use that bit to force the cost function to remain fixed.
• periodically, we scan system.users and upgrade the non-fixed hashes to the configured target cost in the cluster setting.

Epic CRDB-5349

[knz]

@bdarnell @jeffswenson can you check the issue description, in particular the "design sketch" section, to see if that aligns with your thinking?

[knz]

As to the prefixes.
I propose the following:

Hash format	Description
$2a$... (no prefix)	Bcrypt, non-fixed cost (can be auto-upgraded) - ensures backward-compat with prev crdb versions
CRDB-BCRYPT$2a$...	Bcrypt, fixed cost
SCRAM-SHA-256$...	SCRAM, fixed cost
CRDB-SCRAM-SHA-256$...	SCRAM, non-fixed cost (can be auto-upgraded)

Rationale for the choice:

1. choosing that the no-prefix variant becomes non-fixed ensures that passwords generated in previous versions of crdb can be automatically upgraded.
2. we then need a prefix for the fixed-cost variant of bcrypt. Here, I choose CRDB-BCRYPT$ so that the CC infra code from PR 7408 can remain unchanged.
3. choosing that the SCRAM-SHA-256 prefix becomes fixed stems from the observation that this is a standard PostgreSQL prefix, and we should assume that pg clients that upload a hash explicitly wish to control the cost themselves.
4. then, we need a different prefix for the non-fixed scram variant, to be used when CockroachDB stores new passwords provided as plaintext. I choose CRDB-SCRAM-SHA-256 arbitrarily. (Bikeshed welcome here)

@jeffswenson what do you think?

[knz]

@bdarnell I am detecting a potential obstacle to auto-upgrading the cost function for SCRAM credentials (not bcrypt).
Indeed, the code looks like this:

  saltedPassword ≔ pbkdf2.Key([]byte(c.password), []byte(kf.Salt), kf.Iters, h.Size(), SHA256)
  clientKey ≔ computeHMAC(SHA256, saltedPassword, []byte("Client Key"))

  return derivedKeys{
    StoredKey: computeHash(SHA256, clientKey),
    ServerKey: computeHMAC(SHA256, saltedPassword, []byte("Server Key")),
  }

I can see two obstacles:

• it does not look like the pbkdf2.Key function is associative on the iter argument (source code)
• even if it was, we're storing a HMAC and hash of the derived key, not the key itself, so that's also not associative.

Can we "salvage" this, in the non-fixed cost case, by storing more data alongside the hash that'd be sufficient to re-generate StoredKey and ServerKey with a higher iter count?

[knz]

@bdarnell all of the above was working under the assumption that the bcrypt cost could be increased without a copy of the cleartext password. It appears this might not be true? Consider:
https://cs.opensource.google/go/x/crypto/+/e495a2d5:bcrypt/bcrypt.go;drc=089bfa5675191fd96a44247682f76ebca03d7916;l=187

It looks like there are non-commutative additional operations after the blowfish setup that's dependent on the cost?

[bdarnell]

we should assume that pg clients that upload a hash explicitly wish to control the cost themselves.

That's only true sometimes. As you say in #74301, setting passwords via a hash is preferable for security because it means the server never sees the cleartext. So some users who set pre-hashed passwords would prefer them to be upgraded over time to stronger hashes, while others are deliberately choosing a specific iteration count and don't want it to be changed.

working under the assumption that the bcrypt cost could be increased without a copy of the cleartext password. It appears this might not be true?

Yeah, I don't think bcrypt permits this kind of blind complexity increase because it's structured as an encryption after an expensive key derivation instead of simply an iterated hash. But we wouldn't do automatic cost increases in bcrypt anyway. What matters is scram.

I am detecting a potential obstacle to auto-upgrading the cost function for SCRAM credentials...Can we "salvage" this, in the non-fixed cost case, by storing more data alongside the hash that'd be sufficient to re-generate StoredKey and ServerKey with a higher iter count?

Storing additional information may weaken the security of the system. Maybe there's some way to do it safely, but it's getting into "designing your own crypto" territory and we don't want to do that. If it's not a simple "hash the stored value 10000 more times" then let's stay away.

So it looks like we can't offer automatic upgrades for scram passwords; our one opportunity for automatic upgrades would be the bcrypt-to-scram move (which we can do on next login). That's OK with me. The consequence of this is that we need to choose our iteration count to be future-proof for at least several years, and perhaps document a best practice of periodic password resets to pick up changes to the password hash work factor. The scope of this issue would then shrink to adding a cluster setting to make the work factor configurable. (And we don't need to introduce a distinct prefix for fixed vs upgradable work factors for scram).

[knz]

@aaron-crl can you advise what would be a good future-proof iter count for SCRAM-SHA-256?

[jeffswenson]

The design sketch looks good to me.

I am worried about modifying the hash difficulty of passwords generated after https://github.com/cockroachlabs/managed-service/pull/7408 goes live. If we automatically upgrade $2a$ prefixes, we would increase the difficulty of passwords randomly generated by Cockroach Cloud.

We will either need to backport the CRDB-BCRYPT storage prefix before enabling the pre-hashing, or we will need to write a migration that rewrites the $2a$04$ prefix to CRDB-BCRYPT$2a$04$.

[aaron-crl]

We will either need to backport the CRDB-BCRYPT storage prefix before enabling the pre-hashing, or we will need to write a migration that rewrites the $2a$04$ prefix to CRDB-BCRYPT$2a$04$.

Great call out! I don't have strong feelings on this and will defer to my Server team counterparts.

@aaron-crl can you advise what would be a good future-proof iter count for SCRAM-SHA-256?

TL;DR: Because these are user supplied passwords we get more by adding entropy requirements to reduce dictionary efficacy than we do adding iterations. We should pick iterations to align with the maximum delay we are willing to accept for auth and seek protection against low entropy passwords in other ways.

Alternatively, pick a price we want to associated with cracking one of our hashes and adjust to that.

My gut is to not stray below 100,000 iterations and shoot for 250,000 if we are willing to introduce that connection delay today.

--- Crunchy Bits ---

Looks like cracking GPUs are hitting around 4.1BH/s on HMAC-SHA-256 or 4.1 * 10 ^ 9 / s. https://gist.github.com/Chick3nman/e4fcee00cb6d82874dace72106d73fef

We'd want guess time to be as high as can reasonably be afforded since these are user supplied passwords and we can make few assertions about their entropy.

My workstation is hitting about 0.9 seconds at 1M iterations with the below test code:

package main

import (
	"golang.org/x/crypto/pbkdf2"
	"crypto/sha256"
	"time"
	"fmt"
)

func hashPassword(passwd, salt string, itercount int) string {
 	start := time.Now()
	_ = pbkdf2.Key([]byte(passwd), []byte(salt), itercount, 50, sha256.New)
    elapsed := time.Since(start)
	return fmt.Sprintf("%s", elapsed)
}

func main() {
	counts := []int{10000, 50000, 100000, 500000, 1000000}
	for _, c := range counts {
		fmt.Printf("%8d: %s\n", c, hashPassword("mysecret", "mysalt", c));
	}
}

$  go run pbkdf2.go 
   10000: 11.374427ms
   50000: 54.435223ms
  100000: 103.028869ms
  500000: 459.179551ms
 1000000: 937.139197ms

We've relied on a tuned bcrypt cost of 250ms per check historically which would put us at around 250,000 iterations today if we want parity.

An offline attack against 250,000 iterations would render 16,400 guesses per second on a single GPU.

Assuming only lowercase alphabet characters (26), that renders the following exhaustive crack times on a single GPU:
6 characters (26^6/(16400/s)) = 5.2 hours
7 characters (26^7/(16400/s)) = 136.2 hours
8 characters (26^8/(16400/s)) = 3,537 hours
9 characters (26^9/(16400/s)) = 91,963 hours

Dividing these by 2.5 to examine 100,000 iterations doesn't change much in the face of a GPU attack as the iterations are a linear cost add for PBKDF2 and one can simply increase the number of applied GPUs for a proportionate reduction in the wall clock time.

Presuming hash cracking efficiency doubles every 18 months, 250,000 iterations would be equivalent to 100,000 in about 30 months for added context.

GPU/hour runs around $0.50 today based on a quick survey so that would put the 8 character password with 250,000 iterations at approx. $1,768 to crack today. (~$707 at 100,000 iterations).

Pragmatically none of this protects against dictionary words but I'd be reasonably happy to make a scrambled eight character lower case alphabet password still cost $1,000+ to crack.

[knz]

Ok here is my thinking:

• we're going to document in the product (and the docs site) what the tradeoff is:
  • if the operator is auto-generating passwords, then let that have good entropy and then the operator can set a lower hash cost to get lower latency
  • if end-users are selecting their own passwords, then we're going to advise our "recommended" cost, e.g. 100000 iterations for scram
• inside the product, we'll use the conservative cost as the default value for the configurable setting
• in cc console, we can be more clever to optimize for latency

what do y'all think?

[knz]

I did a little investigation with the current bcrypt password hashes inside CockroachDB:

func TestBCryptLatency(t *testing.T) {
        defer leaktest.AfterTest(t)()
        ctx := context.Background()

        hashed, _ := HashPassword(ctx, "hello world")

        tm := time.NewTimer(time.Second * 5)
        defer tm.Stop()
        count := 0
loop:
        for {
                select {
                case <-tm.C:
                        break loop
                default:
                }
                _ = CompareHashAndPassword(ctx, hashed, "bla")
                count++
        }

        hps := float32(count) / 5.
        lat := 1. / hps
        t.Errorf("hashes per second: %.2f\nlatency hash: %.2fms", hps, lat*1000.)
}

Running this with the bcrypt default cost of 10 gives me the following output:

     hashes per second: 16.40
     latency hash: 60.98ms

obtained on AMD 3950X 3.7GHz

Am I right to understand that this default bcrypt cost of 10 is actually not quite bad as a default config in CockroachDB?

Here are some more numbers:

• with cost 11, hashes per second: 7.33 latency hash: 136.36ms
• with cost 12, hashes per second: 4.33 latency hash: 230.77ms

IMHO, going to cost 11 now would bring the SQL login latency into dangerous "noticeably slow" range.