DoS with long password

[Sc00bz]

If you enter a long password it will take significantly longer. This runs in O(pwLen * rounds) time instead of in O(pwLen + rounds) time.

Ideally you'd want to do a cached HMAC for a 2x speed increase (on normal sized passwords):

var cachedCtx = createHmac(digest, password)

...

-var T = createHmac(digest, password).update(block1).digest()
+var T = "cachedCtx.clone()".update(block1).digest()

...

-U = createHmac(digest, password).update(U).digest()
+U = "cachedCtx.clone()".update(U).digest()

Their are some problems with the "create-hmac" package and once those are fixed cached HMAC will be the best way to go. See browserify/createHmac#27. Also I do not know the proper way to clone an object in Node.js. Thus the quotes around cachedCtx.clone().

[calvinmetcalf]

ok so the fist big issue is that you can't actually clone node crypto objects like this, but there is a reason we aren't actually using createHmac here and it's becasue it has a bunch of overhead related to streaming object creation that we didn't want which means that we probably can fix this in the library.

that being said looking at how we use the hmac and how the hmac works are you sure that applies here ?

[Sc00bz]

Sorry I removed the reference to the lines of code https://github.com/crypto-browserify/pbkdf2/blob/master/lib/sync.js#L36-L40

[calvinmetcalf]

ah so funny enough that will never actually use the create-hmac library because that only runs in node so it probably wont help

…

On Fri, Oct 12, 2018 at 7:39 PM Steve Thomas ***@***.***> wrote: Sorry I removed the reference to the lines of code https://github.com/crypto-browserify/pbkdf2/blob/master/lib/sync.js#L36-L40 — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#82 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABE4n8FhzQU8Fbz9ZvkW3AzZacOKF6mNks5ukSgsgaJpZM4XZdfa> .

[calvinmetcalf]

This library is pretty complex as it handles several different scenarios:

• in node.js but an old one that doesn't support some of the newer features
• the browser in synchronous mode or in browser that doesn't support webcypto
• the browser asynchronously via web crypto

so it's not necessarily obvious at first glance what code path will be taken it what environment but I believe I actually tested this back in the day and it was faster to create a node.js hmac object then to use a non streaming one because the node.js one would use a native hmac function while in the browser it wouldn't.

[webmaster128]

Unfortunately, the Hmac class does not have the copy method as the Hash class:

But what could be pulled out of the loop is this key normalization https://github.com/crypto-browserify/pbkdf2/blob/v3.1.0/lib/sync-browser.js#L26-L30, such that the native hmac always gets the correct key length.