Hashing functions in Firefox OS

Stéphanie Ouillon
Hi,

I'm in the Firefox OS Security team and I'm starting working on adding
support for stronger passwords in the Firefox OS lockscreen (bug 877541)
[1].
At the moment, only a 4-digit password can be configured and we want to
improve that for FxOS 1.4 (March 2014).

Some time ago, David Dahl provided a patch for having hashing
functions in Gecko: it's a JSM living next to the SettingsManager for
FxOS [2]. Supported algorithms are sha256, sha384 and sha512.

But having a set of hashing functions that could be called from anywhere
would definitely be best.

My question is:

Could/should it be implemented in the JavaScript crypto API? I am not
really familiar with the state of progress of that API. At the time it
was discussed, it wasn't conceivable.

Or is it better to keep it as a module in Gecko, as David started doing,
and build a kind of "mozHash" webAPI?


Thanks!

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=877541
[2] https://bug877541.bugzilla.mozilla.org/attachment.cgi?id=779450


Stéphanie
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Hashing functions in Firefox OS

Kai Engert-4
On Di, 2013-12-17 at 16:02 +0100, Stéphanie Ouillon wrote:
> I'm in the Firefox OS Security team and I'm starting working on adding
> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
> [1].
> At the moment, only a 4-digit password can be configured and we want to
> improve that for FxOS 1.4 (March 2014).
>
> Some time ago, David Dahl provided a patch for having hashing
> functions in Gecko: it's a JSM living next to the SettingsManager for
> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.

It's not clear why you need something new.

I'd assume your device locking code is privileged code.
Can't you use nsICryptoHash?

Kai



Re: Hashing functions in Firefox OS

Frederik Braun
On 15.01.2014 14:32, Kai Engert wrote:
> It's not clear why you need something new.
>
> I'd assume your device locking code is privileged code.
> Can't you use nsICryptoHash?

There is no privileged JS in FxOS as there is in Firefox Desktop :)
All code must be an open web API.


Re: Hashing functions in Firefox OS

Kurt Roeckx
In reply to this post by Stéphanie Ouillon
On 2013-12-17 16:02, Stéphanie Ouillon wrote:

> Hi,
>
> I'm in the Firefox OS Security team and I'm starting working on adding
> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
> [1].
> At the moment, only a 4-digit password can be configured and we want to
> improve that for FxOS 1.4 (March 2014).
>
> Some time ago, David Dahl provided a patch for having hashing
> functions in Gecko: it's a JSM living next to the SettingsManager for
> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>
> But having a set of hashing functions that could be called from anywhere
> would definitely be best.

I'm confused what passwords have to do with hashes.  Do you want to
store hash(pass)?  This is a bad idea, please use something that is
designed to store passwords instead like bcrypt, scrypt or PBKDF2.


Kurt


Re: Hashing functions in Firefox OS

Garrett Robinson
On 01/15/2014 08:33 AM, Kurt Roeckx wrote:

> On 2013-12-17 16:02, Stéphanie Ouillon wrote:
>> Hi,
>>
>> I'm in the Firefox OS Security team and I'm starting working on adding
>> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
>> [1].
>> At the moment, only a 4-digit password can be configured and we want to
>> improve that for FxOS 1.4 (March 2014).
>>
>> Some time ago, David Dahl provided a patch for having hashing
>> functions in Gecko: it's a JSM living next to the SettingsManager for
>> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>>
>> But having a set of hashing functions that could be called from anywhere
>> would definitely be best.
>
> I'm confused what passwords have to do with hashes.  Do you want to
> store hash(pass)?  This is a bad idea, please use something that is
> designed to store passwords instead like bcrypt, scrypt or PBKDF2.

Excellent point. (I assumed they wanted access to the underlying hash
functions so they could build PBKDF2 or similar). PBKDF2 is implemented
in CryptoUtils.js [0], along with some other convenience functions. I
don't think this is exposed as the kind of API OP is looking for, but
perhaps it could be.

[0]
http://dxr.mozilla.org/mozilla-central/source/services/crypto/modules/utils.js

Another option would be to use JS implementations of password hashing
functions (or Emscripten-compiled native versions of the same, which
should get near-native performance, especially important for slow hash
functions). For example:

* https://github.com/tonyg/js-scrypt (Emscripten-compiled)
* https://code.google.com/p/crypto-js/ (includes PBKDF2)

>
> Kurt
>

Re: Hashing functions in Firefox OS

Stéphanie Ouillon
Hi,

On 01/15/2014 06:40 PM, Garrett Robinson wrote:

> On 01/15/2014 08:33 AM, Kurt Roeckx wrote:
>> On 2013-12-17 16:02, Stéphanie Ouillon wrote:
>>
>> I'm confused what passwords have to do with hashes.  Do you want
>> to store hash(pass)?  This is a bad idea, please use something
>> that is designed to store passwords instead like bcrypt, scrypt
>> or PBKDF2.
>
> Excellent point. (I assumed they wanted access to the underlying
> hash functions so they could build PBKDF2 or similar). PBKDF2 is
> implemented in CryptoUtils.js [0], along with some other
> convenience functions. I don't think this is exposed as the kind of
> API OP is looking for, but perhaps it could be.
>
> [0]
> http://dxr.mozilla.org/mozilla-central/source/services/crypto/modules/utils.js
>
>  Another option would be to use JS implementations of password
> hashing functions (or Emscripten-compiled native versions of the
> same, which should get near-native performance, especially
> important for slow hash functions). For example:
>
> * https://github.com/tonyg/js-scrypt (Emscripten-compiled)
> * https://code.google.com/p/crypto-js/ (includes PBKDF2)

I'm not sure why the people who worked before me on this started to
think about hashing. From my understanding, the point was to hash the
password, and compare hashes when unlocking the screen. So there was
no encryption involved.  There might be a performance concern or maybe
the crypto stuff in FxOS wasn't mature enough at the time, I don't
really know.

Christiane Ruetten recently released a FxOS Crypto Concept draft [1].
Using the CryptoUtils module and PBKDF2 would make absolute sense. For
that, the functions still need to be exposed as a web API. According to
the architecture taking place in FxOS, I guess this API would be part
of the Crypto Worker (which has nothing to do with WebCrypto's
WorkerCrypto).


[1]
https://docs.google.com/a/mozilla.com/document/d/13dnmH4OsJc0ItMa0Z21VJcYJBK6kIb1om4B-DJk7N2E/edit#
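The difference between storing hash(pass) and a PBKDF2-derived verifier, as discussed in the messages above, shown as an added example that is not code from any poster or from Gecko. It uses Node.js's built-in crypto module rather than CryptoUtils or a FxOS web API; the parameter values, the record layout and the sample passcodes are assumptions made for illustration.

```javascript
// Added example: Node.js built-in crypto, not Gecko's CryptoUtils or any FxOS API.
const { createHash, pbkdf2Sync, randomBytes, timingSafeEqual } = require("node:crypto");

// Assumed parameters; the iteration count should be tuned to the device's CPU budget.
const PARAMS = { digest: "sha256", iterations: 100000, saltBytes: 16, keyBytes: 32 };

// The scheme questioned in the thread: hash(pass) with no salt and no work factor.
function bareHash(passcode) {
  return createHash("sha256").update(passcode, "utf8").digest("hex");
}

// Enrolment: derive a verifier with PBKDF2 and store the parameters beside it,
// so the work factor can be raised later without breaking old records.
function enroll(passcode, params = PARAMS) {
  const salt = randomBytes(params.saltBytes);
  const key = pbkdf2Sync(passcode, salt, params.iterations, params.keyBytes, params.digest);
  return {
    kdf: "pbkdf2",
    digest: params.digest,
    iterations: params.iterations,
    salt: salt.toString("hex"),
    key: key.toString("hex"),
  };
}

// Unlock: re-derive with the stored salt and parameters, compare in constant time.
function verify(passcode, record) {
  if (record.kdf !== "pbkdf2") return false;
  const salt = Buffer.from(record.salt, "hex");
  const expected = Buffer.from(record.key, "hex");
  // An empty stored key would compare equal to an empty derived key; reject it.
  if (expected.length === 0) return false;
  const actual = pbkdf2Sync(passcode, salt, record.iterations, expected.length, record.digest);
  return timingSafeEqual(actual, expected);
}

// Constructed sample: two devices whose owners picked the same passcode.
function demo() {
  const a = enroll("4831");
  const b = enroll("4831");
  return {
    bareHashesMatch: bareHash("4831") === bareHash("4831"), // identical on every device
    recordsMatch: a.key === b.key, // differ, because each record has its own salt
    rightCode: verify("4831", a),
    wrongCode: verify("4832", a),
  };
}
```

The salt and iteration count raise the cost of each guess but do not enlarge a 4-digit keyspace, so the longer passcodes this thread is about are still needed alongside the KDF.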

Re: Hashing functions in Firefox OS

Paul Theriault
In reply to this post by Kai Engert-4
Device locking is managed in the Gaia system app currently, not in Gecko. So I believe we either need hashing support of some kind exposed to content, or we need an API which controls device locking.

Maybe dev-b2g is a better place for that discussion, but can anyone answer Stephanie's original questions? Anyone working on this? Any considerations if we just start working on this?

On Jan 16, 2014, at 12:32 AM, Kai Engert wrote:

> On Di, 2013-12-17 at 16:02 +0100, Stéphanie Ouillon wrote:
>> I'm in the Firefox OS Security team and I'm starting working on adding
>> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
>> [1].
>> At the moment, only a 4-digit password can be configured and we want to
>> improve that for FxOS 1.4 (March 2014).
>>
>> Some time ago, David Dahl provided a patch for having hashing
>> functions in Gecko: it's a JSM living next to the SettingsManager for
>> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>
> It's not clear why you need something new.
>
> I'd assume your device locking code is privileged code.
> Can't you use nsICryptoHash?
>
> Kai
>
>


Re: Hashing functions in Firefox OS

Paul Theriault
Er, ignore me, at least my second comment about replying to Stephanie. I didn't realize I wasn't subscribed.

On Jan 17, 2014, at 10:01 AM, Paul Theriault wrote:

> Device locking is managed in the Gaia system app currently, not in Gecko. So I believe we either need hashing support of some kind exposed to content, or we need an API which controls device locking.
>
> Maybe dev-b2g is a better place for that discussion, but can anyone answer Stephanie's original questions? Anyone working on this? Any considerations if we just start working on this?
>
> On Jan 16, 2014, at 12:32 AM, Kai Engert wrote:
>
>> On Di, 2013-12-17 at 16:02 +0100, Stéphanie Ouillon wrote:
>>> I'm in the Firefox OS Security team and I'm starting working on adding
>>> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
>>> [1].
>>> At the moment, only a 4-digit password can be configured and we want to
>>> improve that for FxOS 1.4 (March 2014).
>>>
>>> Some time ago, David Dahl provided a patch for having hashing
>>> functions in Gecko: it's a JSM living next to the SettingsManager for
>>> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>>
>> It's not clear why you need something new.
>>
>> I'd assume your device locking code is privileged code.
>> Can't you use nsICryptoHash?
>>
>> Kai
>>
>>
>
