J3.x

現存的網站中的兩階段驗證(2FA)驗證碼產生器建議

From Joomla! Documentation

This page is a translated version of the page J3.x:Changes to the 2FA token generation recommendations for existing sites and the translation is 74% complete.
Other languages:
Deutsch • ‎English • ‎español • ‎français • ‎italiano • ‎中文(台灣)‎ • ‎中文(繁體)‎

這個頁面包含了伴隨 Joomla! 3.9.25 發佈的安全修補,關於 2FA 設定。以下有影響分析以及在現存網站上建議的作法。

回報的錯誤

安全研究員 Hanno Böck 聯繫了 Jooma! 安全性小組(Joomla! Security Strike Team, JSST) ,並告知了這次更新 (3.9.25) 修正了兩項安全議題。

受影響的版本

一般訊息

這會影響 Joomla! 版本:: 3.2.0 - 3.9.24

什麼造成的

從 Joomla 3.2.0 開始,Joomla 核心加入了 2FA / TOTP 支援。 而到 3.9.25 之前這這個機制有兩項輕度安全風險:

  • 在產生 2FA secret 過程中,使用了不安全的 rand() function
  • 使用了長度不足的 2FA secret,根據 RFC 4226 應該要有20 byte,而不僅是 10 byte

問題如何修改

從 Joomla 3.9.25 起, Joomla 核心被更新為:

  • 使用安全的 random function (random_int; backported to older PHP version by the library paragonie/random_compat)
  • 相較於之前的 10 byte 舊版,使用 20 bytes 來產生 2FA secret

這個議題也協同 Akeeba Ltd ,因為他們是原始 FOF codebase to the core貢獻者。

這會影響我的網站嗎

As stated in the initial report provided by Hanno Böck he said regarding the usage of the insecure rand function:

[...] I consider the practical risk of this to be low. In order to attack this an attacker would have to know the approximate time when the person created his TOTP secret. PHP internally mixes in microseconds twice, so one could maybe reduce the possible options for the key to a few million, which is still very impractical for a real attack. [...]


And for the usage of 10 vs 20 bytes he said the following:

[...] The code by default uses 10 bytes for the secret. 10 bytes is 80 bits. The risk here is low. 80 bits is still outside of any practical attack. Nevertheless I think security requirements (and even recommendations) of the RFC should be followed, so I recommend changing this to 20 bytes (aka 160 bits). [...]


Based on that information the JSST came to the conclusion to obviously implement the changes as note above but this does explicit not mean that practically all 2FA tokes generated prior the patch have to be regenerated as they still work as expected and are still secure form a practical standpoint. It should also be obvious that the changes made here only affect secrets generated after this change.