Fast SHA-2 Authentication with Apache, is it even possible?

Question

Okay, I spent the last couple of days researching this, and I can't believe Apache's natively supported hashing functions are that outdated.

I discovered a couple of ways to do this, which are mod_perl and mod_authnz_external, both of which are too slow, because apache runs that whenever any object inside a protected directory is called. That means that a user may have to be authenticated hundreds of times in a single session.

Has anyone ever managed to get Apache to use something that's more secure than MD5 and SHA-1 without moving authentication away from Apache? Salted SHA-2 would be a real bonus.

Thanks!

Answer 1

If you're on a GNU/Linux system with a version of glibc2 released in the last 5 or so years, you can modify htpasswd's crypt() implementation to prepend "$6$" to the salt, and then it'd be as simple as:

 # htpasswd -d -c .htpasswd someusername

When the salt starts with "$6$", glibc2 will use salted SHA-512, with the up to 16 characters after that being the salt, in the range [a-zA-Z0-9./].

See man 3 crypt.

I'm not aware of any patch to support this, but it should be a simple one.

EDIT: I'd also like to mention that one round of even salted SHA-512 is breakable if your attacker is determined enough. I'd recommend, and am using in most things I've been able to edit, 128000 rounds of PBKDF2 with HMAC-SHA512, but this would be a very extensive edit, unless you want to link htpasswd against openssl, which has a PKCS5_PBKDF2_HMAC() function.

EDIT 2: Also, using openssl to do strong hashing isn't hard, if you're interested:

abraxas ~ # cat pbkdf2.c 

#include <string.h>
#include <stdio.h>
#include <openssl/evp.h>
#include <openssl/sha.h>

#define PBKDF2_SALT_PREFIX          "$pbkdf2sha512$"
#define PBKDF2_SALT_PREFIX_LENGTH   strlen(PBKDF2_SALT_PREFIX)
#define PBKDF2_PRF_ALGORITHM        EVP_sha512()
#define PBKDF2_DIGEST_LENGTH        SHA512_DIGEST_LENGTH
#define PBKDF2_SALT_LENGTH          32
#define PBKDF2_RESULT_LENGTH        PBKDF2_SALT_PREFIX_LENGTH + (2 * PBKDF2_DIGEST_LENGTH) + PBKDF2_SALT_LENGTH + 2
#define PBKDF2_ROUNDS               128000

void hash_password(const char* pass, const unsigned char* salt, char* result)
{
    unsigned int i;
    static unsigned char digest[PBKDF2_DIGEST_LENGTH];
    memcpy(result, PBKDF2_SALT_PREFIX, PBKDF2_SALT_PREFIX_LENGTH);
    memcpy(result + PBKDF2_SALT_PREFIX_LENGTH, salt, PBKDF2_SALT_LENGTH);
    result[PBKDF2_SALT_PREFIX_LENGTH + PBKDF2_SALT_LENGTH] = '$';
    PKCS5_PBKDF2_HMAC(pass, strlen(pass), salt, PBKDF2_SALT_LENGTH, PBKDF2_ROUNDS, PBKDF2_PRF_ALGORITHM, PBKDF2_DIGEST_LENGTH, digest);
    for (i = 0; i < sizeof(digest); i++)
        sprintf(result + PBKDF2_SALT_PREFIX_LENGTH + PBKDF2_SALT_LENGTH + 1 + (i * 2), "%02x", 255 & digest[i]);
}

int main(void)
{
    char result[PBKDF2_RESULT_LENGTH];
    char pass[] = "password";
    unsigned char salt[] = "178556d2988b6f833f239cd69bc07ed3";
    printf("Computing PBKDF2(HMAC-SHA512, '%s', '%s', %d, %d) ...\n", pass, salt, PBKDF2_ROUNDS, PBKDF2_DIGEST_LENGTH);
    memset(result, 0, PBKDF2_RESULT_LENGTH);
    hash_password(pass, salt, result);
    printf("Result: %s\n", result);
    return 0;
}

abraxas ~ # gcc -Wall -Wextra -O3 -lssl pbkdf2.c -o pbkdf2
abraxas ~ # time ./pbkdf2 

Computing PBKDF2(HMAC-SHA512, 'password', '178556d2988b6f833f239cd69bc07ed3', 128000, 64) ...
Result: $pbkdf2sha512$178556d2988b6f833f239cd69bc07ed3$3acb79896ce3e623c3fac32f91d4421fe360fcdacfb96ee3460902beac26807d28aca4ed01394de2ea37b363ab86ba448286eaf21e1d5b316149c0b9886741a7

real    0m0.320s
user    0m0.319s
sys 0m0.001s

abraxas ~ #