Enforce 160-bit HOTP secret length and verify OTP secret length on login. #6222
## Status

Ready for review - note that this was already reviewed in #6191, but the PR base was not updated before merging.
## Description of Changes

Fixes #6189.

`is_hotp` checkbox is selected on the New User form.

Change Secret admin page.

The motivation behind said 80-bit minimum is that there may still be 80-bit OTP secrets associated with journalist accounts using TOTP in production instances, as the 160-bit TOTP requirement was recently added and not applied retroactively. The minimum should be set to 160-bit at some future date, once it's reasonable to assume that the majority of users have re-rolled their OTP secret - or once 80-bit secrets are no longer considered viable security-wise.
## Testing

(All tests can be performed in a dev environment. A Yubikey and associated HOTP secret would be best for testing, but CLI commands to generate HOTP tokens like `oathtool -c <counter> --hotp "<hex secret here>"` will also work. In most cases below `<counter>` will be `0`, but increment this field every time you use the same HOTP secret.)

### Adding new users
- `make dev` against this branch and log in to the JI at `localhost:8081` with an admin-level account
- `is using a Yubikey` unchecked) - specify a username and click Add User
- `is using a Yubikey` checkbox. Then click Add User
  - `The "otp_secret" field is required when "is_hotp" is set.` is displayed
- `HOTP Secret` field and click Add User
  - `The "otp_secret" field is required when "is_hotp" is set.` is displayed
- `HOTP Secret` field and click Add User
  - `Invalid HOTP secret format: please only submit letters A-F and numbers 0-9.` is displayed
- `<num>` hex chars with less than 40 non-space chars) in the `HOTP Secret` field and click Add User
  - `The HOTP secrets are 40 characters long - you have entered <num>.` is displayed
- `HOTP Secret` field and click Add User

### Editing existing users
- As an admin user, log onto the JI, go to the Admin page, and click the edit button beside a user other than the admin user.
- Click Reset Mobile App Credentials and click OK.
- Go back to the Admin page and click the edit button beside the user again.
- Click Reset Security Key Credentials and click OK.
- Repeat the above checks for the logged-in user's account and confirm that they pass.
### Logging in as a user with an invalid OTP secret

- `docker exec -it securedrop-dev-0 sqlite3 /var/lib/securedrop/db.sqlite`
- `select username, otp_secret from journalists where is_hotp=1` - and change their OTP secret to a valid ASCII-encoded but less-than-16-char string, i.e. `GARBAGE`, with `update journalists set otp_secret='GARBAGE' where username='<your user here>'`
- `oathtool -b --hotp "GARBAGE"`
- `JHCOGO7VCER3EJ4L`) secret and confirm that the user can log in

## Deployment
No deployment-sensitive changes were introduced in this
## Checklist

- If you made changes to the server application code:
  - (`make lint`) and tests (`make test`) pass in the development container
- If you made changes to `securedrop-admin`:
  - (`make -C admin test`) pass in the admin development container
- If you made changes to the system configuration:
- If you added or removed a file deployed with the application:
- If you made non-trivial code changes:
- Choose one of the following:
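The two checks this PR describes, written out as an added Python example that is not code from SecureDrop or from this PR: the `HOTP Secret` form validation using the error strings quoted in the test plan above (40 hex characters, whitespace ignored), a login-time floor of 80 bits on the stored base32 secret (so `GARBAGE` is rejected and `JHCOGO7VCER3EJ4L` passes), and an RFC 4226 HOTP implementation so the token printed by `oathtool -c <counter> --hotp <hex>` can be reproduced offline. The function names, the unpadded-base32 storage form, the 20-step look-ahead window and the RFC 4226 test-vector secret (`3132…3930`, which happens to be exactly 40 hex characters) are assumptions of the example, not details of the project.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Error strings quoted from the PR's test plan.
MSG_REQUIRED = 'The "otp_secret" field is required when "is_hotp" is set.'
MSG_FORMAT = "Invalid HOTP secret format: please only submit letters A-F and numbers 0-9."
MSG_LENGTH = "The HOTP secrets are 40 characters long - you have entered {n}."

HOTP_HEX_LEN = 40          # 160 bits, the length enforced on the New User form
MIN_OTP_SECRET_BYTES = 10  # 80 bits, the login-time floor described in the PR

# RFC 4226 Appendix D test-vector secret, ASCII "12345678901234567890".
# Constructed input for the usage below (assumption: not a project fixture).
RFC4226_HEX = "31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30"


def validate_hotp_secret_input(is_hotp: bool, raw: str):
    """Validate the 'HOTP Secret' form field.

    Returns (normalized_hex_or_None, error_message_or_None). Whitespace is
    dropped first so a secret pasted with spaces between byte pairs, as a
    Yubikey personalization tool prints it, is accepted.
    """
    if not is_hotp:
        return None, None
    secret = re.sub(r"\s+", "", raw or "")
    if not secret:
        return None, MSG_REQUIRED
    if not re.fullmatch(r"[0-9A-Fa-f]+", secret):
        return None, MSG_FORMAT
    if len(secret) != HOTP_HEX_LEN:
        return None, MSG_LENGTH.format(n=len(secret))
    return secret.upper(), None


def hex_to_base32(hex_secret: str) -> str:
    """Re-encode a validated hex secret as unpadded base32 for storage
    (assumption: storage form inferred from the JHCOGO7VCER3EJ4L fixture)."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii").rstrip("=")


def _b32decode_lenient(otp_secret: str) -> bytes:
    """Decode base32 that may have been stored without '=' padding."""
    s = (otp_secret or "").strip().upper()
    if not re.fullmatch(r"[A-Z2-7]+", s):
        raise binascii.Error("not base32")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def stored_secret_is_usable(otp_secret: str) -> bool:
    """Login-time check: the stored secret must decode as base32 and be at
    least MIN_OTP_SECRET_BYTES long. 'GARBAGE' decodes to 4 bytes and is
    rejected; a 16-character base32 secret is exactly 10 bytes and passes."""
    try:
        return len(_b32decode_lenient(otp_secret)) >= MIN_OTP_SECRET_BYTES
    except binascii.Error:
        return False


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, modulo 10**digits. Equals `oathtool -c <counter> --hotp <hex>`
    for the same key."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(stored_b32: str, token: str, counter: int, look_ahead: int = 20):
    """Accept `token` if it matches any counter in [counter, counter+look_ahead]
    and return the next counter to store, else None. The length check runs
    before any HMAC so a short or garbled secret can never authenticate."""
    if not stored_secret_is_usable(stored_b32):
        return None
    key = _b32decode_lenient(stored_b32)
    expected = [hotp(key, c).encode("ascii") for c in range(counter, counter + look_ahead + 1)]
    for i, value in enumerate(expected):
        if hmac.compare_digest(value, token.encode("ascii", "replace")):
            return counter + i + 1
    return None


if __name__ == "__main__":
    normalized, err = validate_hotp_secret_input(True, RFC4226_HEX)
    assert err is None
    stored = hex_to_base32(normalized)
    print("stored:", stored, "usable:", stored_secret_is_usable(stored))
    for c in range(3):
        print("counter", c, "->", hotp(bytes.fromhex(normalized), c))
    print("GARBAGE usable:", stored_secret_is_usable("GARBAGE"))
```

Run with `oathtool -c 0 --hotp 3132333435363738393031323334353637383930` alongside to confirm both sides print `755224`; the base32 floor is deliberately applied before any HMAC so that an account whose `otp_secret` was shortened or corrupted in the database fails closed at login rather than producing a weak-but-valid token.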