MariaDB Server: MDEV-35254

PARSEC plugin should allow DBAs to specify number of iterations

Details

    Description

      Currently it is not possible with the PARSEC plugin to define the number of iterations to be used when generating the key corresponding to the password.

      To ensure proper security for users long term, the PARSEC plugin should allow specifying the number of iterations. Additionally, the default should be something more secure. According to wikipedia currently:

      In 2023, OWASP recommended to use 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.
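      The request above has two parts: an operator-settable iteration count, and a stored parameter so that existing accounts can be migrated when the default is raised. The following is an added illustration, not code from the PARSEC plugin or from MariaDB; it uses Python's standard hashlib.pbkdf2_hmac and a hypothetical record format (hash name, iterations, salt, key) to show how a configurable count, a check against the OWASP figures quoted above, and a re-hash on the next successful login fit together.

```python
import hashlib
import hmac
import os
import time

# Minimum iteration counts quoted in this issue (OWASP, 2023), keyed by the
# PBKDF2 inner hash. Used only as a policy check in this example.
OWASP_2023_MIN_ITERATIONS = {"sha256": 600_000, "sha512": 210_000}


def derive_key(password: str, salt: bytes, iterations: int,
               hash_name: str = "sha512", dklen: int = 32) -> bytes:
    """PBKDF2-HMAC with an explicit, caller-chosen iteration count."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                               salt, iterations, dklen)


def make_record(password: str, iterations: int,
                hash_name: str = "sha512") -> str:
    """Hypothetical stored form: hash$iterations$salt$key (all parameters kept
    next to the key so the count can be raised later without a reset)."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations, hash_name)
    return f"{hash_name}${iterations}${salt.hex()}${key.hex()}"


def parse_record(record: str):
    hash_name, iters, salt_hex, key_hex = record.split("$")
    return hash_name, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify(password: str, record: str) -> bool:
    hash_name, iters, salt, key = parse_record(record)
    candidate = derive_key(password, salt, iters, hash_name, len(key))
    # Constant-time comparison of the derived key against the stored one.
    return hmac.compare_digest(candidate, key)


def meets_recommendation(record: str) -> bool:
    """True if the stored count is at or above the quoted OWASP figure."""
    hash_name, iters, _, _ = parse_record(record)
    return iters >= OWASP_2023_MIN_ITERATIONS.get(hash_name, 0)


def verify_and_upgrade(password: str, record: str, target_iterations: int):
    """Login-time migration: if the password is correct and the stored count
    is below the configured target, return a fresh record at the new count."""
    if not verify(password, record):
        return False, record
    hash_name, iters, _, _ = parse_record(record)
    if iters < target_iterations:
        return True, make_record(password, target_iterations, hash_name)
    return True, record


def time_derivation(iterations: int, hash_name: str = "sha512") -> float:
    """Seconds for one derivation; lets a DBA size the count to the server."""
    start = time.perf_counter()
    derive_key("benchmark-password", b"\x00" * 16, iterations, hash_name)
    return time.perf_counter() - start


if __name__ == "__main__":
    old = make_record("correct horse battery staple", 1000)
    print("old record meets OWASP figure:", meets_recommendation(old))
    ok, new = verify_and_upgrade("correct horse battery staple", old, 210_000)
    print("login ok:", ok, "- upgraded:", meets_recommendation(new))
    for n in (1000, 210_000):
        print(f"{n:>8} iterations (sha512): {time_derivation(n):.3f}s")
```

      Storing the iteration count with the hash is what makes a later change of the default safe: verification always uses the count the record was created with, and the upgrade happens only after a successful login, when the plaintext password is momentarily available.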


          Activity

            cvicentiu Vicențiu Ciorbaru added a comment - serg FYI

            nikitamalyavin Nikita Malyavin added a comment - cvicentiu, let me put a wider context on current status of research groups' recommendations.

            OWASP formulation for the recommendation is currently the following:

            • If FIPS-140 compliance is required, use PBKDF2 with a work factor of 600,000 or more and set with an internal hash function of HMAC-SHA-256.

            At the same time, after several suggestions to increase the number of recommended iterations to 600000 for SHA-256, the new version of NIST has removed the exact numbers completely:

            The major decision in SP 800-132 was the selection of the iteration count. NIST initially considered setting the minimum value to 1000. Later, NIST decided to recommend the iteration count to be as large as possible, without providing a minimum value. This decision was made considering various capabilities of target environments.


            People

              nikitamalyavin Nikita Malyavin
              cvicentiu Vicențiu Ciorbaru