In a recent security advisory, Okta disclosed a vulnerability in their AD/LDAP Delegated Authentication system that existed between July and October 2024. The community's technical analysis reveals deeper insights into the architectural decisions that led to this security issue.
The Technical Root Cause
The vulnerability stems from Okta's implementation of cache key generation using BCrypt. The system concatenated userId, username, and password to create cache keys, but BCrypt's 72-byte limitation proved problematic. When usernames exceeded 52 characters, the password portion could be truncated from the cache key, potentially allowing authentication with just a username using a previously stored cache key.
Design Anti-Patterns Identified
Security experts in the community have highlighted several architectural concerns with Okta's approach. The primary issues include:
- Using BCrypt, a password-hashing algorithm, for cache key generation
- Combining identifiers (userId, username) with secrets (password) in a single hash
- Not accounting for BCrypt's known length limitations
- Improper delimiter handling in the concatenation process
Better Implementation Approaches
The community suggests several alternative approaches that could have prevented this vulnerability:
- Separating password storage from cache key generation
- Using HMAC or dedicated Key Derivation Functions (KDFs) like HKDF for cache key generation
- Implementing proper field length prefixing instead of delimiters
- Separately hashing individual fields before concatenation
Cache Implementation Considerations
The vulnerability's exploitation required specific conditions: either the AD/LDAP agent being unreachable or high traffic situations forcing cache hits. This highlights the delicate balance between performance optimization and security in authentication systems. The community emphasizes that cache invalidation through password changes was likely a key consideration in the original design, though the implementation proved flawed.
Impact and Resolution
Okta has addressed the vulnerability by switching from BCrypt to PBKDF2 for cryptographic operations. Organizations using Okta's AD/LDAP Delegated Authentication should investigate their system logs for potential exploitation between July 23rd and October 30th, 2024, particularly if they have users with usernames of 52 characters or longer.
Industry Response
The security community has expressed concern about Okta's disclosure timing, with the announcement coming late on a Friday afternoon. This has sparked discussion about transparency in security disclosures and the need for more standardized disclosure practices in the identity and access management industry.