Numerical formula from a string?
Posted: Fri Nov 20, 2009 8:38 am
by steve_the_canuck
Hi,
I'd like to create a generic function for performing a simple hash using a formula.
I currently have a function like this to do specific simple hash generations:
public static function getHash($value)
{
    return dechex($value*800122+9);
}
Ideally I'd like it to be like this:
public static function getHash($value, $formula)
{
    return dechex($value.$formula);
}
I've used the string concat operator here but by no means is this the way it would need to be coded. I'm trying to simply convey that the formula is something I'd like to be a variable.
Is there a way of doing what I've shown above? I have tried a few variations and I cannot get it to work.
Thanks,
Steve
Re: Numerical formula from a string?
Posted: Fri Nov 20, 2009 9:04 am
by Mark Baker
You either need to use the dreaded eval() (dreaded because it's intrinsically dangerous unless you have 100% control over the data being evalled) or a formula parser. How sophisticated are your formulae?
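One way to take the formula-parser route instead of eval(), as an added example that is not part of the original thread: a small recursive-descent evaluator for formulas of the kind discussed here (x*200000+3). The function names, the variable name x and the supported grammar are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Grammar: expr := term (('+'|'-') term)*   term := atom (('*'|'/') atom)*
//          atom := integer | 'x' | '(' expr ')'    (no unary minus, no function calls)
function parseExpr(array $t, int &$i, int $x): int
{
    $v = parseTerm($t, $i, $x);
    while (isset($t[$i]) && ($t[$i] === '+' || $t[$i] === '-')) {
        $v = $t[$i++] === '+' ? $v + parseTerm($t, $i, $x) : $v - parseTerm($t, $i, $x);
    }
    return $v;   // with strict_types, an overflow to float raises a TypeError here
}

function parseTerm(array $t, int &$i, int $x): int
{
    $v = parseAtom($t, $i, $x);
    while (isset($t[$i]) && ($t[$i] === '*' || $t[$i] === '/')) {
        $v = $t[$i++] === '*' ? $v * parseAtom($t, $i, $x) : intdiv($v, parseAtom($t, $i, $x));
    }
    return $v;
}

function parseAtom(array $t, int &$i, int $x): int
{
    $tok = $t[$i] ?? '';
    $i++;
    if ($tok === 'x') { return $x; }
    if (ctype_digit($tok)) { return (int) $tok; }
    if ($tok === '(') {
        $v = parseExpr($t, $i, $x);
        if (($t[$i] ?? '') === ')') { $i++; return $v; }
    }
    throw new InvalidArgumentException('malformed formula');
}

function getHash(int $value, string $formula): string
{
    // Allow-list: digits, x, + - * / ( ) and whitespace; anything else is rejected.
    if (preg_match('/[^0-9x+\-*\/()\s]/', $formula)) {
        throw new InvalidArgumentException('unsupported character in formula');
    }
    preg_match_all('/\d+|[x+\-*\/()]/', $formula, $m);
    $i = 0;
    $result = parseExpr($m[0], $i, $value);
    if ($i !== count($m[0])) { throw new InvalidArgumentException('malformed formula'); }
    return dechex($result);
}

var_dump(getHash(42, 'x*800122+9'));   // the formula from the first post, row ID 42 constructed
```

Because the input is only ever tokenised and folded into integers, a formula string can never reach the PHP interpreter, which is the property eval() cannot give.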
Re: Numerical formula from a string?
Posted: Fri Nov 20, 2009 9:12 am
by steve_the_canuck
Mark Baker wrote:You either need to use the dreaded eval() (dreaded because it's intrinsically dangerous unless you have 100% control over the data being evalled) or a formula parser. How sophisticated are your formulae?
They are currently only as sophisticated as the example (x*200000+3), etc. I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.
Steve
Re: Numerical formula from a string?
Posted: Fri Nov 20, 2009 9:38 am
by jayshields
steve_the_canuck wrote:I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.
Why would you ever need to obfuscate the ID of a database row?
Re: Numerical formula from a string?
Posted: Fri Nov 20, 2009 9:57 am
by steve_the_canuck
jayshields wrote:steve_the_canuck wrote:I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.
Why would you ever need to obfuscate the ID of a database row?
Revealing the internal ID's used in your database can give potential hackers something to latch onto. It also achieves better separation between the user tier and the data/business tier of the application from a design perspective.
Re: Numerical formula from a string?
Posted: Fri Nov 20, 2009 10:34 am
by iankent
steve_the_canuck wrote:Revealing the internal ID's used in your database can give potential hackers something to latch onto. It also achieves better separation between the user tier and the data/business tier of the application from a design perspective.
Not really. You can safely give out the ID as long as you have some way of verifying that value when accepting it back from the user. Plus, just giving the ID in the url doesn't mean you have to give away the column or table name, and almost guaranteed every website will use a numerical ID somewhere, so it doesn't really give much away.
edit: as a perfect example, phpbb regularly uses just a userid to identify users, and this is given out to all other users in the member list pages. aside from that, the whole phpbb table structure and code is available for all to see. has it made phpbb less secure? no, it just means their code is up to scratch!
And re separation, doesn't it just make things difficult if you ever need to trace problems through your application, or look through any log files, or manually query the databases? Sticking to a numerical ID will be far easier, and give better performance on your database!
Re: Numerical formula from a string?
Posted: Fri Nov 20, 2009 9:27 pm
by steve_the_canuck
iankent wrote:steve_the_canuck wrote:Revealing the internal ID's used in your database can give potential hackers something to latch onto. It also achieves better separation between the user tier and the data/business tier of the application from a design perspective.
Not really. You can safely give out the ID as long as you have some way of verifying that value when accepting it back from the user. Plus, just giving the ID in the url doesn't mean you have to give away the column or table name, and almost guaranteed every website will use a numerical ID somewhere, so it doesn't really give much away.
edit: as a perfect example, phpbb regularly uses just a userid to identify users, and this is given out to all other users in the member list pages. aside from that, the whole phpbb table structure and code is available for all to see. has it made phpbb less secure? no, it just means their code is up to scratch!
And re separation, doesn't it just make things difficult if you ever need to trace problems through your application, or look through any log files, or manually query the databases? Sticking to a numerical ID will be far easier, and give better performance on your database!
You can make a case that it's ok for revealing internal ID's. You have to judge the security concerns of your own app and what would be the consequences if someone just plugged in an "inappropriate" ID. Obfuscation is just another technique to make it more difficult to guess. With obfuscation - people with knowledge of hashing techniques might be able to figure out what you're doing, but without it, almost anyone with any computer savvy can figure it out.
This is exactly what happened to hotmail a few years back. They had a mailbox ID in their URL and sure enough they had forgotten to do a proper security check of who was accessing a mailbox. An obfuscated ID would have helped them in this case, it would have limited exposure because really it was very easy to just plug in any number you wanted.
Can you guarantee there are no holes in your own app that can't be exploited?
In terms of your point about separation - it's not much more difficult really. It took me about an hour or two to retrofit about 20K lines of code to use obfuscation. It does present some inconvenience, but again it's pretty minor.
But I'm risk averse about this stuff. I guess that's what happens after designing fraud detection systems for banks.
Cheers,
Steve
Re: Numerical formula from a string?
Posted: Sat Nov 21, 2009 12:55 am
by requinix
Wait... So you're saying that revealing internal ID numbers is a security risk?
What about, oh I don't know, practically everything on the web? They're all doing it wrong?
Code:
http://forums.devnetwork.net/posting.php?mode=reply&f=1&t=109225
http://rss.cnn.com/~r/rss/cnn_tech/~3/m_HeT892QDo/index.html
http://yro.slashdot.org/story/09/11/21/0354209/RFID-Fingerprints-To-Fight-Tag-Cloning
http://www.msnbc.msn.com/id/34075908/ns/us_news-washington_post/
And I'm just getting started.
Obfuscation is not security. If you're concerned that someone "just plugged in an inappropriate ID" then it means your application is insecure. Web security point #1: anything and everything that isn't directly generated by your code is inherently unsafe. If you don't check that the requested resource should be viewed by the user then that's your fault.
Re: Numerical formula from a string?
Posted: Sat Nov 21, 2009 2:04 am
by Apollo
steve_the_canuck wrote:They are currently only as sophisticated as the example (x*200000+3), etc. I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.
First of all I agree with the above reactions. Obfuscation is not security. Rather than hiding or obfuscating your IDs, you're better off by simply making your code safe against injection or otherwise manual tampering.
Having said that, I'd still like to answer your question, cause a scenario like this may occur in different forms and circumstances. You could do something like this:
Code:
function getHash( $value, $formula )
{
    switch($formula['method'])
    {
        // method 1: linear formula, returned as a hex string
        case 1: return dechex( $value*$formula['multiplier'] + $formula['delta'] );
        default: return 0;
    }
}
$id = 42; // sample row ID, assumed for illustration
$myMethod = array( 'method'=>1 , 'multiplier'=>200000 , 'delta'=>3 );
$hash = getHash( $id , $myMethod );
// $hash is now dechex($id*200000+3)
If you come up with other hashing algo's later on, you can add a case 2: formula and put whatever parameters you require in the array. Completely safe, yet dynamic and keeps all possibilities open.
Of course, an OOP approach would be more appropriate here, as the idea of customizing (and possibly later on enhancing) your hashing algorithm typically smells like 'overriding functions'.
Code:
class HashMethod // base class with dummy hashing
{
    public function getHash( $value ) { return 0; }
};
function DoHashing( $value, $hashMethod ) // this uses a HashMethod instance to perform hashing
{
    return $hashMethod->getHash($value);
}
// now implement your own hashing by inheriting from HashMethod
class MyHashMethod extends HashMethod
{
    public $multiplier,$delta;
    function __construct( $m, $d )
    {
        $this->multiplier = $m;
        $this->delta = $d;
    }
    public function getHash( $value ) { return dechex( $value*$this->multiplier + $this->delta ); }
};
$id = 42; // sample row ID, assumed for illustration
$myHashing = new MyHashMethod(200000,3);
$hash = DoHashing($id,$myHashing);
// $hash is now dechex($id*200000+3)
I'm sure you get the idea.
Re: Numerical formula from a string?
Posted: Sat Nov 21, 2009 9:43 am
by steve_the_canuck
tasairis wrote:Wait... So you're saying that revealing internal ID numbers is a security risk?
What about, oh I don't know, practically everything on the web? They're all doing it wrong?
Code:
posting.php?mode=reply&f=1&t=109225
http://rss.cnn.com/~r/rss/cnn_tech/~3/m_HeT892QDo/index.html
http://yro.slashdot.org/story/09/11/21/0354209/RFID-Fingerprints-To-Fight-Tag-Cloning
http://www.msnbc.msn.com/id/34075908/ns/us_news-washington_post/
And I'm just getting started.
Obfuscation is not security. If you're concerned that someone "just plugged in an inappropriate ID" then it means your application is insecure. Web security point #1: anything and everything that isn't directly generated by your code is inherently unsafe. If you don't check that the requested resource should be viewed by the user then that's your fault.
As I said, it depends on what you're doing. You are quoting a bunch of news sites and forums. In a case like that, I wouldn't care if the internal ID's were exposed and in fact I might encourage it.
What if I was to put in a URL like this:
Code:
http://www.myrewards123.com/customer/12 ... /view.html
There are a number of security considerations here. What if I am to send the URL to technical support, or put it in an email, or it is simply contained in my browser history for someone to access? There is a security risk in each case. Suddenly information about my account is listed in the URL. Is 90505550 the account number or an internal database ID? In either case, then that's more valuable information that could be used.
It goes without saying the code should check that only an authorized user should be able to view the URL. I have numerous checks in my applications. But still, checks are sometimes missed and I would say obfuscation doesn't hurt in these cases too because it's the most basic level of potential misuse of information.
My general rule is - obfuscate if the data "belongs" to someone and is not intended for public use, and if there is any potential for misuse.
Steve
Re: Numerical formula from a string?
Posted: Sat Nov 21, 2009 9:53 am
by iankent
steve_the_canuck wrote:My general rule is - obfuscate if the data "belongs" to someone and is not intended for public use, and if there is any potential for misuse.
Steve
If somebody intends to misuse then obfuscation does nothing to help. If the data belongs to somebody and not intended for public use, then create additional data that means nothing that is for public use, i.e. an internal database id instead of the customer id. that way there is no useful link between the original data and the public data like there is with an obfuscated string.
the hotmail issue is a non-issue really. as you say, they forgot to do some basic security checks, so that was their fault. and my code probably isn't 100% perfect, but whose is. still, using obfuscation is not a safe alternative to replacing the private data altogether. all you'd need to do is add additional id columns to your tables and output those instead
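The separate, meaningless public ID column suggested in the post above, combined with the per-request ownership check called for earlier in the thread, as an added example that is not part of the original thread. The table and column names, the function names and the use of PDO with an in-memory SQLite database are assumptions of this example.

```php
<?php
declare(strict_types=1);

$db = new PDO('sqlite::memory:');   // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account (
    id        INTEGER PRIMARY KEY,
    public_id TEXT    NOT NULL UNIQUE,
    owner_id  INTEGER NOT NULL,
    balance   INTEGER NOT NULL
)');

// id stays internal (joins, logs, manual queries); public_id is the only value sent out.
function createAccount(PDO $db, int $ownerId, int $balance): string
{
    $publicId = bin2hex(random_bytes(16));   // 128 random bits, not derived from id
    $st = $db->prepare('INSERT INTO account (public_id, owner_id, balance) VALUES (?, ?, ?)');
    $st->execute([$publicId, $ownerId, $balance]);
    return $publicId;
}

// Returns the row only when it exists AND belongs to the logged-in user.
function viewAccount(PDO $db, string $publicId, int $sessionUserId): ?array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $publicId)) {
        return null;                          // not a value this application ever issued
    }
    $st = $db->prepare('SELECT id, balance FROM account WHERE public_id = ? AND owner_id = ?');
    $st->execute([$publicId, $sessionUserId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample rows: user 7 and user 8 each own one account.
$first  = createAccount($db, 7, 1200);
$second = createAccount($db, 8, 50);
var_dump(viewAccount($db, $first, 7) !== null);    // own account
var_dump(viewAccount($db, $second, 7) !== null);   // another user's account, valid public ID
```

The ownership clause in the query is what decides access; the random public ID only removes the arithmetic link between the URL and the primary key.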
Re: Numerical formula from a string?
Posted: Sat Nov 21, 2009 10:20 am
by steve_the_canuck
iankent wrote:
If somebody intends to misuse then obfuscation does nothing to help. If the data belongs to somebody and not intended for public use, then create additional data that means nothing that is for public use, i.e. an internal database id instead of the customer id. that way there is no useful link between the original data and the public data like there is with an obfuscated string.
the hotmail issue is a non-issue really. as you say, they forgot to do some basic security checks, so that was their fault. and my code probably isn't 100% perfect, but whose is. still, using obfuscation is not a safe alternative to replacing the private data altogether. all you'd need to do is add additional id columns to your tables and output those instead
That depends - you can use quite a bit more sophistication in your obfuscation. You can make the URL's generated be time dependent, where you change the hash every 5 or 10 minutes. That really reduces the window of opportunity for misuse.
Yes, you could simply output your database ID as an additional column for simple hash algorithms. But I feel this entire line of reasoning is based on thinking like a programmer. Consider that you have to go through the step of figuring out the mapping/hash algorithm, knowing what the hexadecimal number system is - that is probably less than 1% of my user base. On the other hand, if I do nothing, I leave it wide open to anyone who wants to start typing in numbers - I am an easier target.
There's a kid I know who I have been trying to dissuade from hacking for a while now. But he actually targets other hackers who don't realize he's hacking them. There are varying degrees of stupidity in the hacking world. For sure there are the hackers that will find their way into my application, guess my obfuscation techniques, etc. But I think for every one of those there are just looking for easy prey.
Steve
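A time-limited reference of the kind mentioned in the post above, as an added example that is not part of the original thread: it uses a keyed HMAC over the user ID, the row ID and the expiry time instead of an arithmetic formula. The function names, the token layout and the 600-second lifetime are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Builds "<rowId>.<expires>.<mac>"; the MAC covers the user the reference was issued to,
// the row ID and the expiry, so none of the three can be changed without the key.
function issueRef(int $rowId, int $userId, string $key, int $now, int $ttl = 600): string
{
    $expires = $now + $ttl;
    $mac = hash_hmac('sha256', "$userId:$rowId:$expires", $key);
    return "$rowId.$expires.$mac";
}

// Returns the row ID, or null if the reference is malformed, altered,
// expired, or was issued to a different user.
function resolveRef(string $ref, int $userId, string $key, int $now): ?int
{
    if (!preg_match('/^([1-9]\d{0,17})\.([1-9]\d{0,17})\.([0-9a-f]{64})$/', $ref, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$userId:{$m[1]}:{$m[2]}", $key);
    if (!hash_equals($expected, $m[3])) {   // constant-time comparison
        return null;
    }
    if ((int) $m[2] < $now) {
        return null;
    }
    return (int) $m[1];
}

$key = random_bytes(32);   // constructed for the demo; a deployment loads a stored secret
$now = time();
$ref = issueRef(4711, 7, $key, $now);              // row ID and user IDs are constructed
var_dump(resolveRef($ref, 7, $key, $now));         // same user, inside the window
var_dump(resolveRef($ref, 7, $key, $now + 601));   // same user, after expiry
var_dump(resolveRef($ref, 8, $key, $now));         // presented by a different user
```

A reference that resolves still only names a row; whether the current user may read that row is a separate check made on every request.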