more securitry

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

more securitry

Post by Vegan »

I have seen so many hacks with various sites I have been working harder to come up with some new ideas

so I found this PHP function which is not intinsic to try to come up with a better password protection tool

not sure how rock solid this code is, but it seems to be OK, but maybe somebody with more understanding of PHP can comment?

Code: Select all

<?php
/*
 * PBKDF2 key derivation function as defined by RSA's PKCS #5: https://www.ietf.org/rfc/rfc2898.txt
 * $algorithm - The hash algorithm to use. Recommended: SHA256
 * $password - The password.
 * $salt - A salt that is unique to the password.
 * $count - Iteration count. Higher is better, but slower. Recommended: At least 1000.
 * $key_length - The length of the derived key in bytes.
 * $raw_output - If true, the key is returned in raw binary format. Hex encoded otherwise.
 * Returns: A $key_length-byte key derived from the password and salt.
 *
 * Test vectors can be found here: https://www.ietf.org/rfc/rfc6070.txt
 *
 * This implementation of PBKDF2 was originally created by https://defuse.ca
 * With improvements by http://www.variations-of-shadow.com
 */
function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false)
{
    $algorithm = strtolower($algorithm);
    if(!in_array($algorithm, hash_algos(), true))
        trigger_error('PBKDF2 ERROR: Invalid hash algorithm.', E_USER_ERROR);
    if($count <= 0 || $key_length <= 0)
        trigger_error('PBKDF2 ERROR: Invalid parameters.', E_USER_ERROR);

    if (function_exists("hash_pbkdf2")) {
        // The output length is in NIBBLES (4-bits) if $raw_output is false!
        if (!$raw_output) {
            $key_length = $key_length * 2;
        }
        return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output);
    }

    $hash_length = strlen(hash($algorithm, "", true));
    $block_count = ceil($key_length / $hash_length);

    $output = "";
    for($i = 1; $i <= $block_count; $i++) {
        // $i encoded as 4 bytes, big endian.
        $last = $salt . pack("N", $i);
        // first iteration
        $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
        // perform the other $count - 1 iterations
        for ($j = 1; $j < $count; $j++) {
            $xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
        }
        $output .= $xorsum;
    }

    if($raw_output)
        return substr($output, 0, $key_length);
    else
        return bin2hex(substr($output, 0, $key_length));
}
?>
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: more securitry

Post by Celauran »

What's wrong with good old password_hash?
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

Re: more securitry

Post by Vegan »

I was looking to get around the problem of all the hacked sites out there, take your pick for who has been broken into

I use a 128-bit password for my web site FTP to prevent unauthorized uploading etc
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: more securitry

Post by Christopher »

Vegan wrote:I was looking to get around the problem of all the hacked sites out there, take your pick for who has been broken into
I don't see how the problems other sites have relates directly to your site. Use password_hash() with a currently acceptable encryption algorithm and bit size.

Password hashing mainly helps if your site is hacked and the user database is stolen. Well hashed passwords will make it very difficult to determine the password.

Strong passwords help for login accounts.

Otherwise, sites get hacked for reasons that have nothing to do with hash strength.
Vegan wrote:I use a 128-bit password for my web site FTP to prevent unauthorized uploading etc
Don't use FTP -- only SSH and SFTP.
(#10850)
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

Re: more securitry

Post by Vegan »

Azure uses ftps:// so its already using SSH

but I am expanding my code base to secure assets generally as it seems miscreants are using everything imaginable and more to hack into everything

did you see this?

http://evertpot.com/password-hash-ew/
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: more securitry

Post by Christopher »

Vegan wrote:Azure uses ftps:// so its already using SSH
Good. You said FTP so I was concerned you were not using encrypted connections.
Vegan wrote:but I am expanding my code base to secure assets generally as it seems miscreants are using everything imaginable and more to hack into everything
Well ... good. But there are lots of different ways to harden web servers running PHP applications. My point was that the password algorithm is a small and fairly simple part of that landscape. The solution is to use the currently recommended algorithms and bit sizes. The recommendations are fairly easy to find.
Vegan wrote:did you see this?

http://evertpot.com/password-hash-ew/
That's the strangest article I have read in a while. The person's thesis:
If code for PHP is required to be written in C to be considered legitimate and dependable, I think we need to admit we have a problem.
The fact that no one is saying that does not stop them from going on and on. The whole thing seems weirdly misguided ...

- They don't seem to understand that all of PHP is written in C. I can't believe they don't know that.

- They call C, one of the most important languages in the world, is an unmanaged language?!

- That PHP functions will be somehow less well tested than functions you write yourself. Given how widely PHP is used, its functions get better testing that all but the most popular userland libraries.

- Does not seem to understand why it is better to write compute intensive functions in C rather than PHP.

- Does not seem to understand the different between PHP and languages like Python and C

- Does not seem to like having anything added to the language.

- Apparently was against the password_*() functions from the beginning. One of the few.
(#10850)
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

Re: more securitry

Post by Vegan »

All I know is that this chunk of code seems like it had some potential as a tool for dealing break-ins

I am assuming I cannot find all the holes so I am working instead to minimize the losses

this code has a salt as well as an iterative approach that works to made sure that recycled passwords are not a problem

been thinking that to make it very robust to maybe use a 256-bit salt with it? that would mean a birthday hack would still need 128-bit with of brute force which should be safe from swarms of servers

I could make an even bigger salt but I think 256 is robust enough

then with an iterative call, it make the hash even more hardened
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: more securitry

Post by Christopher »

Vegan wrote:All I know is that this chunk of code seems like it had some potential as a tool for dealing break-ins

I am assuming I cannot find all the holes so I am working instead to minimize the losses

this code has a salt as well as an iterative approach that works to made sure that recycled passwords are not a problem

been thinking that to make it very robust to maybe use a 256-bit salt with it? that would mean a birthday hack would still need 128-bit with of brute force which should be safe from swarms of servers

I could make an even bigger salt but I think 256 is robust enough

then with an iterative call, it make the hash even more hardened
There is a PHP function that does the same thing as this function () and has the following caution:
Caution
The PBKDF2 method can be used for hashing passwords for storage. However, it should be noted that password_hash(http://php.net/manual/en/function.hash-pbkdf2.php) or crypt() with CRYPT_BLOWFISH are better suited for password storage.
As I have said, use the current recommendation and update it as the recommendation changes. Not sure why you are fixated on password hashing as it is pretty straightforward and simple.
(#10850)
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

Re: more securitry

Post by Vegan »

I have read a lot of documentation on password reuse and how to get around the problem as best as I can
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: more securitry

Post by Christopher »

Maybe I am not understanding how you mean "password reuse" but how are you going to stop people from doing that -- and why? Or do you mean you?

Not relevant ... but relevant ;) : https://xkcd.com/792/
(#10850)
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

Re: more securitry

Post by Vegan »

Humans are the weak link for securing services so i am looking at all kinds of strategies. By securing everything means a miscreant who beaks in will not have any value. Which is the real benefit of the security tool as I see it, making it all worthless sends them running away fast
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

Re: more securitry

Post by Vegan »

Been doing more work on the security idea, probably best practice with all the break ins to maybe use a 256-bit salt which would enough to frustrate any hacker including the NSA

also using a longer minimum password of at least 8 symbols would help the chosen hash work better too
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
Post Reply