
more security

Posted: Wed Aug 05, 2015 7:06 pm
by Vegan
I have seen so many hacks with various sites that I have been working harder to come up with some new ideas

so I found this PHP function which is not intrinsic to try to come up with a better password protection tool

not sure how rock solid this code is, but it seems to be OK, but maybe somebody with more understanding of PHP can comment?

Code:

<?php
/*
 * PBKDF2 key derivation function as defined by RSA's PKCS #5: https://www.ietf.org/rfc/rfc2898.txt
 * $algorithm - The hash algorithm to use. Recommended: SHA256
 * $password - The password.
 * $salt - A salt that is unique to the password.
 * $count - Iteration count. Higher is better, but slower. Recommended: At least 1000.
 * $key_length - The length of the derived key in bytes.
 * $raw_output - If true, the key is returned in raw binary format. Hex encoded otherwise.
 * Returns: A $key_length-byte key derived from the password and salt.
 *
 * Test vectors can be found here: https://www.ietf.org/rfc/rfc6070.txt
 *
 * This implementation of PBKDF2 was originally created by https://defuse.ca
 * With improvements by http://www.variations-of-shadow.com
 */
function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false)
{
    $algorithm = strtolower($algorithm);
    if(!in_array($algorithm, hash_algos(), true))
        trigger_error('PBKDF2 ERROR: Invalid hash algorithm.', E_USER_ERROR);
    if($count <= 0 || $key_length <= 0)
        trigger_error('PBKDF2 ERROR: Invalid parameters.', E_USER_ERROR);

    if (function_exists("hash_pbkdf2")) {
        // The output length is in NIBBLES (4-bits) if $raw_output is false!
        if (!$raw_output) {
            $key_length = $key_length * 2;
        }
        return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output);
    }

    $hash_length = strlen(hash($algorithm, "", true));
    $block_count = ceil($key_length / $hash_length);

    $output = "";
    for($i = 1; $i <= $block_count; $i++) {
        // $i encoded as 4 bytes, big endian.
        $last = $salt . pack("N", $i);
        // first iteration
        $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
        // perform the other $count - 1 iterations
        for ($j = 1; $j < $count; $j++) {
            $xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
        }
        $output .= $xorsum;
    }

    if($raw_output)
        return substr($output, 0, $key_length);
    else
        return bin2hex(substr($output, 0, $key_length));
}
?>

Re: more security

Posted: Wed Aug 05, 2015 8:38 pm
by Celauran
What's wrong with good old password_hash?

Re: more security

Posted: Fri Aug 07, 2015 1:34 pm
by Vegan
I was looking to get around the problem of all the hacked sites out there, take your pick for who has been broken into

I use a 128-bit password for my web site FTP to prevent unauthorized uploading etc

Re: more security

Posted: Fri Aug 07, 2015 2:51 pm
by Christopher
Vegan wrote:I was looking to get around the problem of all the hacked sites out there, take your pick for who has been broken into
I don't see how the problems other sites have relate directly to your site. Use password_hash() with a currently acceptable encryption algorithm and bit size.

Password hashing mainly helps if your site is hacked and the user database is stolen. Well-hashed passwords will make it very difficult to determine the password.

Strong passwords help for login accounts.

Otherwise, sites get hacked for reasons that have nothing to do with hash strength.
Vegan wrote:I use a 128-bit password for my web site FTP to prevent unauthorized uploading etc
Don't use FTP -- only SSH and SFTP.

Re: more security

Posted: Fri Aug 07, 2015 3:06 pm
by Vegan
Azure uses ftps:// so it's already using SSH

but I am expanding my code base to secure assets generally as it seems miscreants are using everything imaginable and more to hack into everything

did you see this?

http://evertpot.com/password-hash-ew/

Re: more security

Posted: Fri Aug 07, 2015 5:02 pm
by Christopher
Vegan wrote: Azure uses ftps:// so it's already using SSH
Good. You said FTP so I was concerned you were not using encrypted connections.
Vegan wrote:but I am expanding my code base to secure assets generally as it seems miscreants are using everything imaginable and more to hack into everything
Well ... good. But there are lots of different ways to harden web servers running PHP applications. My point was that the password algorithm is a small and fairly simple part of that landscape. The solution is to use the currently recommended algorithms and bit sizes. The recommendations are fairly easy to find.
Vegan wrote:did you see this?

http://evertpot.com/password-hash-ew/
That's the strangest article I have read in a while. The person's thesis:
If code for PHP is required to be written in C to be considered legitimate and dependable, I think we need to admit we have a problem.
The fact that no one is saying that does not stop them from going on and on. The whole thing seems weirdly misguided ...

- They don't seem to understand that all of PHP is written in C. I can't believe they don't know that.

- They call C, one of the most important languages in the world, an unmanaged language?!

- That PHP functions will be somehow less well tested than functions you write yourself. Given how widely PHP is used, its functions get better testing than all but the most popular userland libraries.

- Does not seem to understand why it is better to write compute-intensive functions in C rather than PHP.

- Does not seem to understand the difference between PHP and languages like Python and C.

- Does not seem to like having anything added to the language.

- Apparently was against the password_*() functions from the beginning. One of the few.

Re: more security

Posted: Fri Aug 07, 2015 6:08 pm
by Vegan
All I know is that this chunk of code seems like it had some potential as a tool for dealing with break-ins

I am assuming I cannot find all the holes so I am working instead to minimize the losses

this code has a salt as well as an iterative approach that works to make sure that recycled passwords are not a problem

been thinking that to make it very robust to maybe use a 256-bit salt with it? that would mean a birthday hack would still need 128-bit worth of brute force which should be safe from swarms of servers

I could make an even bigger salt but I think 256 is robust enough

then with an iterative call, it makes the hash even more hardened

Re: more security

Posted: Sat Aug 08, 2015 10:07 am
by Christopher
Vegan wrote: All I know is that this chunk of code seems like it had some potential as a tool for dealing with break-ins

I am assuming I cannot find all the holes so I am working instead to minimize the losses

this code has a salt as well as an iterative approach that works to make sure that recycled passwords are not a problem

been thinking that to make it very robust to maybe use a 256-bit salt with it? that would mean a birthday hack would still need 128-bit worth of brute force which should be safe from swarms of servers

I could make an even bigger salt but I think 256 is robust enough

then with an iterative call, it makes the hash even more hardened
There is a PHP function that does the same thing as this function (http://php.net/manual/en/function.hash-pbkdf2.php) and has the following caution:
Caution
The PBKDF2 method can be used for hashing passwords for storage. However, it should be noted that password_hash() or crypt() with CRYPT_BLOWFISH are better suited for password storage.
As I have said, use the current recommendation and update it as the recommendation changes. Not sure why you are fixated on password hashing as it is pretty straightforward and simple.
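
Added example, not part of the thread and not the PHP project's own code: one way to follow the advice above when hashes made with a PBKDF2 function like the one in the first post are already stored, moving each account to password_hash() at its next successful login and raising the cost later. The record layout, the constants and the function name verify_and_upgrade are assumptions made for illustration.

```php
<?php
// Added example. Record layout, constants and function name are hypothetical.
const LEGACY_ITERATIONS = 1000; // assumed count used when the old hashes were created
const LEGACY_KEY_BYTES  = 32;
const BCRYPT_COST       = 12;   // assumed current policy; raise it as hardware improves

// Check a login against a stored record and upgrade the record when needed.
// $record: ['scheme' => 'pbkdf2'|'native', 'salt' => hex string, 'hash' => string]
// Returns [bool $ok, array $record] so the caller can persist an upgraded record.
function verify_and_upgrade(string $password, array $record): array
{
    if ($record['scheme'] === 'pbkdf2') {
        // With hex output, hash_pbkdf2() takes the length in hex digits.
        $derived = hash_pbkdf2('sha256', $password, hex2bin($record['salt']),
                               LEGACY_ITERATIONS, LEGACY_KEY_BYTES * 2);
        // Constant-time comparison of the two hex digests.
        if (!hash_equals($record['hash'], $derived)) {
            return [false, $record];
        }
        // Correct password: replace the legacy hash while the plaintext is in hand.
        $new = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return [true, ['scheme' => 'native', 'salt' => '', 'hash' => $new]];
    }

    if (!password_verify($password, $record['hash'])) {
        return [false, $record];
    }
    // Same scheme, but the stored cost may be below the current policy.
    if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $record['hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return [true, $record];
}

// Constructed sample data: one legacy record and one bcrypt record at a low cost.
$salt   = random_bytes(16);
$legacy = ['scheme' => 'pbkdf2', 'salt' => bin2hex($salt),
           'hash' => hash_pbkdf2('sha256', 'correct horse', $salt,
                                 LEGACY_ITERATIONS, LEGACY_KEY_BYTES * 2)];
$weak   = ['scheme' => 'native', 'salt' => '',
           'hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4])];

[$ok1, $upgraded] = verify_and_upgrade('correct horse', $legacy);
[$ok2, $rehashed] = verify_and_upgrade('correct horse', $weak);
[$ok3]            = verify_and_upgrade('wrong guess', $upgraded);

var_dump($ok1, $upgraded['scheme'], $ok2,
         password_get_info($rehashed['hash'])['options']['cost'], $ok3);
```

The salt column stays only for records that have not yet been migrated; password_hash() generates its own salt and stores it inside the hash string.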

Re: more security

Posted: Sat Aug 08, 2015 1:35 pm
by Vegan
I have read a lot of documentation on password reuse and how to get around the problem as best as I can

Re: more security

Posted: Sat Aug 08, 2015 5:32 pm
by Christopher
Maybe I am not understanding how you mean "password reuse" but how are you going to stop people from doing that -- and why? Or do you mean you?

Not relevant ... but relevant ;) : https://xkcd.com/792/

Re: more security

Posted: Wed Aug 12, 2015 7:42 am
by Vegan
Humans are the weak link for securing services so I am looking at all kinds of strategies. Securing everything means a miscreant who breaks in will not have any value. Which is the real benefit of the security tool as I see it, making it all worthless sends them running away fast

Re: more security

Posted: Thu Aug 20, 2015 7:04 pm
by Vegan
Been doing more work on the security idea, probably best practice with all the break-ins to maybe use a 256-bit salt which would be enough to frustrate any hacker including the NSA

also using a longer minimum password of at least 8 symbols would help the chosen hash work better too