Opinions needed

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


crc
Forum Newbie
Posts: 5
Joined: Thu Jan 13, 2005 10:31 pm

Opinions needed

Post by crc »

Given the following, please give feedback, all welcome.

----------------
Database that holds user information (i.e. id, username, password etc.).
When the user logs on to the site a random 32 character string is generated, then run through md5.

The original 32 character hash is stored in the database. The 32 character hash with the user id appended to the end of it is placed in a cookie and stored on the user's system.

After this happens the login page refreshes (any security problems with meta refreshes?), finds the set cookie, which redirects the user to the index page.

When the index page and all sub pages (member section) find the cookie, they separate the cookie value into the original hash and the user id, then attempt to verify the hash against the hash stored in the database.

The cookies last as long as the session. So a new hash is generated every time the user logs in.

I would like some feedback as far as security is concerned. Also, how much do you think this will affect server performance, as the hashes are checked every time a user refreshes the page or goes to another part of the member section?

Any better ideas, with the exception of sessions?

Thank you everyone.

, crc
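The design described in the post, written out as an added PHP example (this is not crc's code). It follows the same shape, a random per-login token stored server-side and a cookie carrying the token plus the user id, but goes a little beyond the post in two places that are labelled in the comments: the database stores only a hash of the token rather than the token itself, and the comparison is constant-time. An in-memory array stands in for the users table; `issue_login_cookie`, `verify_login_cookie` and `revoke_login` are names chosen for this example.

```php
<?php
// Added example (not crc's code): a per-login server-side token in the spirit
// of the design in the post. Assumptions: an in-memory array stands in for the
// users table, the cookie carries the raw token with the user id appended, and
// SHA-256 is used in place of md5 for the stored value.

declare(strict_types=1);

// Constructed stand-in for the database: user id => stored token hash (or null).
$users = [
    42 => ['username' => 'alice', 'token_hash' => null],
];

/** On successful login: create a fresh random token and store only its hash. */
function issue_login_cookie(array &$users, int $userId): string
{
    // 16 random bytes -> 32 hex characters, from a CSPRNG (not mt_rand/uniqid).
    $token = bin2hex(random_bytes(16));
    // Store a hash, not the token itself, so that reading the database alone
    // does not yield a usable cookie. (The post stores and sends the same value.)
    $users[$userId]['token_hash'] = hash('sha256', $token);
    // Cookie layout: token, delimiter, user id. ':' cannot occur in hex output,
    // so the receiving side can split the value unambiguously.
    return $token . ':' . $userId;
}

/** On every member-area request: split the cookie and verify it against the DB. */
function verify_login_cookie(array $users, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;                       // malformed cookie
    }
    [$token, $userIdStr] = $parts;
    if (!ctype_digit($userIdStr) || !ctype_xdigit($token) || strlen($token) !== 32) {
        return null;                       // wrong shape: reject before any DB work
    }
    $userId = (int) $userIdStr;
    if (!isset($users[$userId]) || $users[$userId]['token_hash'] === null) {
        return null;                       // unknown user, or not logged in
    }
    // Constant-time comparison so the check does not leak through timing.
    $ok = hash_equals($users[$userId]['token_hash'], hash('sha256', $token));
    return $ok ? $userId : null;
}

/** On logout: clearing the stored hash invalidates every copy of the cookie. */
function revoke_login(array &$users, int $userId): void
{
    $users[$userId]['token_hash'] = null;
}

// Demonstration run with the constructed user table.
$cookie = issue_login_cookie($users, 42);
echo "genuine cookie:   ", verify_login_cookie($users, $cookie) !== null ? "accepted" : "rejected", "\n";
echo "wrong token:      ", verify_login_cookie($users, str_repeat('0', 32) . ':42') !== null ? "accepted" : "rejected", "\n";
$tampered = substr($cookie, 0, -2) . '99';   // same token, user id changed to 99
echo "changed user id:  ", verify_login_cookie($users, $tampered) !== null ? "accepted" : "rejected", "\n";
revoke_login($users, 42);
echo "after logout:     ", verify_login_cookie($users, $cookie) !== null ? "accepted" : "rejected", "\n";
```

The per-request cost is one indexed lookup and one hash computation, which is the same order of work a server-side session store does, so the performance question in the post comes down to the database round trip rather than the hash.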
crc
Forum Newbie
Posts: 5
Joined: Thu Jan 13, 2005 10:31 pm

Post by crc »

My bad, posted in wrong section :roll:
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

Maybe I'm missing something, but how is that any better than a session?

If a session id is able to be stolen from the user somehow, so can your special hash.

And for situations where it's not stolen, I don't see anything significantly superior to just adding additional entropy to a regular session id.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

md5 and sha1 are both very fast hashes, so the time spent isn't much of an issue. You may have some problems with the cookies being detected if cookies are off, or in other circumstances.

Moved to Security.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

The user id ought to be in the hash - also expiry time if you want to protect that from tampering.

Code:

<?php
// $expire, $user and $private_string are set before this point
$mac = md5($expire . '+' . $user . '+' . $private_string);
$cookie_value = $expire . '+' . $user . '+' . $mac;

When you get a cookie back, hash the submitted values for $expire and $user along with your private string, then compare that to the submitted $mac value. If the cookie has been tampered with, and $expire or $user have changed, they won't match.
Last edited by McGruff on Sun Aug 07, 2005 3:38 am, edited 1 time in total.
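The verification step McGruff describes, as an added PHP example (not McGruff's code). It keeps the `expire+user+mac` cookie layout from the post but computes the MAC with `hash_hmac` over a server secret instead of `md5(data . secret)`, compares it in constant time, and enforces the expiry, which also covers the timeout point raised later in the thread. `SERVER_SECRET` is a constructed placeholder for a key loaded from configuration; `make_cookie` and `check_cookie` are names chosen for this example.

```php
<?php
// Added example (not McGruff's code): the MAC'd cookie from the post, with the
// MAC computed by HMAC-SHA256 over the fields and the expiry actually enforced.
// Assumptions: $user is a numeric id, and SERVER_SECRET is a placeholder for a
// key kept in configuration outside the web root.

declare(strict_types=1);

const SERVER_SECRET = 'replace-with-a-long-random-secret-from-config';

/** Build the cookie value: expire+user+mac, matching the layout in the post. */
function make_cookie(int $expire, int $user, string $secret = SERVER_SECRET): string
{
    // A keyed MAC rather than md5(fields . secret): HMAC is not subject to the
    // length-extension property of plain md5/sha1 and needs no home-made mixing.
    $mac = hash_hmac('sha256', $expire . '+' . $user, $secret);
    return $expire . '+' . $user . '+' . $mac;
}

/**
 * Verify a submitted cookie. Returns the user id, or null if the cookie is
 * malformed, fails the MAC check (i.e. $expire or $user were changed), or has expired.
 */
function check_cookie(string $cookie, int $now, string $secret = SERVER_SECRET): ?int
{
    $parts = explode('+', $cookie);
    if (count($parts) !== 3) {
        return null;                                   // malformed
    }
    [$expire, $user, $mac] = $parts;
    if (!ctype_digit($expire) || !ctype_digit($user)) {
        return null;                                   // non-numeric fields
    }
    // Recompute the MAC from the submitted fields and compare in constant time.
    $expected = hash_hmac('sha256', $expire . '+' . $user, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;                                   // tampered or forged
    }
    // Only act on $expire once the MAC has vouched for it.
    if ((int) $expire < $now) {
        return null;                                   // expired
    }
    return (int) $user;
}

// Demonstration with constructed values: a cookie for user 1234, valid one hour.
$now    = 1000000;
$cookie = make_cookie($now + 3600, 1234);
echo "fresh cookie:    ", check_cookie($cookie, $now) === 1234 ? "accepted" : "rejected", "\n";

// Change the user field without knowing the secret: the MAC no longer matches.
[$e, $u, $m] = explode('+', $cookie);
$changedUser = $e . '+5678+' . $m;
echo "changed user:    ", check_cookie($changedUser, $now) === null ? "rejected" : "accepted", "\n";

// Push the expiry out without the secret: same result.
$changedExpiry = ($now + 86400) . '+' . $u . '+' . $m;
echo "changed expiry:  ", check_cookie($changedExpiry, $now) === null ? "rejected" : "accepted", "\n";

// A genuine cookie presented after its expiry time.
echo "after expiry:    ", check_cookie($cookie, $now + 7200) === null ? "rejected" : "accepted", "\n";
```

Because the expiry is covered by the MAC, the timeout cannot be extended by editing the cookie; rotating `SERVER_SECRET` invalidates every outstanding cookie at once.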
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

MD5 is not necessarily secure - SHA has, so far, not been compromised. Recent article on Slashdot:
Slashdot wrote:Effugas writes "I've completed an applied security analysis (pdf) of MD5 given Xiaoyun Wang et al's collision attack (covered here and here). From an applied perspective, the attack itself is pretty limited -- essentially, we can create 'doppelganger' blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum. But MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. Wang released the two files needed (but not the collision finder itself). A tool, Stripwire, demonstrates the use of colliding datasets to create two executable packages with wildly different behavior but the same MD5 hash. The faults discovered are problematic but not yet fatal; developers (particularly of P2P software) who claim they'd like advance notice that their systems will fail should take note."
Source: http://developers.slashdot.org/develope ... =172&tid=8
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Seems pretty straightforward. One thing you didn't mention is a timeout. The way it seems, I could login and walk away - leaving my window open. While that would be my own dang problem, you might want to put in some timeout functionality to protect users from themselves.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

Something else to consider, and this will help resolve the timeout issue. Basically, before the user does anything that is "critical", force them to re-enter their password. For example, they can be logged in, but when they finally go to make a purchase, you ask them for a password again.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

patrikG wrote:MD5 is not necessarily secure - SHA has, so far, not been compromised. Recent article on Slashdot:
Slashdot wrote:Effugas writes "I've completed an applied security analysis (pdf) of MD5 given Xiaoyun Wang et al's collision attack (covered here and here). From an applied perspective, the attack itself is pretty limited -- essentially, we can create 'doppelganger' blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum. But MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. Wang released the two files needed (but not the collision finder itself). A tool, Stripwire, demonstrates the use of colliding datasets to create two executable packages with wildly different behavior but the same MD5 hash. The faults discovered are problematic but not yet fatal; developers (particularly of P2P software) who claim they'd like advance notice that their systems will fail should take note."

Unless you are protecting the CIA database I would still consider MD5 safe.
Even more so if you include a private string. The chance that a forged user credential is like the passcode is very close to 0.

For any web application I can think of this is secure enough. The hijacking part and the timeout problem is way more important.
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

AGISB wrote:
patrikG wrote:MD5 is not necessarily secure - SHA has, so far, not been compromised. Recent article on Slashdot:
Slashdot wrote:Effugas writes "I've completed an applied security analysis (pdf) of MD5 given Xiaoyun Wang et al's collision attack (covered here and here). From an applied perspective, the attack itself is pretty limited -- essentially, we can create 'doppelganger' blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum. But MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. Wang released the two files needed (but not the collision finder itself). A tool, Stripwire, demonstrates the use of colliding datasets to create two executable packages with wildly different behavior but the same MD5 hash. The faults discovered are problematic but not yet fatal; developers (particularly of P2P software) who claim they'd like advance notice that their systems will fail should take note."

Unless you are protecting the CIA database I would still consider MD5 safe.
Even more so if you include a private string. The chance that a forged user credential is like the passcode is very close to 0.

For any web application I can think of this is secure enough. The hijacking part and the timeout problem is way more important.
Naturally, security is always a compromise and I agree that timeout etc. is more important than MD5, but implementing SHA doesn't take more effort than MD5 and is more secure, and that is the issue at hand.