Sessionless Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Sessionless Security

Post by Mordred »

VladSun wrote: It still suffers from the "empty challenge string" issue.
...
I.e. the MITM gets the SHA256 of "hashedpassword:lowercaseusername:" - still an offline "dehashing" attack is possible. There is no time window limit for doing this.
And when the MITM has successfully "dehashed" the "hashedpassword:lowercaseusername:" he can respond with a correct challenge-response string to any server sent challenge string.
My mistake was that I thought he was sending hash(password + challenge). If that were the case, one could do rainbow table attacks on the unsalted password.
With the current setup the empty challenge leads to:
hash(username + hash(password)), which is still a "personally salted" password which cannot be attacked with precomputational methods, it will have to be bruteforced.

Continuing this line of thought, since Mallory sits in the middle and has the challenge value (even if he cannot control it, i.e. a read-only MITM scenario) he has:
hash(username + hash(password) + challenge)
Since he knows the username and the challenge, the task is essentially the same as before - brute-forcing a "personally salted" password. Being able to manipulate the challenge doesn't change anything.

So in this case Mallory wouldn't have any advantage over having a writable MITM attack, that's why I said I was wrong in my original scenario (which was much more severe because of the precomputed attack possibility).
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Sessionless Security

Post by VladSun »

Oh, OK. My bad :)
Thanks, Mordred.
There are 10 types of people in this world, those who understand binary and those who don't
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Sessionless Security

Post by VladSun »

Chalks wrote:... HMAC is (sort of... expect another thread in a day or two).
viewtopic.php?f=34&t=69781

And a HMAC function:

Code:

function hmac($algo, $data, $passwd)
{
    /* md5 and sha1 only: map the algorithm name to the pack() format that
       turns its hex digest back into raw bytes (16 / 20 bytes) */
    $algo = strtolower($algo);
    $p = array('md5' => 'H32', 'sha1' => 'H40');

    /* RFC 2104: a key longer than the 64-byte block is hashed first,
       a shorter key is zero-padded up to the block size */
    if (strlen($passwd) > 64) $passwd = pack($p[$algo], $algo($passwd));
    if (strlen($passwd) < 64) $passwd = str_pad($passwd, 64, chr(0));

    $ipad = substr($passwd, 0, 64) ^ str_repeat(chr(0x36), 64);
    $opad = substr($passwd, 0, 64) ^ str_repeat(chr(0x5C), 64);

    /* H(K xor opad . H(K xor ipad . data)); the inner digest is converted
       to raw bytes before the outer hash, the result is returned as hex */
    return $algo($opad . pack($p[$algo], $algo($ipad . $data)));
}
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: Sessionless Security

Post by Maugrim_The_Reaper »

I guess I need to check my tutorial in more depth and address any risks associated with it. Unfortunately the damn thing is getting old in the tooth. The last similar system I used did create a small javascript library for checking, double checking and validating all incoming challenges. I almost DH'd the whole thing but then Firefox would crash probably :).

Just to note the C/R system on the browser is a refuge of last resort :). It should only be used where https is not possible with a browser. It's clearly a second class citizen.

Also, in case it's ever suggested, online web services should never ever use this approach. The accepted non-browser solution is to implement the Diffie Hellman algorithm (just make sure ext/gmp is installed) - for which purpose I've released PEAR's Crypt_DiffieHellman and Zend's Crypt_DiffieHellman (in the ZF Incubator) - to generate a MITM proof shared secret. Thereafter you can sign all messages using HMAC with the shared secret as a salt (and make sure the salt becomes invalid after a specific timeframe). Even then - https is preferable (not to mention more private!).

If anyone wants to update the tutorial themselves give me a shout. More than willing to post in a revised version.
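As an added example that is not part of this thread, here is a PHP verifier for the scheme Mordred analyses (hash(password) as the shared secret, a server-issued challenge) that also applies Maugrim's two points: HMAC for the response and a validity window on the challenge. The function names, the 60-second TTL and the exact response format are assumptions.

```php
<?php
// Added example, not code from the thread. The server keeps hash(password)
// as the shared secret, the client answers HMAC-SHA256 over
// "lowercaseusername:challenge", and the server only accepts a non-empty
// challenge it issued itself, once, within a short time window (assumed).

const CHALLENGE_TTL = 60; // seconds a challenge stays valid

// Issue a fresh random challenge and record when it was handed out.
function issue_challenge(array &$outstanding): string
{
    $challenge = bin2hex(random_bytes(16));
    $outstanding[$challenge] = time();
    return $challenge;
}

// What an honest client computes from the password it knows.
function client_response(string $user, string $password, string $challenge): string
{
    $secret = hash('sha256', $password);   // the "hashedpassword" of the thread
    return hash_hmac('sha256', strtolower($user) . ':' . $challenge, $secret);
}

// Verify a response against the stored hash(password). The challenge is
// consumed whether or not the response matches, so it cannot be replayed.
function verify_response(array &$outstanding, string $user, string $storedSecret,
                         string $challenge, string $response): bool
{
    if ($challenge === '' || !isset($outstanding[$challenge])) {
        return false;                       // empty, or never issued by us
    }
    $issuedAt = $outstanding[$challenge];
    unset($outstanding[$challenge]);        // single use
    if (time() - $issuedAt > CHALLENGE_TTL) {
        return false;                       // expired
    }
    $expected = hash_hmac('sha256', strtolower($user) . ':' . $challenge, $storedSecret);
    return hash_equals($expected, $response); // constant-time comparison
}

// Constructed demonstration: a genuine login, a second use of the same
// challenge, and a response built over an empty challenge.
$outstanding = [];
$stored = hash('sha256', 'correct horse battery staple');
$c = issue_challenge($outstanding);
$r = client_response('Alice', 'correct horse battery staple', $c);
var_dump(verify_response($outstanding, 'Alice', $stored, $c, $r));
var_dump(verify_response($outstanding, 'Alice', $stored, $c, $r));
var_dump(verify_response($outstanding, 'Alice', $stored, '', hash_hmac('sha256', 'alice:', $stored)));
```

These checks close the empty, forged and replayed challenge cases only; as Mordred notes, a passive observer who captures a challenge/response pair can still guess the password offline, which is why Maugrim still prefers https.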