Watch Out about SSL and Also md5(). Use sha1() Instead

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Watch Out about SSL and Also md5(). Use sha1() Instead

Post by volomike »

Read this...

http://hackaday.com/2008/12/30/25c3-hac ... -200-ps3s/

So basically, some guys in China have figured out how to make two separate files have the same md5 hash. Okay, that blows usage of md5() in PHP. Next, some other guys recently used that technique on a larger scale and were able to mimic Verisign certs for websites without having to pay Verisign. (Gosh, almost makes you want to go off and make one for all your sites, doesn't it?) Yeah, and that's a problem because now a guy with some advanced equipment in a van outside a wireless cafe can spoof PayPal or a bank site, even making it have an authentic Verisign cert that isn't authentic.

So, the advice is to use sha1() instead of md5() in PHP, but then we're likely to see improvements on SSL come forward out of this. I just hope it won't slow down the Internet, and that no one gets hacked while the Internet committees are working on the security improvements.

Oh, and as a side note, the RIAA is using the md5() algorithm in their court cases against illegal file sharers. They are impounding the evidence, performing an md5() hash check on all system files, and if they find a match and see that this was evidently shared from the same IP and that the person had a file sharing program on their PC, they are claiming the user broke the law. Well, now one can use this info I have here about md5() to show that finding an md5() file match is not proof alone that the file on the hard drive was not the one shared by that IP at that prior time.
Peter Anselmo
Forum Commoner
Posts: 58
Joined: Wed Feb 27, 2008 7:22 pm

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Post by Peter Anselmo »

I like the Wall of PS3's. Let's give a cheer to Sony and Microsoft's business model that gives us computer hardware below cost.

It's a familiar cycle with encryption:

New stronger encryption introduced -> Computers get faster -> Encryption is broken -> New stronger encryption introduced...
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Post by alex.barylski »

volomike wrote:PayPal or a bank site, even making it have an authentic Verisign cert that isn't authentic.
I Googled out of curiosity and found this: http://news.cnet.com/8301-1009_3-101296 ... riesArea.1

Yikes. I won't be doing any online banking for a while :P
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Post by kaisellgren »

Finally.

I was waiting for this to happen. MD5 was broken ever since '04, so it took roughly 5 years to exploit MD5 for 'valid' certificates.

In my opinion, moving from MD5 to SHA-1 is not a good choice.
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Post by volomike »

kaisellgren wrote:In my opinion, moving from MD5 to SHA-1 is not a good choice.
I'm actually not that familiar with the pluses and minuses of sha1() vs. md5() except sha1() generates a longer result than the other and sha1() hasn't been hacked yet that I'm aware of.

So, fill me in if you could, please.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Post by kaisellgren »

volomike wrote:
kaisellgren wrote:In my opinion, moving from MD5 to SHA-1 is not a good choice.
I'm actually not that familiar with the pluses and minuses of sha1() vs. md5() except sha1() generates a longer result than the other and sha1() hasn't been hacked yet that I'm aware of.

So, fill me in if you could, please.
I am very aware of the performance drop when using higher-level hashes like SHA-3, RSA 2048-bit or something else, because I have tested it myself on a busy site.

Still, servers are getting better and better, same applies to personal computers. We should jump over SHA-1 at once.

I am so excited about powerful yet cheap servers nowadays; SSDs are also coming soon :D There's already one host using them at production level.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Post by Mordred »

The same Chinese team who found problems with MD5 have also found problems with SHA-1 (not the same ones IIRC). That's why the SHA-2 functions are currently recommended for use (SHA-256 in particular) and there is another public competition for a new hash function out there (Go go Bruce Schneier ;) )

As for the SHA-2 functions being slower, I'll loosely quote Schneier, that we have enough fast and insecure systems out there.
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Post by volomike »

Here's how to do sha2() since PHP doesn't have it:

on versions of PHP earlier than 5.1.2 (needs the mhash extension)...
function sha2($s) {
    // mhash() returns the raw digest bytes; bin2hex() turns them into the
    // usual 64-character hex string, the same form hash('sha256') returns
    return bin2hex(mhash(MHASH_SHA256, $s));
}
on versions of PHP after that (hash extension, bundled by default)...
function sha2($s) {
    return hash('sha256', $s);
}

SOURCES:
http://us3.php.net/manual/en/function.sha1.php#71213
http://www.php.net/manual/en/ref.hash.php

To see the full range of hash algorithms you might have, check out:

print_r(hash_algos());

On my PHP on Ubuntu 8.04.1 workstation, I get:

Array ( [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha256 [5] => sha384 [6] => sha512 [7] => ripemd128 [8] => ripemd160 [9] => ripemd256 [10] => ripemd320 [11] => whirlpool [12] => tiger128,3 [13] => tiger160,3 [14] => tiger192,3 [15] => tiger128,4 [16] => tiger160,4 [17] => tiger192,4 [18] => snefru [19] => gost [20] => adler32 [21] => crc32 [22] => crc32b [23] => haval128,3 [24] => haval160,3 [25] => haval192,3 [26] => haval224,3 [27] => haval256,3 [28] => haval128,4 [29] => haval160,4 [30] => haval192,4 [31] => haval224,4 [32] => haval256,4 [33] => haval128,5 [34] => haval160,5 [35] => haval192,5 [36] => haval224,5 [37] => haval256,5 )

...and then there's also mcrypt(), but that's if you want to create something you can encrypt and unencrypt. Instead, the hash is a one-way thing where you encrypt with no way back, and use that to compare against an already known value.

BTW, on my Ubuntu workstation, it says I have this available for me from mcrypt after doing print_r(mcrypt_list_algorithms());.

Array ( [0] => cast-128 [1] => gost [2] => rijndael-128 [3] => twofish [4] => arcfour [5] => cast-256 [6] => loki97 [7] => rijndael-192 [8] => saferplus [9] => wake [10] => blowfish-compat [11] => des [12] => rijndael-256 [13] => serpent [14] => xtea [15] => blowfish [16] => enigma [17] => rc2 [18] => tripledes )

One can also use crc32 and tack on that value somehow as a parse-able prefix or suffix so that you have a double check to ensure one didn't disturb the hash improperly.

So, a lot to think about. I mean, for me, I like shorter strings, so I might be inclined to add some known random value slots in the prefix or suffix, such as the first 5 numbers are bogus and random. And then I might add a crc32 (parse-ably placed, of course) so that I could check the integrity of the hash coming into me. This ensures that I have the smallest hash possible. By using that technique, you might be able to keep using md5().
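An added example, not code from the thread or from php.net, showing the same switch to SHA-256 through the hash extension with the two checks a practitioner would add around it: confirming the algorithm is really in hash_algos() before relying on it, and comparing digests with hash_equals() so timing does not leak how much of a guess matched. It also shows hash_hmac() as the keyed alternative to the crc32 suffix idea above, since a plain checksum can be recomputed by whoever alters the value. It assumes PHP 5.6 or later for hash_equals(); the secret and the sample input are placeholders.

```php
<?php
// Added example (not from the thread). Needs the hash extension (bundled
// since PHP 5.1.2) and PHP >= 5.6 for hash_equals().

function sha2($s, $algo = 'sha256')
{
    // hash_algos() lists what this build actually supports; fail loudly
    // instead of silently falling back to md5/sha1.
    if (!in_array($algo, hash_algos(), true)) {
        throw new RuntimeException("hash algorithm $algo is not available");
    }
    return hash($algo, $s); // lowercase hex, 64 characters for sha256
}

function digest_matches($expectedHex, $s, $algo = 'sha256')
{
    // hash_equals() compares in constant time, so a wrong guess does not
    // reveal through response timing how many leading characters matched.
    return hash_equals($expectedHex, sha2($s, $algo));
}

function keyed_digest($secret, $s)
{
    // A keyed MAC lets the receiver check that a value was not tampered
    // with; a crc32 prefix or suffix gives no such guarantee, because
    // anyone who changes the value can recompute the checksum too.
    return hash_hmac('sha256', $s, $secret);
}

// Constructed sample input and placeholder secret, not from the thread.
$input  = 'hello world';
$secret = 'server-side-secret-placeholder';

// Digest lengths in hex characters for the algorithms discussed above.
foreach (array('md5', 'sha1', 'sha256', 'sha512') as $algo) {
    printf("%-7s %3d hex chars: %s\n", $algo, strlen(hash($algo, $input)), hash($algo, $input));
}

$stored = sha2($input);
var_dump(digest_matches($stored, $input));
var_dump(digest_matches($stored, 'hello worle'));

$tag = keyed_digest($secret, $input);
var_dump(hash_equals($tag, keyed_digest($secret, $input)));
var_dump(hash_equals($tag, keyed_digest($secret, 'hello worle')));
```

Run it with `php example.php`; the first loop makes the size difference between md5(), sha1() and the SHA-2 digests concrete, and the var_dump lines show the match and mismatch cases for both the plain digest and the keyed one.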
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Post by kaisellgren »

Mordred wrote:The same Chinese team who found problems with MD5 have also found problems with SHA-1 (not the same ones IIRC). That's why the SHA-2 functions are currently recommended for use (SHA-256 in particular) and there is another public competition for a new hash function out there (Go go Bruce Schneier ;) )

As for the SHA-2 functions being slower, I'll loosely quote Schneier, that we have enough fast and insecure systems out there.
I'm rooting for him (Bruce).

Skein is the name of the hash by the way.