[RFC] More secure hashing

These requests for comments/change have lead to an implemented feature that has been successfully merged into the 3.1/Ascraeus branch. Everything listed in this forum will be available in phpBB 3.1.
Post Reply
User avatar
igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

[RFC] More secure hashing

Post by igorw » Fri Jun 25, 2010 4:57 pm

phpBB 3.0 uses a slightly modified variant of the phpass hashing "framework". This depends on the MD5 hashing algorithm. It is widely known that algorithm is vulnerable to collision and other attacks. The first ones already having been discovered 15 years ago [1].

The phpass homepage reads:
A cut-down and reworked version of phpass (supporting the portable hashes only and requiring PHP 5+) has been integrated into development versions of Drupal leading to the upcoming Drupal 7 release (CVS commit 1, commit 2) after a lengthy discussion and many proposed patches against various development versions of Drupal. There's a notion of upgraded hashes - these are phpass portable hashes of md5() hashes (which were used by older versions of Drupal), with the final hash encodings prefixed with a "U" (for "upgraded"). A more recent lengthy discussion has resulted in Drupal 7 (still not released) switching from MD5 to SHA-512 for the underlying cryptographic primitive in phpass' "portable" hashes (making them less portable) while preserving "read-only" support for the MD5-based portable hashes. This change was made purely for "political" reasons. Drupal 7's SHA-512 based phpass-like hash encoding strings use "$S$" as the hash type identifier.
Proposal

I would like to suggest improving the current hashing in a fully backwards-compatible way.

Instead of using MD5, I suggest using SHA-512, like the drupal folks. The hash function is part of PHP since 5.1.2. Take a look at their implementation.

I also really like the way they use hash type identifiers to mark outdated hashes. Instead of maintaining a user_pass_convert field for outdated hashes I'd suggest to use the same format they do. Here's the types of identifiers that would be needed:
  • $P$ and $H$ - standard phpass
  • $S$ - sha512 phpass, same as drupal 7, I'll call it phpass2
  • $U$ - phpass2(md5(password)), used by drupal 7, not needed for phpBB because there is no upgrade path from 2.0 => 3.1
  • $V$ - phpass(md5(password)), the same as user_pass_convert = 1
  • $W$ - phpass2(phpass(password)), upgrade path from 3.0 => 3.1
  • $X$ - phpass2(phpass(md5(password)), upgrade path from 3.0 => 3.1, but with user_pass_convert = 1
(Please double check this to make sure it's correct)

Since all of this is encapsulated within phpbb_hash and phpbb_check_hash it should be pretty easy to implement. In addition to those two files, upgrade and login scripts will need to be adjusted too. The upgrade script needs to update the phpBB 3.0 hashes for 3.1 and the login script needs to check for these "upgraded" hashes replace them with a brand new full hash.

[1] http://en.wikipedia.org/wiki/MD5#Collis ... rabilities
Last edited by igorw on Mon Jun 28, 2010 10:48 pm, edited 1 time in total.

User avatar
naderman
Product Manager
Product Manager
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany
Contact:

Re: [RFC] More secure hashing

Post by naderman » Fri Jun 25, 2010 8:56 pm

I'm definately in favour of getting rid of that extra field which is ambiguous at best.

User avatar
igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] More secure hashing

Post by igorw » Mon Jun 28, 2010 10:49 pm

Added this section with some more implementation details:
Since all of this is encapsulated within phpbb_hash and phpbb_check_hash it should be pretty easy to implement. In addition to those two files, upgrade and login scripts will need to be adjusted too. The upgrade script needs to update the phpBB 3.0 hashes for 3.1 and the login script needs to check for these "upgraded" hashes replace them with a brand new full hash.

User avatar
igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] More secure hashing

Post by igorw » Tue Jul 06, 2010 4:59 pm

Looks like it's slightly more complicated. The phpass has an embedded salt which needs to be preserved. Currently it's something like: "$H$" + HASH + SALT + "$"

If you just re-hash HASH + SALT you lose the salt, making checking the new hash impossible. So it would need to have to store it as something similar to this: "$W$" + HASH_OF_OLD_HASH + OLD_SALT + NEW_SALT + "$", in order to preserve the hashes.

To do this properly there should be a generalized spec (for migrations), maybe we can work with the drupal and phpass guys to have an official "phpass2" and a shared (preferably OO-based) implementation. For the drupal guys it's currently easy because they do not have an upgrade path involving salts.

User avatar
igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] More secure hashing

Post by igorw » Sat Jul 17, 2010 6:49 pm

I have talked to both the drupal people and Alexander aka Solar Designer, the creator of phpass.
Solar Designer wrote:Hi Igor,
I am Igor Wiedler (aka eviL<3) from the phpBB community. As you already know, phpBB3 includes phpass. With the drupal 7 efforts for using a more advanced hashing algorithm (SHA-256 or SHA-512) we have also started discussing this for a future phpBB release.
Yeah, I guess that's another reason why Drupal's move was a bad one:
others may follow. :-(
phpass supports PHP3 and PHP4, because of this legacy however, it is limited to using sha1/md5.
...and that's quite fine. By now, I certainly regret ever mentioning
this in a source code comment as a limitation. It's so negligible of a
limitation compared to, say, SHA-256 that it shouldn't have been mentioned.
What I actually had in mind when writing the comment was that the code
had to be limited to a non-password-hashing-intended cryptographic
primitive, which results in PHP code overhead being too significant
(I mean the ratio of CPU time spent in the crypto code vs. the overhead).
Things are the same in this respect for SHA-256 and SHA-512.
PHP 5.2.0 was released almost 4 years ago. Many projects are now pushing to get PHP 5.2.0 support on hosts. This also means support for better hashing algorithms.
Well, SHA-256 and SHA-512 are not any better for this purpose.

Truly better algorithms are available starting with PHP 5.3.0 -
CRYPT_BLOWFISH, which phpass readily supports (and prefers), is
guaranteed to be available on that version. If you go further to
5.3.2+, you're guaranteed to also have CRYPT_SHA512, which is about the
same as CRYPT_BLOWFISH for security, but some people may prefer it for
political reasons (which I disagree with, though).

Simply switching the phpass "portable hashes" code to use SHA-512
instead of MD5 for the crypto primitive does not get you anywhere near
CRYPT_SHA512. You're still stuck at the same level of security that you
currently achieve with the MD5-based phpass code.

So I see absolutely no technical reason to go for that. The Drupal
folks were plain wrong and/or they were doing this for non-technical
and non-security reasons.

So my advice is that you refrain from making a change until you can
require PHP 5.3.0+ (then go for CRYPT_BLOWFISH) or 5.3.2+ (then go for
CRYPT_SHA512). These would actually significantly improve security -
for reasons completely unrelated to the crypto primitive change.
It's the greater code efficiency (no inefficient PHP-code loop) which
will help make password stretching significantly more effective.
With drupal and phpBB3 there would be two big projects doing a "phpass" upgrade. It would be much better if these changes could go directly into phpass, maybe some sort of phpass2 or phpass-ng.
Well, if I cannot prevent these changes from being made - and I've
already failed in the case of Drupal - then maybe leading the effort is
a viable option - just to mitigate the damage. But I am not eager to
jump into it.
One of the challenges we are facing at phpBB is hash upgrades. Upgrading a md5 hash is easy. But for our existing phpass hashes we also need to store the phpass salt. Having a generic solution to this problem would be beneficial to other projects as well.
Upgrading the existing phpass MD5-based hashes to similar hashes based
on SHA-512 is similarly almost pointless.

Now, if you ever go for CRYPT_BLOWFISH or CRYPT_SHA512, then I'd agree -
replace/upgrade the older "portable" hashes as users log in. We could
also invent some upgrade mechanism not tied to user logins, but it will
have many drawbacks.
I would be interested in working with you and the drupal people (and anyone else interested) to have a solid (preferably but not necessarily OO) standard implementation for SHA-512 based phpass and upgrades/migrations from MD5 and phpass to phpass-ng (or whatever it would be called).
Understood. Thank you for contacting me about this.

Do you feel this is completely unavoidable for phpBB, or is there a good
chance you'd be willing to "jump over" this breakage and only start
making changes when you can require 5.3.0+?

If this is unavoidable, then maybe I'll consider getting involved...

I assume you've read this thread? -

http://drupal.org/node/723802

and the relevant pieces of this article? -

http://www.openwall.com/articles/PHP-Users-Passwords

Thanks again,

Alexander
From this response I'd say it's probably a better idea to postpone changing phpass and put it into phpBB4, with a requirement of PHP 5.3.0 or 5.3.2. We can always consider backporting it to phpBB3.x once PHP 5.3 is widely deployed. And to keep these hashes truly portable, we should use the standard implementation of phpass (ideally using CRYPT_SHA512) once it is available.

User avatar
A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: [RFC] More secure hashing

Post by A_Jelly_Doughnut » Sat Jul 17, 2010 8:29 pm

evil<3 wrote:From this response I'd say it's probably a better idea to postpone changing phpass and put it into phpBB4, with a requirement of PHP 5.3.0 or 5.3.2. We can always consider backporting it to phpBB3.x once PHP 5.3 is widely deployed. And to keep these hashes truly portable, we should use the standard implementation of phpass (ideally using CRYPT_SHA512) once it is available.
I also see no reason to change it at this time.
A_Jelly_Doughnut

User avatar
naderman
Product Manager
Product Manager
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany
Contact:

Re: [RFC] More secure hashing

Post by naderman » Sun Jul 18, 2010 4:23 am

I agree that there is probably no point in changing things at all for 3.1. I would definately prefer to have an external library properly used over some patched version of it in the middle of one of our files, but maybe leaving it as is makes most sense for now.

User avatar
bantu
3.0 Release Manager
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany
Contact:

Re: [RFC] More secure hashing

Post by bantu » Sun Jul 18, 2010 4:01 pm

Yeah, sounds like it would be better to postpone this. It doesn't have to be phpBB4 though, there might be a phpBB 3.2.x which could then require PHP 5.3.0.

visionviper
Registered User
Posts: 6
Joined: Sat Feb 04, 2012 4:26 am

[RFC] Update password hashing algorithm

Post by visionviper » Sat Feb 04, 2012 4:44 am

Note: topic title changed from "Update encryption standards" to reflect the discussion that seems to be taking place more accurately.

As I am sure all of you know, phpBB still heavily relies on md5 for password encryption. In the beginning of 2009 US-CERT posted a vulnerability notice about md5. Included in the descriptions of vulnerabilities it's stated:
US-CERT wrote:Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.
It's time to get phpBB off of using md5 and using stronger encryption standards. What I am proposing is this: When phpBB is installed (or upgraded) it takes a look to see if mcrypt is installed and what encryption is supported. It will then pick the best available (such as AES or Twofish) and uses that.

I would love to personally work on this and see it included. I've been working on a mod that updates the encryption for phpBB (and I'm confident it will finally pass validation). I think security is very important and I want to help make phpBB more secure.

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am
Contact:

Re: [RFC] Update encryption standards

Post by Oleg » Sat Feb 04, 2012 10:22 am

Passwords are hashed, not encrypted.

We also I believe use phpass for password hashing, therefore the first step would be to check what hashes phpass supports nowadays.

Post Reply