callumacrae wrote:
visionviper wrote:
Even moving to SHA-1 would be better than using md5.
Why is that so "even"? SHA1 is definitely secure (although by the definition of secure, MD5 is secure as it hasn't been broken yet).
These tests aren't fair as I only ran them once, but to crack the hash of "callum$phpBB`" using a popular rainbow tables program utilising all six cores took ~3 hours when the hash was generated using MD5, and ~4 using SHA1. I think you've just been reading articles wrong again - the key word in the US-CERT article is "considered".
The only argument against MD5 also applies to both SHA1 and SHA2; they are both general purpose hashing algorithms, and not necessarily designed for password hashing.
Anyway, phpBB doesn't use MD5 ANYWAY for hashing. Please post an example.
SHA-1 doesn't have a known pre-image attack against it, while md5 does. As far as an example of md5 in phpBB:
Code:
function phpbb_hash($password)
{
    // alphabet used by the phpass-style salt and hash encoding
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $random_state = unique_id();
    $random = '';
    $count = 6;

    // preferred source of salt bytes
    if (($fh = @fopen('/dev/urandom', 'rb')))
    {
        $random = fread($fh, $count);
        fclose($fh);
    }

    // fallback when /dev/urandom is unavailable: derive salt bytes by chaining md5 over unique_id()
    if (strlen($random) < $count)
    {
        $random = '';
        for ($i = 0; $i < $count; $i += 16)
        {
            $random_state = md5(unique_id() . $random_state);
            $random .= pack('H*', md5($random_state));
        }
        $random = substr($random, 0, $count);
    }

    // _hash_gensalt_private / _hash_crypt_private are phpBB's phpass-derived helpers (not shown here)
    $hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);
    if (strlen($hash) == 34)
    {
        return $hash;
    }

    // fallback: plain unsalted md5 if the salted hash could not be produced
    return md5($password);
}

function phpbb_check_hash($password, $hash)
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    if (strlen($hash) == 34)
    {
        // 34-character stored value: salted, iterated phpass-style hash
        return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
    }
    // anything else is compared as a plain md5 hex digest
    return (md5($password) === $hash) ? true : false;
}
Every time something needs to be hashed, md5 is used. As stated earlier by others and acknowledged by me, I know it isn't straight md5 and that salting is involved. But if you are going to use something for hashing passwords, wouldn't you want to use something with fewer demonstrated vulnerabilities?
SHA-1 is vulnerable to collision attacks, but it's quite a few orders of magnitude more difficult (2^21 for md5, 2^51 for SHA-1). SHA-1 at least doesn't have a known pre-image attack. SHA-2 doesn't have any known collision or pre-image attacks.
Implementing code to have phpBB use the strongest (read: least vulnerable) hashing method would be very simple to do. So why not?
igorw wrote:
phpass is based on md5, but uses multiple iterations and salting to make the hashes stronger.
We cannot really upgrade to anything stronger before we require PHP 5.3. Starting with PHP 5.3.0, there is a guarantee that crypt() is available. 5.3.2 fixes a serious bug and adds support for more algorithms.
Once we require PHP 5.3 (honestly I don't mind doing this for 3.1, PHP 5.2 just does not make sense at this point), we can use blowfish.
I think SHA-1 is completely supported in 4.3 and higher. I do see what you mean about 5.3 though since SHA-2 should be fully available for use.
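As an added example (not code from the thread or from phpBB itself), here is a Python reimplementation of what phpbb_hash and phpbb_check_hash above do, assuming the standard phpass portable-hash layout that phpBB's _hash_crypt_private and _hash_gensalt_private helpers follow: "$H$", one iteration-count character, 8 salt characters, then 22 characters encoding the iterated md5 chain igorw describes. It shows where the 34-character length comes from, and the added is_legacy_md5 helper is an audit check for stored values that fell through to the unsalted md5($password) branch.

```python
import hashlib, hmac, os

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def encode64(data, count):
    # phpass's base64 variant: 6-bit groups taken little-endian, no padding
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)

def crypt_private(password, setting):
    # setting = '$H$' + one count char + 8-char salt; runs 2**count_log2 md5 rounds (assumed phpass layout)
    count_log2 = ITOA64.find(setting[3:4]) if setting.startswith('$H$') else -1
    salt = setting[4:12]
    if not 7 <= count_log2 <= 30 or len(salt) != 8:
        return '*'
    h = hashlib.md5(salt.encode() + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h, 16)

def phpbb_hash(password):
    setting = '$H$9' + encode64(os.urandom(6), 6)  # '9' is ITOA64[6 + 5] -> 2**11 rounds
    h = crypt_private(password.encode(), setting)
    return h if len(h) == 34 else hashlib.md5(password.encode()).hexdigest()  # unsalted fallback

def phpbb_check_hash(password, stored):
    if len(stored) == 34:
        return hmac.compare_digest(crypt_private(password.encode(), stored), stored)
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)

def is_legacy_md5(stored):
    # audit helper (added here): rows still holding the unsalted 32-hex md5 fallback should be rehashed
    return len(stored) == 32 and all(c in '0123456789abcdef' for c in stored)
```

The comparison uses hmac.compare_digest rather than the PHP code's ===; everything else mirrors the branch structure of the posted functions.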