[RFC] More secure hashing

These requests for comments/change have led to an implemented feature that has been successfully merged into the 3.1/Ascraeus branch. Everything listed in this forum will be available in phpBB 3.1.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Update encryption standards

Post by imkingdavid » Sat Feb 04, 2012 2:01 pm

visionviper wrote:As I am sure all of you know, phpBB still heavily relies on md5 for password encryption.
I'd like to see where... phpBB tossed out md5 encryption since we moved from 2.0 to 3.0. Now, like Oleg said, we use phpass.

EDIT: I stand corrected; apparently phpass uses md5 at least to some extent.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

callumacrae
Infrastructure Team
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England
Contact:

Re: [RFC] Update encryption standards

Post by callumacrae » Sat Feb 04, 2012 3:38 pm

phpBB does not use md5 for passwords: http://pastebin.com/vTFBfvHu

Even so, MD5 is not "broken", and is not "secure"; it is just faster and so easier to brute force. On the other hand, it is faster, and so uses less server resources.

http://webdevrefinery.com/forums/topic/ ... ing-myths/
Made by developers, for developers!
My blog

visionviper
Registered User
Posts: 6
Joined: Sat Feb 04, 2012 4:26 am

Re: [RFC] Update encryption standards

Post by visionviper » Sat Feb 04, 2012 5:35 pm

Oleg wrote:Passwords are hashed, not encrypted.

We also I believe use phpass for password hashing, therefore the first step would be to check what hashes phpass supports nowadays.
Ok, so they are hashed with md5. Either way, it would be nice to see some actual encryption use for the passwords. By moving to an encryption like AES or Twofish there could also eventually be a feature to have an entire board encrypted. It will certainly not be a feature most use, but anyone without dedicated servers can't just set up a database that is automatically encrypted like you can when setting up a Microsoft SQL database or maybe even MySQL (I remember reading they were eventually going to support it).

I believe that phpBB should try and use the strongest method available (I'm not talking going all 256-bit on it), and then allow the admin to choose what they want to use. If they want to use a looped-salting-md5 hashing method then they can. If they want to use AES 128-bit then they can.
callumacrae wrote: Even so, MD5 is not "broken", and is not "secure", it is just faster and so easier to brute force.
I'm sorry, but I am going to side with US-CERT over a web developer on webdev. US-CERT says it's broken so in my eyes, it's broken - no matter how you use it.


Maybe it's just because I am very security minded when it comes to online things. I know a cracked password isn't as bad as someone getting your credit/debit card details, but there is a reason credit card/SSN/etc. information is required to be encrypted, not just hashed and salted with md5 or sha.

DavidIQ
Customisations Team Leader
Posts: 1736
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: [RFC] Update encryption standards

Post by DavidIQ » Sat Feb 04, 2012 7:12 pm

As has already been said, phpBB has not used md5 hashing in years, since the version 2 days. Passwords are hashed AND salted.

I also do not agree that administrators should be able to change the encryption method. That will just cause a lot of support headaches and has the potential for administrators to hose their forums either in part or completely.

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am
Contact:

Re: [RFC] Update encryption standards

Post by Oleg » Sat Feb 04, 2012 7:52 pm

visionviper wrote: Either way, it would be nice to see some actual encryption use for the passwords.
If you mean that we should store passwords in a way that allows recovering plain text, the answer is no. (This has nothing to do with full board encryption.)

I believe we do use md5 (salted).

If we are going to change hashing algorithm, we should sneak some unusual characters into the data being hashed for the benefit of rainbow tables. Something from the 1-32 control char range and 128-255 which is not valid utf-8.

visionviper
Registered User
Posts: 6
Joined: Sat Feb 04, 2012 4:26 am

Re: [RFC] Update encryption standards

Post by visionviper » Sat Feb 04, 2012 8:03 pm

Will you guys consider moving to something that isn't susceptible to collision attacks or pre-image attacks? SHA-2 can be used for hashing and it doesn't suffer from collision or pre-image attacks. Even moving to SHA-1 would be better than using md5.

phpBB could be set up to choose the best hashing method available and use that, instead of always using md5 even when better hashing methods are available.

callumacrae
Infrastructure Team
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England
Contact:

Re: [RFC] Update encryption standards

Post by callumacrae » Sat Feb 04, 2012 10:46 pm

visionviper wrote:Even moving to SHA-1 would be better than using md5.
Why is that so "even"? SHA1 is definitely secure (although by the definition of secure, MD5 is secure as it hasn't been broken yet).


These tests aren't fair as I only ran them once, but to crack the hash of "callum$phpBB`" using a popular rainbow tables program utilising all six cores took ~3 hours when the hash was generated using MD5, and ~4 using SHA1. I think you've just been reading articles wrong again - the key word in the US-CERT article is "considered".

The only argument against MD5 also applies to both SHA1 and SHA2; they are both general purpose hashing algorithms, and not necessarily designed for password hashing.


Anyway, phpBB doesn't use MD5 ANYWAY for hashing. Please post an example.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] Update encryption standards

Post by igorw » Sun Feb 05, 2012 12:35 am

phpass is based on md5, but uses multiple iterations and salting to make the hashes stronger.

We cannot really upgrade to anything stronger before we require PHP 5.3. Starting with PHP 5.3.0, there is a guarantee that crypt() is available. 5.3.2 fixes a serious bug and adds support for more algorithms.

Once we require PHP 5.3 (honestly I don't mind doing this for 3.1, PHP 5.2 just does not make sense at this point), we can use blowfish.

visionviper
Registered User
Posts: 6
Joined: Sat Feb 04, 2012 4:26 am

Re: [RFC] Update encryption standards

Post by visionviper » Sun Feb 05, 2012 12:44 am

callumacrae wrote:
visionviper wrote:Even moving to SHA-1 would be better than using md5.
Why is that so "even"? SHA1 is definitely secure (although by the definition of secure, MD5 is secure as it hasn't been broken yet).


These tests aren't fair as I only ran them once, but to crack the hash of "callum$phpBB`" using a popular rainbow tables program utilising all six cores took ~3 hours when the hash was generated using MD5, and ~4 using SHA1. I think you've just been reading articles wrong again - the key word in the US-CERT article is "considered".

The only argument against MD5 also applies to both SHA1 and SHA2; they are both general purpose hashing algorithms, and not necessarily designed for password hashing.


Anyway, phpBB doesn't use MD5 ANYWAY for hashing. Please post an example.
SHA-1 doesn't have a known pre-image attack against it, while md5 does. As far as an example of md5 in phpBB:

Code:

// unique_id(), _hash_gensalt_private() and _hash_crypt_private() are the
// phpass-derived helpers that sit next to these two functions in
// includes/functions.php
function phpbb_hash($password)
{
	// phpass alphabet used to encode both the salt and the final digest
	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

	$random_state = unique_id();
	$random = '';
	$count = 6;

	// 6 bytes of salt, read from /dev/urandom when it can be opened
	if (($fh = @fopen('/dev/urandom', 'rb')))
	{
		$random = fread($fh, $count);
		fclose($fh);
	}

	// fallback salt source: md5 over a unique_id() state (this is where
	// md5 appears even before hashing starts)
	if (strlen($random) < $count)
	{
		$random = '';

		for ($i = 0; $i < $count; $i += 16)
		{
			$random_state = md5(unique_id() . $random_state);
			$random .= pack('H*', md5($random_state));
		}
		$random = substr($random, 0, $count);
	}

	// phpass portable hash: "$H$" prefix, iterated md5 over salt+password,
	// 34 characters long when the setting string was valid
	$hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

	if (strlen($hash) == 34)
	{
		return $hash;
	}

	// last resort: unsalted md5, i.e. the phpBB 2.0 password format
	return md5($password);
}

function phpbb_check_hash($password, $hash)
{
	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

	// 34 characters means a phpass hash: recompute with the stored salt
	// (the first 12 characters) and compare against the whole string
	if (strlen($hash) == 34)
	{
		return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
	}

	// anything else is treated as a legacy unsalted md5 hex digest
	return (md5($password) === $hash) ? true : false;
}
Every time something needs to be hashed, md5 is used. As stated earlier by others and acknowledged by me, I know it isn't straight md5 and that salting is involved. But if you are going to use something for hashing passwords, wouldn't you want to use something with less demonstrated vulnerabilities?

SHA-1 is vulnerable to collision attacks, but it's quite a few orders of magnitude more difficult (2^21 for md5, 2^51 for SHA-1). SHA-1 at least doesn't have a known pre-image attack. SHA-2 doesn't have any known collision or pre-image attacks.

Implementing code to have phpBB use the strongest (read: least vulnerable) hashing method would be very simple to do. So why not?
igorw wrote:phpass is based on md5, but uses multiple iterations and salting to make the hashes stronger.

We cannot really upgrade to anything stronger before we require PHP 5.3. Starting with PHP 5.3.0, there is a guarantee that crypt() is available. 5.3.2 fixes a serious bug and adds support for more algorithms.

Once we require PHP 5.3 (honestly I don't mind doing this for 3.1, PHP 5.2 just does not make sense at this point), we can use blowfish.
I think SHA-1 is completely supported in 4.3 and higher. I do see what you mean about 5.3 though since SHA-2 should be fully available for use.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC] Update encryption standards

Post by igorw » Sun Feb 05, 2012 12:53 am

visionviper wrote:I think SHA-1 is completely supported in 4.3 and higher. I do see what you mean about 5.3 though since SHA-2 should be fully available for use.
Sure, changing the hashing to use something else would be trivial. However, since we need to keep compatibility with existing hashes, it's not as trivial as you may think. As soon as we add a wide range of possible algorithms, things can get quite messy.
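An added example, not code from the thread or from phpBB itself, that shows the two things discussed above: what the "$H$" phpass hash produced by the phpbb_hash()/phpbb_check_hash() code visionviper posted actually does (iterated md5 over salt and password), and the compatibility problem igorw raises, handled by verifying whatever format a user row currently holds and re-hashing with a stronger scheme on successful login. The stronger scheme here is PBKDF2-SHA256 from Python's standard library, chosen as a stand-in for the bcrypt/crypt() option igorw mentions because the verifier cannot run PHP, and its "$pbkdf2-sha256$" string format, the 100,000-iteration work factor, verify_and_upgrade() and the sample user table are all assumptions of this example, not anything phpBB defines. The phpass port follows the public phpass crypt_private()/encode64() logic; the known vector used in the self-check comes from phpass's own test.php.

```python
"""Added example (not phpBB's code): verify phpBB 2.0 (unsalted md5) and
phpBB 3.0 ('$H$' phpass) password hashes and migrate them to a stronger
scheme on login. The '$pbkdf2-sha256$' format is an assumption of this example."""
import base64
import hashlib
import hmac
import os

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the new scheme


def _encode64(data: bytes, count: int) -> str:
    """phpass's base-64 variant: crypt(3)-style alphabet, no padding."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def phpass_crypt_private(password: bytes, setting: str) -> str:
    """Port of phpass crypt_private(): md5(salt+pw), then 2**count_log2 rounds
    of md5(prev+pw). Returns '*0' or '*1' on a bad setting so the result can
    never equal the stored string."""
    output = '*0'
    if setting[:2] == output:
        output = '*1'
    if len(setting) < 12 or setting[:3] not in ('$P$', '$H$'):
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return output
    salt = setting[4:12].encode('latin-1')      # 8 salt characters, byte-for-byte like PHP
    h = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + _encode64(h, 16)


def phpbb_gensalt(random: bytes, iteration_count_log2: int = 6) -> str:
    """Like phpBB's _hash_gensalt_private(): '$H$', one count character
    (phpBB adds 5, so 6 -> ITOA64[11] == '9' -> 2048 rounds), 8 salt chars."""
    return '$H$' + ITOA64[min(iteration_count_log2 + 5, 30)] + _encode64(random, 6)


def phpbb_hash(password: str) -> str:
    return phpass_crypt_private(password.encode('utf-8'), phpbb_gensalt(os.urandom(6)))


def phpbb_check_hash(password: str, stored: str) -> bool:
    """Same dispatch as phpbb_check_hash() in the thread: 34 characters is a
    phpass hash, anything else is treated as a phpBB 2.0 unsalted md5 digest."""
    pw = password.encode('utf-8')
    if len(stored) == 34:
        return hmac.compare_digest(phpass_crypt_private(pw, stored), stored)
    return hmac.compare_digest(hashlib.md5(pw).hexdigest(), stored)


def strong_hash(password: str, salt: bytes = None) -> str:
    """Assumed replacement scheme: PBKDF2-SHA256 with a 16-byte random salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ITERATIONS)
    return '$pbkdf2-sha256$%d$%s$%s' % (
        PBKDF2_ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def strong_check(password: str, stored: str) -> bool:
    parts = stored.split('$')
    if len(parts) != 5 or parts[1] != 'pbkdf2-sha256' or not parts[2].isdigit():
        return False
    salt, dk = base64.b64decode(parts[3]), base64.b64decode(parts[4])
    calc = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, int(parts[2]))
    return hmac.compare_digest(calc, dk)


def verify_and_upgrade(password: str, stored: str):
    """Login path. Returns (ok, new_hash): new_hash is the replacement to write
    back to the user row when a legacy hash verified, None otherwise. Rows
    migrate one successful login at a time, so every old format must stay
    verifiable until the last row has been rewritten."""
    if stored.startswith('$pbkdf2-sha256$'):
        return strong_check(password, stored), None
    if phpbb_check_hash(password, stored):
        return True, strong_hash(password)
    return False, None


if __name__ == '__main__':
    # Constructed user table: one phpBB 2.0-style row, one phpBB 3.0-style row.
    users = {
        'alice': '5f4dcc3b5aa765d61d8327deb882cf99',   # md5('password'), unsalted
        'bob': phpbb_hash('correct horse'),            # fresh '$H$9...' phpass hash
    }
    for name, pw in (('alice', 'password'), ('bob', 'correct horse'), ('bob', 'wrong')):
        ok, new = verify_and_upgrade(pw, users[name])
        if new:
            users[name] = new
        print(name, ok, users[name][:15])
```

The prefix dispatch is what keeps the scheme list from getting "messy": each format is recognised by its own prefix (or, for the two legacy ones, by length), and the strong checker is tried first so a migrated row never falls back into the md5 paths.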
