unique_id function

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
medick
Registered User
Posts: 4
Joined: Thu Jan 31, 2008 5:24 pm

unique_id function

Post by medick »

Why is the unique_id function so overdone? It requires a few SQL queries just to get a random md5. Why not replace it with a simpler combination that doesn't need any DB or I/O resources?

Also, it's possible to optimize the set_config function by using one REPLACE query instead of a few UPDATE and/or INSERT queries.

Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: unique_id function

Post by Kellanved »

a) Because anything else wouldn't be as secure.
b) Doesn't optimize much and would be MySQL-only.

;)
No support via PM.
Trust me, I'm a doctor.

medick
Registered User
Posts: 4
Joined: Thu Jan 31, 2008 5:24 pm

Re: unique_id function

Post by medick »

a) Can you please explain to me why a combination like

Code:

return substr(md5(rand().'_'.microtime().'_'.rand()),rand(0,15),16);
is less secure?

b) MySQL is the most popular, and for big forums there are no words like "Doesn't optimize much". Just a thought.

Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: unique_id function

Post by Kellanved »

a) Because it's just based on the current time. An attacker could have an excellent guess on what the generated value was (about one in 20, according to our experiments).

b) As stated before, it isn't faster and would break compatibility with the other DBMS. We don't support MySQL's weird quirks.
Config values are added only very seldom; never in normal operation. A REPLACE is more expensive than an UPDATE. Why use a more expensive operation frequently to avoid an extremely unlikely situation that can only happen in non-performance-critical situations?
No support via PM.
Trust me, I'm a doctor.

medick
Registered User
Posts: 4
Joined: Thu Jan 31, 2008 5:24 pm

Re: unique_id function

Post by medick »

a) Ok let's forget about time

Code:

return substr(
    md5(
        rand().
        '_'.
        round(
            rand()*rand()/rand(),
            rand(1,4)
        ).
        '_'.
        rand()
    ),
    rand(0,15),
    16
);
There are a lot of different combinations with md5, substr, rand, round that can be implemented, and it's based only on random values every time.

2) I think I should agree with you.

Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: unique_id function

Post by Kellanved »

It's still just the time that goes in the function. An attacker using the same seed will get the same result.
No support via PM.
Trust me, I'm a doctor.
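
The point made in the reply above (same seed, same result), as an added example that is not part of the thread and not phpBB's code: it seeds the generator explicitly, shows that the rand()-only construction from the previous post then repeats itself, counts how many IDs a bounded range of seeds can yield, and contrasts that with random_bytes(). The names candidate_id, id_for_seed, distinct_ids and secure_id, the sample seed, and the max(..., 1) guard are assumptions made for the example.

```php
<?php
// Added illustration; not phpBB code. candidate_id() is the rand()-only
// construction proposed in the thread, under a hypothetical name.
function candidate_id(): string
{
    // max(..., 1) is added here only to avoid a division by zero.
    return substr(
        md5(rand() . '_' . round(rand() * rand() / max(rand(), 1), rand(1, 4)) . '_' . rand()),
        rand(0, 15),
        16
    );
}

// Seed the generator, then produce one ID. srand() sets the state rand() reads.
function id_for_seed(int $seed): string
{
    srand($seed);
    return candidate_id();
}

// Number of distinct IDs reachable from a contiguous range of seeds.
// It can never exceed $count, however the rand() calls are combined.
function distinct_ids(int $firstSeed, int $count): int
{
    $seen = [];
    for ($s = $firstSeed; $s < $firstSeed + $count; $s++) {
        $seen[id_for_seed($s)] = true;
    }
    return count($seen);
}

// Hardened form: 16 hex characters taken from the operating system's CSPRNG.
function secure_id(): string
{
    return bin2hex(random_bytes(8));
}

$seed = 1201800000; // constructed sample value, roughly a Unix timestamp

echo "same seed gives same id: ";
var_dump(id_for_seed($seed) === id_for_seed($seed));

echo "distinct ids from 3600 consecutive seeds: ", distinct_ids($seed, 3600), "\n";

srand($seed); // seeding rand() has no effect on random_bytes()
$a = secure_id();
srand($seed);
$b = secure_id();
echo "secure ids differ after identical seeding: ";
var_dump($a !== $b);
```

Requires PHP 7 or later for random_bytes() and the return type declarations.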

medick
Registered User
Posts: 4
Joined: Thu Jan 31, 2008 5:24 pm

Re: unique_id function

Post by medick »

^ There are only rand(), md5(), and substr() functions now. The result doesn't depend on time.

Also, you can get a hash of getallheaders() or something like this.

Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: unique_id function

Post by Kellanved »

rand depends on the time.
No support via PM.
Trust me, I'm a doctor.

ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..

Re: unique_id function

Post by ElbertF »

And you can easily fake headers.

Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E

Re: unique_id function

Post by Nicholas the Italian »

Not sure exactly what we are talking about, so I might be saying something stupid. But what about using the user's IP as part of the seed? The attacker must (should) have a different one.
