Newsgroups: php.internals
Message-ID: <3a3de59c-c7c8-4124-b973-def153428290@bastelstu.be>
Date: Fri, 26 Jul 2024 15:02:42 +0200
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: Rob Landers <rob@bottled.codes>, Peter Stalman <sarkedev@gmail.com>
Cc: Derick Rethans <derick@php.net>, PHP internals <internals@lists.php.net>
From: Tim Düsterhus <tim@bastelstu.be>

Hi

On 7/26/24 14:50, Rob Landers wrote:
>>> $_SESSION['token'] = md5(uniqid(mt_rand(), true));
>>
>> *Exactly* the md5-uniqid construction that is called out as unsafe in
>> the RFC and used in a security context.
> 
> In regards to hashing, this is likely fine; for now. There still isn't an arbitrary pre-image attack on md5 (that I'm aware of). Can you create a random file with a matching hash? Yes, in a few seconds, on modern hardware. But you cannot yet make it have arbitrary contents in our lifetime. The NSA probably has something like this though, but if so, this isn't widely known.

Neither collision nor pre-image resistance is relevant here. The
attack vector is a brute force attack / an attacker guessing the token
rather than the token's contents.

> That being said, this is just randomly creating a random id without leaking its internal construction, no different than putting an md5 in a UUID-v8. The real issue here is the use of uniqid() and rand(), making it quite likely (at scale, at least) that a session id will overlap with another session id.

The point is that it showcases a fundamental misunderstanding of what 
MD5 (or really any other hash algorithm) does for you. The application 
of the MD5 does not make the token more random or more unique or 
whatever positive adjective you would like to use. It would be equally 
strong (or rather weak) if the output of `uniqid(mt_rand(), true)` was 
used directly.

As per Kerckhoffs's principle, the security of the algorithm must not
rely on the attacker not knowing how it's implemented. Given how
prevalent constructions like the above are, an attacker could make an
educated guess about what it looks like and match their own token against
a precomputed table to find out if it matches.

Best regards
Tim Düsterhus
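Added example (not part of the thread or of any PHP project code) illustrating the point made above: the quoted `md5(uniqid(mt_rand(), true))` construction is placed next to a `random_bytes()`-based replacement, and a helper bounds the entropy of the weak input from the documented output ranges of `mt_rand()` and `uniqid()` to show that hashing cannot raise it. The entropy figures are generous upper bounds, not measurements.

```php
<?php
// Weak construction quoted in the thread. md5() is a deterministic
// function, so the token has no more entropy than its input has.
function weakToken(): string
{
    return md5(uniqid(mt_rand(), true));
}

// Hardened replacement (added, not from the thread): draw the token
// straight from the CSPRNG. 32 bytes = 256 bits; the hex encoding is
// for transport only. Its strength does not depend on hiding how it
// is built, which is what Kerckhoffs's principle asks for.
function strongToken(): string
{
    return bin2hex(random_bytes(32));
}

// Generous upper bound, in bits, on the entropy of the weak input.
// Figures come from the documented output ranges; real values are
// lower when the underlying generators are seeded predictably.
function weakInputEntropyBits(): float
{
    $bits = 31.0;            // mt_rand(): 0 .. mt_getrandmax() = 2^31-1
    $bits += log(1e6, 2);    // uniqid() microsecond field: 0 .. 999999
    $bits += log(1e9, 2);    // more_entropy suffix: lcg*10 with 8 decimals
    // The seconds field is the wall clock, known to the attacker: ~0 bits.
    return $bits;            // about 80.8 bits, versus 256 for strongToken()
}

// Validate in constant time so the comparison does not leak the position
// of the first mismatching byte.
function tokenMatches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

$token = strongToken();
printf("weak:   %s\nstrong: %s\n", weakToken(), $token);
printf("entropy bound of weak input: %.1f bits\n", weakInputEntropyBits());
var_dump(tokenMatches($token, $token), tokenMatches($token, weakToken()));
```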