Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124614 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 9F6AA1A00B7 for ; Fri, 26 Jul 2024 13:25:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1722000448; bh=N59fStgOg7YDNMVC06TpvOG4EWyJmJ0aSGrfcTqtvic=; h=In-Reply-To:References:Date:From:To:Cc:Subject:From; b=HEVlTxACb33VaOwxTkq0KdQ4ZvP/QzMmz3rNjRChSLfRq/YsoSPGtHeS8K72+sP+X jrtaAA9PkS/1+xODN5GIgsZCHUGxV/9yFepsyZMuduqN2h5ABcDWwYK8zpQFz2ePLF f68NSA4et6G1vj71W5BQW2FV/yqrGkA1dtowMNllmhvt+RVG8B31iMqsynbpgmfvIa fAOfYnoBthFMbyrjfBQWhlUhujaYD67BMPHBdP8XfRMJwD87kXw0SJvzfbPXnVWUJL zHE6mcsSo/cmNDv4eYiTeVL4Ykq428h4XqISsv6qmZ15tivvZm39GMQd8K40ziZw1N RWs9Cmm9krkaA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 0BA5718007A for ; Fri, 26 Jul 2024 13:27:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,HTML_MESSAGE, RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from fout6-smtp.messagingengine.com (fout6-smtp.messagingengine.com [103.168.172.149]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 26 Jul 2024 13:27:27 +0000 (UTC) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfout.nyi.internal (Postfix) with ESMTP id 914971380180; Fri, 26 Jul 2024 09:25:51 -0400 (EDT) Received: from imap49 ([10.202.2.99]) by compute3.internal (MEProxy); Fri, 26 Jul 2024 09:25:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bottled.codes; h=cc:cc:content-type:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm1; t=1722000351; x= 1722086751; bh=N59fStgOg7YDNMVC06TpvOG4EWyJmJ0aSGrfcTqtvic=; b=b ERGwTNeAb7E+xmRmFcX9WAHEYC/6MIW+Pyh1WpxN3IggifFFbrGgec1KWO2B4InZ 2q2qn+G+1hYZfG6zgTKyYwEEACqCmgwNRW9A7fdxk+YWWs7l4InMmHxGPD4CsCsG 0xs5I5N7Ggy3UbUMfk0rrsuFAhew/4rW4SmeA3S2QQfnx66Id9aUPXvK8B57unOn h6ttkUcIczjkihVFn89DSX3iwcvMwOpMUie9F3I2Jq6P4EuPyo80ndj7UlTN/Su3 hWolkmsAuiUofcuN/1Ma4f68W8jWlFAfU3R/jKYRT6qHy7pHE7itdsx99kFy19dO HzMbiOZudCCoL3l3FhUzw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1722000351; x=1722086751; bh=N59fStgOg7YDNMVC06TpvOG4EWyJ mJ0aSGrfcTqtvic=; b=OyxDfpH67A59AIiKC99FExcFNQsXPaA+xd/hncZYG4wA IVy69/Z/TklOpfYBZxZu4ISjZyfOBMZ5JeHhTj3DTku3lCndTb6DLoS4HhOCeZ0U Mud+CtkDmTPto3CO2HjcVKLVMc7k5TDjOToo72l/n2zlaFX8zocLPJBKQaI5WPWj +gHGD7ih5GKeBhmUNGkI+v2klOHexs4t3BMdR45q1EC3xwt/sW1opEbZwHEdIJtq +pwuCszlx+h8wrp/hvQlqJrBIzCiREtXRJICa79K3545ZJH3gyiUGkOqWxrNNhuD m8pmgs6ls+U+n1pTHXZqXt1ldEqo5Gbpde0F8q9y1Q== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrieehgdeiiecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvvefutgesrgdtreerreerjeenucfhrhhomhepfdftohgs ucfnrghnuggvrhhsfdcuoehrohgssegsohhtthhlvggurdgtohguvghsqeenucggtffrrg htthgvrhhnpedvheekteelveetfeevgeekgfffvdeuhfelveehvdetiefggedtfeejheet gffhueenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hrohgssegsohhtthhlvggurdgtohguvghspdhnsggprhgtphhtthhopedt X-ME-Proxy: Feedback-ID: ifab94697:Fastmail Received: by mailuser.nyi.internal (Postfix, from userid 501) id 0CD1215A0092; Fri, 26 Jul 2024 09:25:51 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.11.0-alpha0-582-g5a02f8850-fm-20240719.002-g5a02f885 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 Message-ID: In-Reply-To: <3a3de59c-c7c8-4124-b973-def153428290@bastelstu.be> References: <1a88918e-e808-d778-45e1-53797660e093@php.net> <95147d9d-d6e8-4396-bf0b-409c33679f90@bastelstu.be> <6c0baa01-68e5-4d74-bc4e-d6830ab5076d@bastelstu.be> <3a3de59c-c7c8-4124-b973-def153428290@bastelstu.be> Date: Fri, 26 Jul 2024 15:25:28 +0200 To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= , "Peter Stalman" Cc: "Derick Rethans" , "PHP internals" Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4 Content-Type: multipart/alternative; boundary=40e76ce876a748dca6b39dd94d6ca2b2 From: rob@bottled.codes ("Rob Landers") --40e76ce876a748dca6b39dd94d6ca2b2 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: quoted-printable On Fri, Jul 26, 2024, at 15:02, Tim D=C3=BCsterhus wrote: > HI >=20 > On 7/26/24 14:50, Rob Landers wrote: > >>> $_SESSION['token'] =3D md5(uniqid(mt_rand(), true)); > >> > >> *Exactly* the md5-uniqid construction that is called out as unsafe = in > >> the RFC and used in a security context. > >=20 > > In regards to hashing, this is likely fine; for now. There still isn= 't an arbitrary pre-image attack on md5 (that I'm aware of). Can you cre= ate a random file with a matching hash? Yes, in a few seconds, on modern= hardware. But you cannot yet make it have arbitrary contents in our lif= etime. The NSA probably has something like this though, but if so, this = isn't widely known. >=20 > Neither collision-, nor pre-image resistance is relevant here. The=20 > attack vector is a brute force attack / an attacker guessing the token=20 > rather than the token's contents. You do realize that GUID and md5 hashes are the same size? One does not = simply "guess" a GUID or an md5 hash. gravatar used md5 until a couple o= f years ago, and had millions? billions? of emails addresses and zero co= llisions. > > That being said, this is just randomly creating a random id without = leaking it's internal construction, no different than putting an md5 in = a UUID-v8. The real issue here is the use of uniqid() and rand(), making= it quite likely (at scale, at least) that a session id will overlap wit= h another session id. >=20 > The point is that it showcases a fundamental misunderstanding of what=20 > MD5 (or really any other hash algorithm) does for you. The application=20 > of the MD5 does not make the token more random or more unique or=20 > whatever positive adjective you would like to use. It would be equally=20 > strong (or rather weak) if the output of `uniqid(mt_rand(), true)` was=20 > used directly. Yes, it does, but probably not how you think. It would be much weaker to= leak the internal construction (uniqid(mt_rand(), true)) because then s= omeone could literally guess a working id if they knew when the id was g= enerated (depending on the size of mt_rand, rate limits, etc). By wrapping it in an md5, it is literally unguessable how it is construc= ted, but the construction is still crap in this case. >=20 > As per Kerckhoffs's principle, the security of the algorithm must not=20 > rely on the attacker not knowing how it's implemented. Given how=20 > prevalent constructions like the above are, an attacker could make an=20 > educated guess about how it looks like and match their own token again= st=20 > a precomputed table to find out if it matches. In this example, an ID is being constructed. If it needs uniqueness, the= ID is being constructed incorrectly, but if you could argue that a GUID= would fit the bill here, md5 has more "entropy" than a GUIDv4. But due = to how the md5 is constructed, it actually has less entropy. So, I think= we both can agree that the construction is crap. However, the usage of = md5 doesn't matter here. If it really bothers you, craft a GUIDv8 from i= t. But to Kerckhoffs's principle, that is in regards to encryption ... this= is not encryption. =E2=80=94 Rob --40e76ce876a748dca6b39dd94d6ca2b2 Content-Type: text/html;charset=utf-8 Content-Transfer-Encoding: quoted-printable
On Fri, Jul 26,= 2024, at 15:02, Tim D=C3=BCsterhus wrote:
HI

On 7/26/= 24 14:50, Rob Landers wrote:
>>> $_SESSION['token= '] =3D md5(uniqid(mt_rand(), true));
>>
>> *Exactly* the md5-uniqid construction that is called out as u= nsafe in
>> the RFC and used in a security context.<= br>

> In regards to hashing, this = is likely fine; for now. There still isn't an arbitrary pre-image attack= on md5 (that I'm aware of). Can you create a random file with a matchin= g hash? Yes, in a few seconds, on modern hardware. But you cannot yet ma= ke it have arbitrary contents in our lifetime. The NSA probably has some= thing like this though, but if so, this isn't widely known.

Neither collision-, nor pre-image resistance is relevan= t here. The 
attack vector is a brute force attack / = an attacker guessing the token 
rather than the token= 's contents.

You do realize th= at GUID and md5 hashes are the same size? One does not simply "guess" a = GUID or an md5 hash. gravatar used md5 until a couple of years ago, and = had millions? billions? of emails addresses and zero collisions.

>= ; That being said, this is just randomly creating a random id without le= aking it's internal construction, no different than putting an md5 in a = UUID-v8. The real issue here is the use of uniqid() and rand(), making i= t quite likely (at scale, at least) that a session id will overlap with = another session id.

The point is that it sh= owcases a fundamental misunderstanding of what 
MD5 (= or really any other hash algorithm) does for you. The application <= br>
of the MD5 does not make the token more random or more uni= que or 
whatever positive adjective you would like to= use. It would be equally 
strong (or rather weak) if= the output of `uniqid(mt_rand(), true)` was 
used di= rectly.

Yes, it does, but prob= ably not how you think. It would be much weaker to leak the internal con= struction (uniqid(mt_rand(), true)) because then someone could literally= guess a working id if they knew when the id was generated (depending on= the size of mt_rand, rate limits, etc).

By= wrapping it in an md5, it is literally unguessable how it is constructe= d, but the construction is still crap in this case.


A= s per Kerckhoffs's principle, the security of the algorithm must not&nbs= p;
rely on the attacker not knowing how it's implemented. = Given how 
prevalent constructions like the above are= , an attacker could make an 
educated guess about how= it looks like and match their own token against 
a p= recomputed table to find out if it matches.
<= br>
In this example, an ID is being constructed. If it needs u= niqueness, the ID is being constructed incorrectly, but if you could arg= ue that a GUID would fit the bill here, md5 has more "entropy" than a GU= IDv4. But due to how the md5 is constructed, it actually has less entrop= y. So, I think we both can agree that the construction is crap. However,= the usage of md5 doesn't matter here. If it really bothers you, craft a= GUIDv8 from it.

But to Kerckhoffs's p= rinciple, that is in regards to encryption ... this is not encryption.

=E2=80=94 Rob
<= /body> --40e76ce876a748dca6b39dd94d6ca2b2--