Newsgroups: php.internals
Message-ID: <437B0C46.3080809@php.net>
Date: Wed, 16 Nov 2005 11:39:02 +0100
From: sesser@php.net (Stefan Esser)
To: Jochem Maas
CC: Stefan Esser, internals@lists.php.net
References: <20051115221143.GA28082@hardened-php.net> <437B08C8.20804@iamjochem.com>
In-Reply-To: <437B08C8.20804@iamjochem.com>
Subject: Re: [PHP-DEV] PHP 5.1.0 - sha256() and sha256_file() support

Hello,

> assuming this is true then the built in session handler is pretty
> vulnerable right now no?
> one only has the choice of md5 or sha1 for the hashing mechanism of
> the session handlers id
> as far as I can see ... if php gets a sha256 in the core it would
> possibly be a good thing
> to make that available as an option for session.hash_function?

I did not want to cause some "panic".
MD5 and SHA1 are not completely broken yet. I think people usually only call a hash function completely broken when preimage attacks are possible. This means that for a given startvector you can create some input to get a desired endvector. During the last year there have been various reports about much faster attacks in normal collision generation, which means the time needed if you just try to find 2 collisions. (You never know how fast it will be possible 1 year from now.)

The session handler, on the other hand, is not really vulnerable to this, even if there are preimage attacks. In the session handler MD5/SHA1 are merely used to convert a random number into some other format. Even if there are preimage attacks on MD5 and SHA1, the "security" of the session handler relies on non-guessable random numbers.

(However, it would not be much work to use sha256 in the session extension as another option once it is in core.)

Stefan
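The point Stefan makes above, that the hash only reformats a random value and the session id is only as unguessable as that value, can be checked directly. The following is an added illustration, not code from the PHP session extension or from anyone on the thread; it models the handler as "hash(random bytes)" and shows that the number of reachable session ids equals the size of the random input space no matter which digest (md5, sha1 or the proposed sha256) is chosen. The helper names `session_id_from_random`, `new_session_id` and `reachable_ids` are invented for this example, and the seed spaces are kept tiny on purpose so the count runs instantly.

```python
import hashlib
import secrets

# md5 and sha1 were the session.hash_function choices at the time;
# sha256 is the option the thread proposes adding.
ALGOS = ("md5", "sha1", "sha256")


def session_id_from_random(random_bytes: bytes, algo: str = "md5") -> str:
    """Model of the session handler (hypothetical helper, not PHP's own):
    the digest is a deterministic reformatting of the random input."""
    if algo not in ALGOS:
        raise ValueError(f"unsupported hash: {algo}")
    return hashlib.new(algo, random_bytes).hexdigest()


def new_session_id(algo: str = "md5", entropy_bytes: int = 16) -> str:
    """Fresh id from a CSPRNG: 16 bytes gives a 2**128 input space,
    which is what actually makes the id unguessable."""
    return session_id_from_random(secrets.token_bytes(entropy_bytes), algo)


def reachable_ids(seed_space_bits: int, algo: str) -> int:
    """Count the distinct ids obtainable when the random input carries only
    seed_space_bits of entropy. Because the hash is a function of its input,
    the id space can never exceed the seed space, whatever the digest length.
    Capped at 16 bits so the enumeration stays a quick demonstration."""
    if not 0 < seed_space_bits <= 16:
        raise ValueError("seed_space_bits must be between 1 and 16")
    ids = {
        session_id_from_random(n.to_bytes(2, "big"), algo)
        for n in range(1 << seed_space_bits)
    }
    return len(ids)


if __name__ == "__main__":
    for algo in ALGOS:
        # A weak 12-bit seed yields exactly 4096 ids for every algorithm;
        # a longer digest does not add entropy the input never had.
        print(algo, reachable_ids(12, algo), new_session_id(algo))
```

The comparison across algorithms is the useful part: a 12-bit seed produces 4096 possible ids whether the digest is 128 or 256 bits wide, so a review of session id strength should look at the randomness source feeding the hash rather than at the choice of md5, sha1 or sha256.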