Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72705
Return-Path: <narf@devilix.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 87452 invoked from network); 20 Feb 2014 13:03:53 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Feb 2014 13:03:53 -0000
Authentication-Results: pb1.pair.com smtp.mail=narf@devilix.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=narf@devilix.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain devilix.net designates 209.85.213.68 as permitted sender)
X-PHP-List-Original-Sender: narf@devilix.net
X-Host-Fingerprint: 209.85.213.68 mail-yh0-f68.google.com  
Received: from [209.85.213.68] ([209.85.213.68:44962] helo=mail-yh0-f68.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 77/04-00813-83DF5035 for <internals@lists.php.net>; Thu, 20 Feb 2014 08:03:53 -0500
Received: by mail-yh0-f68.google.com with SMTP id a41so242193yho.11
        for <internals@lists.php.net>; Thu, 20 Feb 2014 05:03:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=devilix.net; s=google;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=gCFTWtQz/1bv/QJ9GdeUd3QOmI3vo2bo5qI/vdM1H4I=;
        b=vMXnkWmQQWdogvDXu1QjuUhegN6Qo09rEqWn+6eet6nmUcj1ak9bpTT6nazf4/Yd3q
         jN3VMVPNWFCWrRZds4XlsU8AeN2YDejXi2lVre5jb2D/4o8YMnPrx8NRuVlCrX7HJxSj
         ALexN4axZXmcnhdYmisPETgXSR6J1PqTp9k5Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:content-type;
        bh=gCFTWtQz/1bv/QJ9GdeUd3QOmI3vo2bo5qI/vdM1H4I=;
        b=dqJ+hGaGLzh0BnCipnFquh54ElY4VojHCxyL8hw+BTk5XDS65T480iu3D1r1Z9YAI9
         RKCduw5+X0nD96vNt+T8dQIbwTCaC0r/9S6atrwq0yXiPQHTbg5fn5pINc6zdJUf61O9
         w3/TXrItoWibkVjX/Ucrw/gAwXy4WfsyrFyfNvIk1AOXtXv+3w7dU9dY9ROpZHk0zo58
         REybFROgC75G2l8ylQUyaePN1pZXNp/jm4A28aD+X3kkTMPtztzFCxVmkdkTG5LaSZLE
         g57Qzy+PNbSGgZfipk9BsBrC8Jlgq3yVyF0MAZ6xRkAMPHWAMEGMTCflLFF11gcvHNC0
         jNyA==
X-Gm-Message-State: ALoCoQlbKu8UrUVZ/xHnWLcee3MiyzBtKcJZDuFPZsRDvDYJhl/Xbq+kO7LmNjd/RYEi5sG1sN3S
MIME-Version: 1.0
X-Received: by 10.236.17.34 with SMTP id i22mr2853879yhi.110.1392901430039;
 Thu, 20 Feb 2014 05:03:50 -0800 (PST)
Received: by 10.170.188.139 with HTTP; Thu, 20 Feb 2014 05:03:49 -0800 (PST)
In-Reply-To: <CAGa2bXbeGGFHJe8t7=9yDpuODWRq9+eVSeQ339j=1gzd4x9wGA@mail.gmail.com>
References: <CAPhkiZxqmUVR3MhdMUBUuKxxkXndoTdoffbfuQ0oGc5JMvQ8dg@mail.gmail.com>
	<CAGa2bXbBnPQHqBUxe=S3HZtvQHQLdomEM4CEF3F+O0mf4oaktA@mail.gmail.com>
	<CAPhkiZx2sFqDmvdAsxOqqcrN6P09HW7MzFOA0cZbZ_2ruN4izw@mail.gmail.com>
	<CAGa2bXZbiTk_a=aJJY4iUPPaNQbv0yhyU2t6dXv2hAo0atiTdA@mail.gmail.com>
	<5302ABF6.60407@sugarcrm.com>
	<CAGa2bXbeGGFHJe8t7=9yDpuODWRq9+eVSeQ339j=1gzd4x9wGA@mail.gmail.com>
Date: Thu, 20 Feb 2014 15:03:49 +0200
Message-ID: <CAPhkiZx_sff8AcucRpHxb=f2w2DxKHt7SrOjQ1oTomrSa0oo-Q@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default
From: narf@devilix.net (Andrey Andreev)

Hi again,

> Length check is trivial, then why not check  and discard by module instead of accepting invalid session ID and let users check and discard?

It is trivial, but also arguably useful. The reasoning for any
addition should be "what's the benefit" instead of "it's trivial, so
why not".

> There is threat and it could be removed with length check.
> Let's have the check and forget about timing attack!

Consider this scenario:

 - Attacker accesses the site without sending a session cookie
 - Site responds, giving them a newly generated session ID (this is
where length becomes public).
 - Attacker doesn't care about your length check, because instead of
sending <first char(s)>, they can now send str_pad(<first char(s)>,
<received session ID length>, '0')

Anybody with the knowledge and resources to perform a successful
timing attack will bypass the length check without even knowing that
there is one. Bottom line is, length check will NOT prevent a timing
attack.
Also, you didn't actually answer to my other comments, this is what I said:

>> This still doesn't explain how it would work.

Rephrasing: the RFC barely describes what id_length does and the name
itself isn't descriptive.

>> And why is it necessary as a setting instead of auto-detecting it? The
>> valid length should be easy to calculate.

Rephrasing: Don't make it a setting. Decide the (exact) length based
on the hash_function and hash_bits_per_character settings. You simply
don't need this to be configurable, and exposing it as an ini setting
can only cause issues for inexperienced users who change it.

Stas raised the same concern:

> I could see it as an internal check - defensive coding and all - where length is pre-calculated and checked internally. This is fine - but as a user setting that inevitably will be set wrong and cause trouble - I just don't see the point.

> The reason why I proposed this as user setting is user may have prefixed session ID. If this is the case, internally set minimum length could be useless.

Why is it that you use this prefix as an argument for everything? This
isn't even a feature supported by PHP, it's a possible userland
implementation.

>> Why would they send short ID if they could send full-length ID and
>> easily defeat your checks?
>>
>
>3 reasons.
> - Hash used by session may fallback to SHA-1 from SHA-256

What?! Why would that happen?

> - User may set hash to SHA-1 or md5 by mistake or intentionally

Again, the length should be decided based on the setting. How the user
configures it is not your problem.

On Tue, Feb 18, 2014 at 8:46 PM, Zeev Suraski <zeev@zend.com> wrote:

> This was previously discussed but I have to agree with Andrey (and maybe
> even go beyond what he said) - the hash_bits change doesn't belong in this
> RFC.  First, it has no security implications and it's not entirely clear
> from the RFC.  Second, I don't feel that the implications of that change are
> clear, beyond some mention that "this could not be an issue for almost all
> apps", which personally I don't think is accurate - but either way, we need
> some better analysis here.

After the lengthy discussion, I think the real problem is the lack of
clarity about this in the RFC.
If the hash_function is changed to one producing a longer length
string, then increasing hash_bits_per_character would complement that
change to somehow maintain BC.

For example, a custom session save handler using a database will most
likely have a varchar(40) field for the session_id. Switching to
sha256 and not changing hash_bits_per_character or the field's maximum
length will cause trouble.

IMO, this just needs to be properly described in the RFC.

Btw, the "Backward Incompatible Changes" section currently says
use_SCRIPT_mode instead of 'strict' - needs a fix as well. :)

Cheers,
Andrey.