Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:92214 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 81319 invoked from network); 12 Apr 2016 08:21:41 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 12 Apr 2016 08:21:41 -0000 Authentication-Results: pb1.pair.com smtp.mail=mike.php.net@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=mike.php.net@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.51 as permitted sender) X-PHP-List-Original-Sender: mike.php.net@gmail.com X-Host-Fingerprint: 74.125.82.51 mail-wm0-f51.google.com Received: from [74.125.82.51] ([74.125.82.51:33748] helo=mail-wm0-f51.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 90/57-28094-410BC075 for ; Tue, 12 Apr 2016 04:21:40 -0400 Received: by mail-wm0-f51.google.com with SMTP id f198so176820574wme.0 for ; Tue, 12 Apr 2016 01:21:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=e6P2DcyUWImALSLc70VGVb7osXSAolxMjOi+Fh+1POs=; b=hDsOfhe7+/yb+SLpKgm5ACIhTny4SWRzbJC6LE+66kre/6MJmKAR1T5SjvyDomht0f UoNxZdgaNBkTlP5FZrJTQe1PtOqla5bNHI8wbnVgOhjHlPXxKIfwuPzZuOtTfj7178wy J6qYmUzuIzKmngTrFKvUacjWxMm2SghQWLzxBsFxU2a6dz3nlxZJp3ZjT3CUmKwVbnwg r0DBmMPM4Bjsu4vOk1xzNpYDvgD0GjDYaeSTB6AEfEN9FgXS6YR4zZO2MovLRDe0dxVi BrSwBajJL/D3quHFs9e8+yNiltEaeWhdzjCCDN/pfCjGqxJiF22Xwlt9aOSmeM9K9Ib9 MVgA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:sender:subject:to:references:cc:from:message-id :date:user-agent:mime-version:in-reply-to; bh=e6P2DcyUWImALSLc70VGVb7osXSAolxMjOi+Fh+1POs=; b=Apw16wsR89Xwi5bhXii3a3GGLd1Vv+6GSN0d0b8DsnnPaTybLIsDRUmJbtg1XyTFGP a2XJ4XMxz5mn24u8VAb3+umyTATLMLp7LjDhK4XucwXGS9SaGI9/VtvlPhM37MTfT6xi xdQ9mwgr3p+c0Gt/IXcQqixRVBmiM0O+pUmqbj2OMIDkV9kkdagpDrYKO11bp7pV3JtJ JkNBj8NBlXZ8jZCrUH4adsO5gANu+oM24dO0FqYL4GC9q93j24v1GJzsxT4zgi00Z0LI 0B+kc4Zv2UnTusCyuot2eEBVkIcIK8kvwMfombT6iEjGf6HPWbjaB/ElBqQyt/qV5juX cCMg== X-Gm-Message-State: AD7BkJJlT5x48AvKljx+ybrlFeLWWislTorR68Qz3Zhy8WpO0d/MESGcv3Er1PpdXx1iow== X-Received: by 10.28.170.137 with SMTP id t131mr22382309wme.74.1460449297487; Tue, 12 Apr 2016 01:21:37 -0700 (PDT) Received: from [192.168.2.120] (89-104-28-113.customer.bnet.at. [89.104.28.113]) by smtp.googlemail.com with ESMTPSA id w202sm21415638wmw.18.2016.04.12.01.21.31 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 12 Apr 2016 01:21:31 -0700 (PDT) Sender: Michael Wallner To: Yasuo Ohgaki , Stanislav Malyshev References: <5706EEF3.3050705@gmail.com> Cc: "internals@lists.php.net" Message-ID: <570CB007.2080503@php.net> Date: Tue, 12 Apr 2016 10:21:27 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Kine6MD3DJPUiqqktlcNOxi8uO64IgguT" Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Session ID without hashing From: mike@php.net (Michael Wallner) --Kine6MD3DJPUiqqktlcNOxi8uO64IgguT Content-Type: multipart/mixed; boundary="IdbBI7LVuom43M2JF013xXihL0LGic0wW" From: Michael Wallner To: Yasuo Ohgaki , Stanislav Malyshev Cc: "internals@lists.php.net" Message-ID: <570CB007.2080503@php.net> Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Session ID without hashing References: <5706EEF3.3050705@gmail.com> In-Reply-To: --IdbBI7LVuom43M2JF013xXihL0LGic0wW Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 08/04/16 04:17, Yasuo Ohgaki wrote: > PRNG like /dev/urandom is supposed to be secure, but fair point. It > may be good idea keeping old hash based session ID just in case > someone find vulnerability. I suppose it's unlikely with modern PRNGs, > though. I've come to think that "unlikely" is still a bad precondition with regards to security... :) >=20 > If we have to care about PRNG state exposure, code may be changed to > read random length from RPNG. This would be good enough mitigation. I > would like to hear from PRNG experts if this is good enough. (or not > needed) >=20 >> Second, I do not see why we need to do maximum >> breakage change if we could just make an identity "hash" function and >> support both cases. "Session generation performance" does not have a l= ot >> of meaning here - I'd be very surprised to see any application that is= >> bound by the speed of generating session IDs. >=20 > w/ Patch: Requests per second: 2278.59 [#/sec] (mean) > w/o Patch: Requests per second: 899.36 [#/sec] (mean) > (This is CLI server and "ab -c 20 -n 100000" result on Core i7 4770s Li= nux) >=20 > I didn't expect this much difference, but this is the result. Since > security experts advise to change session ID relatively high frequency > (few minutes to half an hour), this difference may be noticeable apps > returning cached JSON. I know apps that change session ID on every > request. (This should be done with caution. Otherwise, you may > experience lost sessions a lot due to race conditions) Such apps will > see performance gain. This RPS change is the result of just omitting hashing of the session id?= --=20 Regards, Mike --IdbBI7LVuom43M2JF013xXihL0LGic0wW-- --Kine6MD3DJPUiqqktlcNOxi8uO64IgguT Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJXDLAHAAoJEEgOPhSwpMfHNWEH/A5KtxyYRxWo9iNStHUn086K K7Gb/Q4p8dZkrjY+pvgkidA76HQCJEupRnOu0wkLQ/+EfQVLWlZjRA1znxCkIhgM Sm2G1nCmg9PfR6sZGy05Sn/BUCDAVpoc6wgmVRpmLnnOi2T0UxGQJbvxF4/NlqIH xDQs3nPRvHF6kKtHcDeaGgA+oFgAXfjSAGABEQfOeRpRvs4cdf6w+QABRK/6xy+H AZkq04cDZhfS+Bsr932vEMjrvVvGxqsWibj3ZgFItXNoqRPf25UgqALODI75rRCi oYkvN+q9PDT7eM1R1Vu36ynjyn3EUtZ+upnEEV6fMEeyKsrEiYtndKcJ2ZMW69I= =Q3Vv -----END PGP SIGNATURE----- --Kine6MD3DJPUiqqktlcNOxi8uO64IgguT--