Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:92240
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 60419 invoked from network); 13 Apr 2016 03:12:59 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 13 Apr 2016 03:12:59 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.194 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.220.194 mail-qk0-f194.google.com  
Received: from [209.85.220.194] ([209.85.220.194:35397] helo=mail-qk0-f194.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id BB/23-33659-A39BD075 for <internals@lists.php.net>; Tue, 12 Apr 2016 23:12:58 -0400
Received: by mail-qk0-f194.google.com with SMTP id u190so1079013qkh.2
        for <internals@lists.php.net>; Tue, 12 Apr 2016 20:12:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=685S/3q1CZpzjzPgwZM3HLb7rQr7FgnXl5TVeTEl8b4=;
        b=yOjF5bWvumjdzUaIwev/LWxOkVIH2mqkr8CJjl5+0PfpyiO+QZZkDpxCjdvh95Aa/K
         A1aGDc6CwOer8iCTFJA5ainN3E9JpgzP39o81fYmLKqTWoU7kSRxdy7+vkzIufMrn8Y2
         TSdD6Jm3glgcxKCk8o1/4tE9MP/jOMV8COMM4DXFn6pAvL1S6gXCs8H84bKeXklNYC1B
         vlI2POex24zKTtUvAzUbxXLdkOY3W6qa6auChTyp+D+2ZBCam310tDbtzt4GKDl7rL6R
         rPFOwLXGfU1Sx6eLBTSjvXIfviBbuOszEhXRcQkTnsTHmpRmJBkaSBmjW/+VnigYsZqn
         091g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=685S/3q1CZpzjzPgwZM3HLb7rQr7FgnXl5TVeTEl8b4=;
        b=LVPEbqihw4Tn4h08wwvQFFozQXbBhpwZUf+WfHDlnJcRmQ1bfRSbuIUwmx2OOra+Eb
         mAbv8A4EWIZzSsdPA/eGuVpH1vOzyloNLP3I5dn4e4MvscRh85z2QNB9+PNAFS4mr3Z7
         G2IKKDhIsDtBzDT26+vUc1NMz9FYDnX45GCjWqUJWE5clzXHoVmUGGjZ3WEtkSjkLvXV
         ayKxenY831T//6AIb/BeI6OUlDVtDI8rkqgTEeHwzQg/87jObdl48VuY82H6DPkYrsDq
         Sjbgr+6wqpcS1ZI1dnOw6Wft1SK17MfyPYGvg9/6aDxaztSBIVGaoY2BICJRjb2/Yly+
         Bgkg==
X-Gm-Message-State: AOPr4FXHFssp3Z+gHSV3ILlKDZy0POKtzmsLFPPfU0NB8Ah2UZm35XvhSpuUiA6nEm5q8+sg/mfCTfeIrNVlHw==
X-Received: by 10.55.79.5 with SMTP id d5mr7896172qkb.30.1460517175388; Tue,
 12 Apr 2016 20:12:55 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.140.39.175 with HTTP; Tue, 12 Apr 2016 20:12:15 -0700 (PDT)
In-Reply-To: <570D1E89.4050702@gmail.com>
References: <CAGa2bXY3Zdrq-vU6_gCJVC3smP7DooBsKFNmQpz=ksdKsQORbQ@mail.gmail.com>
 <5706EEF3.3050705@gmail.com> <CAGa2bXbQkw2ouDJf5FHk3dbA4Xea4DmCwPdHUt_WRQ7H=EMAeQ@mail.gmail.com>
 <570D1E89.4050702@gmail.com>
Date: Wed, 13 Apr 2016 12:12:15 +0900
X-Google-Sender-Auth: j5cHGa3tTzeOVA3LfBl0GYSxQ9I
Message-ID: <CAGa2bXbjGuZ5R2hSAaVJSnQV_2zxtGLY4myOy3SaSXo4ppvABQ@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Session ID without hashing
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Stas,

On Wed, Apr 13, 2016 at 1:12 AM, Stanislav Malyshev <smalyshev@gmail.com> wrote:
>
>> PRNG like /dev/urandom is supposed to be secure, but fair point. It
>> may be good idea keeping old hash based session ID just in case
>> someone find vulnerability. I suppose it's unlikely with modern PRNGs,
>> though.
>
> That assumes we use /dev/urandom directly and it is always available on
> all systems and always accessible to PHP. I don't think it is the case
> now, is it?

Yes and no.
Patch uses php_random_bytes(), so it uses appropriate PRNG for the system.
php_random_bytes() is supposed to be available always.

>
>> If we have to care about PRNG state exposure, code may be changed to
>> read random length from RPNG. This would be good enough mitigation. I
>> would like to hear from PRNG experts if this is good enough. (or not
>> needed)
>
> We have pretty good way of removing this problem. It's called hashing.
> Now we are inventing our own crypto tricks to not use existing and
> proven method of doing it. This looks like bad idea to me. We do not
> have expertise to even evaluate if it's safe.

Experts say secure PRNG like /dev/urandom is safe.

>> w/ Patch: Requests per second: 2278.59 [#/sec] (mean)
>> w/o Patch: Requests per second: 899.36 [#/sec] (mean)
>> (This is CLI server and "ab -c 20 -n 100000" result on Core i7 4770s Linux)
>
> My point is it does not matter. Nobody cares if session ID generation
> takes 1 ms instead of 2 ms.
>
>> request. (This should be done with caution. Otherwise, you may
>> experience lost sessions a lot due to race conditions) Such apps will
>> see performance gain.
>
> No they won't. Even if they change session ID on every request (which
> sounds extremely weird, I have never seen anybody doing it and would
> never recommend doing it) the different would still be unnoticeable if
> the application does anything beyond generating session IDs. Unless you
> can show speedup on real apps, I don't think this point is worth ever
> mentioning again.

Why shouldn't?
It's just a use case in the wild.

The reason why regenerating session ID always is not recommended is
because there is no "Time Stamp" based management in current session
which is declined recently.

If time stamp based session management is used, there is no worries
updating session ID on every request.

>> We cannot control PRNG behavior. It's enabled for broken PRNG
>> insurance. use_strict_mode=1 (detecting session ID collisions) is
>> mandatory, anyway.
>
> If we are assuming broken PRNG, it surely is unsafe to export its state
> to the whole world. Either we assume PRNG is safe and sound, or not. And
> I really don't like the idea of grouping unrelated changes together.

Discussion is based on FUD.
AFAIK, I saw papers state PRNGs are secure enough, but opposite.
(We can safely ignore side channel attack issue, I suppose)

>
>> has comment for keeping hash/PRNG related INIs? I would like to remove
>> hash/PRNG related INIs if not many of us insist.
>
> I think removing existing INI entries is completely unnecessary and just
> creates BC problems without any benefit.

There is no BC.
Removed INI are just ignored if users are used.

Security concern is endless. We need to trust something, otherwise
endless mitigation is required.

Modern secure PRNGs are good enough to rely on just like other security
related features like hash, encryption, etc. Simple mitigation like reading
random length from PRNG should be good enough for those who are
concerned secure RPNG vulnerability.

Question is "Current session ID is generation is optimal way?" or "Is it
better than proposed one?" If so, why?

Crypto experts say "secure PRNG is safe", why should we care too much
about secure PRNG vulnerability? Why we should invent our own entropy
added random value and take hash of it?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net