• Welcome to Valhalla Legends Archive.
 

[MySQL/PHP] Repeat values?

Started by Barabajagal, October 11, 2007, 02:06 PM

Previous topic - Next topic

iago

I suppose using security by obscurity works a bit, but that's not what salt is designed for -- salting is designed for an open system, where the source can be examined. I guess I'm so accustomed to opensource stuff.

One potential attack against that that immediately comes to mind is for a user to find his own record and bruteforce the salt. Since the IP is known, it might not be as difficult. Just a thought.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Banana fanna fo fanna

You're supposed to store a unique salt along with each item in the database, IIRC. I might just be really tired, but I think that there's no point in salting a field if the salt is the same for each item (can't you still do precomputing attacks?)

You should assume that the attacker can get your source, your database, and your encryption keys.

And if you care about user privacy, just do a regular hash of them. If you salt them the way you are supposed to like I talked about earlier, you lose the one-to-one mapping of IP address to IP address hash.

Hdx

It's mainly for the computer illiterate who know what an IP is, but know nothing about security.
(There are a lot of people)
Just tell them that its hashed/encrypted. And they feel a lot better.
~Hdx

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

iago

Quote from: Banana fanna fo fanna on October 14, 2007, 08:55 PM
You're supposed to store a unique salt along with each item in the database, IIRC. I might just be really tired, but I think that there's no point in salting a field if the salt is the same for each item (can't you still do precomputing attacks?)

You should assume that the attacker can get your source, your database, and your encryption keys.

And if you care about user privacy, just do a regular hash of them. If you salt them the way you are supposed to like I talked about earlier, you lose the one-to-one mapping of IP address to IP address hash.
You can still do precomputation attacks, but it would have to be so specific (against his particular implementation) that it would never happen.

But you're right, having a constant salt can cause other problems, and I wouldn't be surprised if it weakened the hashing.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Camel

You should modify your code so that users who log in between 11:59 PM and 12:00AM are counted.

Also, you should do more research in to whatever database you're using; you could save yourself a lot of time by having the DB do all of the processing.

Barabajagal

Like I said, I already rewrote everything. The code in the first post is now obsolete.

Regarding the salt: Here's what I actually did so you guys will shut up. I hashed the IP address via MD5. I then split it in half [S1 and S2] and capitalized S1 (S2 lowercase). I then put S2, the IP again, and S1 into a second MD5 hash. Good enough?

iago

Quote from: Andy on October 16, 2007, 02:41 PM
Regarding the salt: Here's what I actually did so you guys will shut up. I hashed the IP address via MD5. I then split it in half [S1 and S2] and capitalized S1 (S2 lowercase). I then put S2, the IP again, and S1 into a second MD5 hash. Good enough?
No, it's pointless for all the reasons stated above.

And correct me if I'm wrong, but that means you don't even have a salt, the MD5 is based 100% on the IP address, which means the domain of possible hashes is still 4.2 billion known values, which can be calculated in a reasonable time.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Banana fanna fo fanna

Quote from: Andy on October 16, 2007, 02:41 PM
Like I said, I already rewrote everything. The code in the first post is now obsolete.

Regarding the salt: Here's what I actually did so you guys will shut up. I hashed the IP address via MD5. I then split it in half [S1 and S2] and capitalized S1 (S2 lowercase). I then put S2, the IP again, and S1 into a second MD5 hash. Good enough?

No. Just hash it once using SHA-2.

Barabajagal

Except that the attacker wouldn't know the way they were hashed, so if you try to calculate all the MD5 values for possible IPs, none of them would match up, and adding a static salt to them wouldn't help either.

iago

Unless, of course, the attacker reads this forum?

In any case, security by obscurity isn't generally considered a valid method of security. You have to assume that the attacker has access to your sourcecode, then try to security it based on that assumption.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Barabajagal

Even if they read it, it won't help. It's not some program I'm releasing or selling for money. It's an unsecure connection to a php page that displays your IP and happens to store it as well for statistics use.

Banana fanna fo fanna

"Go big or go home"
- Poet Laureat Johnny Tsunami