New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix #87: security helper converted into component and improved #4089
Fix #87: security helper converted into component and improved #4089
Conversation
@@ -17,7 +17,7 @@ When a user provides a password for the first time (e.g., upon registration), th | |||
|
|||
|
|||
```php | |||
$hash = \yii\helpers\Security::generatePasswordHash($password); | |||
$hash = \yii\helpers\Yii::$app->getSecurity()->generatePasswordHash($password); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
\yii\helpers has to be removed in this document.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
Should we then change
Which one to choose ? Maybe last one is better IMO |
What do you mean. |
ah, i see so you make it with simple replace , ok |
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.'; | ||
|
||
return substr(str_shuffle(str_repeat($chars, 5)), 0, $length); | ||
return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mcrypt
should be put in the minimum requirement of Yii then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose we can keep orignal fallback.
Looks good to me overall. Good job! |
TODO: advance |
Btw, what if password and encryption functions would be split into separate classes, i.e. Then calling for example Then they could be configured separately or overriden, for example:
|
Such separation has been already rejected. |
* Static helper `yii\helpers\Security` has been converted into an application component. You should change all usage of | ||
its methods to a new syntax, for example: instead of `yii\helpers\Security::hashData()` use `Yii::$app->getSecurity()->hashData()`. | ||
If you have used `yii\helpers\Security` for encryption or hash generating, you need to explicitly configure 'security' | ||
component for the legacy code support in following way: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To make more clear that the following is not recommended but only for apps that must reuse cyphertexts generated with the previous version:
Yii has upgraded its default encryption and hash parameters since Yii 2.0 Beta. If you need to decrypt/validate data that was encrypted/hashed before this upgrade, use the following configuration of the 'security' component:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Applied.
], | ||
// ... | ||
]; | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could add another note:
You may configure two components
'legacySecurity'
and'security'
with different configurations to use the legacy component to deal with values encrypted with the old class.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes but insert "and re-encrypt/re-hash using the 'security' component" at end.
I'm uncomfortable with the fallback to PHP iteration of We sacrificed portability with the original password helper because With this revision from @klimov-paul we are requiring But fallback to PHP iteration in |
Define "general attacks". Exhaustive search? Nope. |
Based on the papers that I posted, it is a bad choice. |
At papes, which you have posted says it is no reason to worry about AES-256. It said there rather clearly. |
Repetita iuvant:
|
@ekerazha are you only refering to the abstract of the paper or have you read it in full? As far as I understand from the abstract the decision to make here needs complete information about the whole details of the paper content. |
@cebe I read it, and although I'm not a cryptography expert, I'm a graduated computer engineer and I perfectly know what "computational complexity" is. This is not philosophy and these are numbers: AES-128: 2^126.1 (biclique attack) |
I see your point with comparing complexity but that is not all that has to be considered. There may be other attacks that have different complexity and may be more practical than the ones described in the paper. There also seem to be a bunch of papers with more up to date information. Yours is from 2009. To decide on this topic we should also check out information in more up to date papers describing differnt attacs. |
Here are the quotations from the links you provided: http://eprint.iacr.org/2009/374 says:
Conclusion at http://eprint.iacr.org/2009/317 says:
Conclusion at https://www.schneier.com/blog/archives/2009/07/another_new_aes.html says:
Can you point a sentence, which explicitly says AES-192 should be preferred to AES-256? |
I took what currently is the best attack for every algorithm: biclique attack for AES-128 and related-key attacks for AES-192 and AES-256. |
Repetita iuvant: AES-128: 2^126.1 (biclique attack) |
Can you give a reference that states that these are the "best attacks"? @ekerazha as said before, just numbers are not the only thing to decide on this topic. |
If you want a "summary": http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
|
It is. Cryptography is math. |
Once again your own links prove your wrong: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard says:
|
You are pointing to the abstract mathematical experements and algorithm, wich in some abstract case can break AES algorithm, while NONE of them is feasible! |
While completely ignoring the common threats, which higher key size opposites better. |
77a186b9e9f8c21e26d3f64dc9e8009ffee137de81ba7a942cd5af4fcbad9532s:32:"�Ï��:�)Û²È1Wa)��©e�>��H7JÑ'd¾×À�"; as the cookie of csrf token. |
You still have to define "common threats" or "general attacks". Please stop spreading urban legends and bring scientifically valid arguments like I did. |
That's true, but you still have to explain why you should deliberately choose an algorithm with a poorer security margin (AES-256) when you can choose an overall better algorithm (AES-192). |
In a nutshell... computational complexity for key recovery against AES: Exhaustive search
Biclique attack
Related-key attack
At the moment every attack is not computationally feasible (AES is not broken). The point is that the best thing is to choose the algorithm with the best security margin. Actually, it is AES-192 because the best attack against AES-192 has a 2^176 complexity, while the best attack against AES-256 has a 2^99.5 complexity (2^99.5 < 2^176) and the best attack against AES-128 has a 2^126.1 complexity (2^126.1 < 2^176). So, while these attacks are all infeasible, AES-192 has the best security margin (at the moment). And while it's true that related-key attacks are more difficult to be performed (because you need relations between different keys), they can be performed (still, at the moment a key recovery is not computationally feasible, as I've already said). So, while AES-128, AES-192 and AES-256 are all safe to use (at the moment), AES-192 has the overall larger security margin and it is the most balanced algorithm (at the moment). Moreover, as I've already said, AES-128, AES-192 and AES-256 use a 128 bit block size, so that's another thing to fix (in the merged code it says that AES-256 uses a 256 bit block size). |
/** | ||
* @var string strategy, which should be used to generate password hash. | ||
* Available strategies: | ||
* - 'password_hash' - use of PHP `password_hash()` function with PASSWORD_DEFAULT algorithm. This option is recommended, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't entirely understand PHP's documentation for PASSWORD_DEFAULT
.
I think it says that PASSWORD_DEFAULT
is – at present – the same as PASSWORD_BCRYPT
in all versions of PHP >= 5.5.0 but that it may change in the future if PHP decides to adopt a stronger algorithm.
Can someone verify this for sure?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PASSWORD_DEFAULT will change over time. Check out the RFC Documentation for more details.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ircmaxell thanks. Can you confirm that PASSWORD_DEFAULT at present amounts to the same thing as PASSWORD_BCRYPT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you
Ok, here's my $0.02: AES-256 is weaker than AES-192In specific cases, yes it is. In the general case, no it is not. In the specific case used here, it's not. Related key attacks are extremely useful when you're deriving keys. If you're using a single key, this is not a problem. If you're deriving keys similar to how WAP did, you're in big trouble. In the case used here where it's used as a simple block cipher with random keys (or strongly derived keys using PBKDF2 or HKDF), AES-256 is still significantly stronger. So yes, the best possible attack against AES-256 is faster than the best possible attack against AES-192, the usage here isn't likely to trigger that style of attack. Therefore, the best case attack is still 2^254.4 The Bottom LineI think it's worthless to discuss. PHP isn't a strong enough language to provide robust crypto in the first place. The presence of side-channel attacks and the chances of an implementation error are going to be the security threats. If you're storing data where the attacks against AES are important, then they are going to be far more effective by attacking PHP than the AES encrypted data. Let's be real with the expectations of the secured data... |
* - 'pbkdf2' - PBKDF2 key derivation. This option is recommended, but it requires PHP version >= 5.5.0 | ||
* - 'hmac' - HMAC hash key derivation. | ||
*/ | ||
public $deriveKeyStrategy = 'hmac'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we change the default to "pbkdf2"
? I know it won't work in PHP 5.4 but the exception thrown alerts the developer to the security question and explains how to fix it. I think this is a good way to nudge people to 5.5 if they want to use key stretching.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure it's a good idea. 5.5 isn't that wide adopted yet and it's very likely that people will use 5.4 sice framework itself runs well on it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I withdraw my request. I ran some tests and found that the PHP loop implementation is much faster than I imagined. It's something like 30% slower than hash_pbkdf2()
. Test code here
There are discrepancies with the IETF test vectors that I will report in an issue.
It's a curious statement when you consider the current implementation (PHP fallbacks etc.).
It could be possible, therefore AES-192 is better than AES-256 because it is the algorithm with the more balanced security margin. |
Fix yiisoft#87: security helper converted into component and improved
Fix #87: security helper improvement
Migrated from #4052