[PHP] Is this unsecure?
Hi,

I have bumped into a problem. I need to use a web service that is located on server B from server A. The server B will execute a script when the web service is accessed and an email is sent as a parameter. The problem is, if I only have the email as incoming parameter, anyone can just figure out the url for the web service, the name, and then just send the email to that address.

To make this a little bit secure I set it up so two parameters are sent, the email and a confirmation code. First I was just thinking to basically have a password sent with, and if that is correct just execute the script. However, due to server restrictions I can not run it on HTTPS, so that also loses value.

So this is how I solved it: I send a parameter with the request that is the email, some extra characters and then MD5 on that. I do this on server A and then server B just checks if it is the same resulting string. If so, we know it comes from server A because that server is the only one that knows the extra characters used.

$authstring = md5('asdf'.$email.'fdsa');

Would this be hard to crack assuming that the one who cracks does not know the characters that are used to generate the $authstring?

Maybe someone has experience with this? Or just a comment?

Best regards,
Peter Lauri

http://www.lauri.se/ - personal web site
http://www.dwsasia.com/ - company web site
Re: [PHP] Is this unsecure?
On Tue, 2006-09-05 at 16:04 +0700, Peter Lauri wrote:
> I have bumped into a problem. I need to use a web service that is located on server B from server A. The server B will execute a script when the web service is accessed and an email is sent as a parameter. The problem is, if I only have the email as incoming parameter, anyone can just figure out the url for the web service, the name, and then just send the email to that address.

Why not just use SOAP envelope authentication?

--Paul

All Email originating from UWC is covered by disclaimer http://www.uwc.ac.za/portal/uwc2006/content/mail_disclaimer/index.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Is this unsecure?
Isn't that just to send a username and password with the request? Or is the username and password protected somehow in that process?

-----Original Message-----
From: Paul Scott [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 05, 2006 4:08 PM
To: Peter Lauri
Cc: php-general@lists.php.net
Subject: Re: [PHP] Is this unsecure?

On Tue, 2006-09-05 at 16:04 +0700, Peter Lauri wrote:
> I have bumped into a problem. I need to use a web service that is located on server B from server A. The server B will execute a script when the web service is accessed and an email is sent as a parameter. The problem is, if I only have the email as incoming parameter, anyone can just figure out the url for the web service, the name, and then just send the email to that address.

Why not just use SOAP envelope authentication?

--Paul
Re: [PHP] Is this unsecure?
> $authstring = md5('asdf'.$email.'fdsa');

md5 is unsecure. Use sha1 ( http://www.php.net/sha1 ) instead
Re: [PHP] Is this unsecure?
Ruben Rubio wrote:
> md5 is unsecure. Use sha1 ( http://www.php.net/sha1 ) instead

SHA1 has also been partially broken. Until more hash algorithms work their way into PHP, using both md5 and sha1 plus the remote IP as mentioned in a previous email would certainly add to the security of the system.

Personally, I think that md5 is fine for the purpose outlined. I believe that md5's weakness is in that it's possible to generate collisions, so since in this case the original email is known, collisions are less relevant. (They're trying to crack the password that is the appended letters, by brute-forcing combinations of character group 1 + email + character group 2.) It seems to me that collisions don't help. Please correct me if I'm wrong - I'm definitely no cryptographer. ;-)

jon
Re: [PHP] Is this unsecure?
What you are doing is what banks have been doing for ages with wire transfers and it is called MAC, Message Authentication Code (not related to an Ethernet MAC address at all).

Wire transfers are sent in clear text amongst banks. Each bank has set a 'signature' (a code) with each other. They use an algorithm which includes the message itself and that code. Notice that the message is sent in clear text. It doesn't matter that MD5 is not secure or that it can be decrypted (which, in fact, it cannot, since it is a one-way code), the important point here is that the extra code appended to the clear message is never found. Actually, amongst banks not only the message is sent in clear text but the algorithm is well known, the only thing that is not known is the validation code, which is changed every so often so that even if found out, it cannot be used for long.

Just make sure that you have a safe means of exchanging keys in between the servers every now and then. Banks usually send a book of keys for a certain period physically amongst them and only when they are received and it is certain they have not been intercepted or tampered with they get used.

Satyam

----- Original Message -----
From: Peter Lauri [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Tuesday, September 05, 2006 11:04 AM
Subject: [PHP] Is this unsecure?

> Hi,
>
> I have bumped into a problem. I need to use a web service that is located on server B from server A. The server B will execute a script when the web service is accessed and an email is sent as a parameter. The problem is, if I only have the email as incoming parameter, anyone can just figure out the url for the web service, the name, and then just send the email to that address.
>
> To make this a little bit secure I set it up so two parameters are sent, the email and a confirmation code. First I was just thinking to basically have a password sent with, and if that is correct just execute the script. However, due to server restrictions I can not run it on HTTPS, so that also loses value.
>
> So this is how I solved it: I send a parameter with the request that is the email, some extra characters and then MD5 on that. I do this on server A and then server B just checks if it is the same resulting string. If so, we know it comes from server A because that server is the only one that knows the extra characters used.
>
> $authstring = md5('asdf'.$email.'fdsa');
>
> Would this be hard to crack assuming that the one who cracks does not know the characters that are used to generate the $authstring?
>
> Maybe someone has experience with this? Or just a comment?
>
> Best regards,
> Peter Lauri
>
> http://www.lauri.se/ - personal web site
> http://www.dwsasia.com/ - company web site
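The message authentication code described in the message above, written with PHP's hash_hmac() rather than a bare md5() over secret and data, as an added example that is not part of the thread. The key ids, secrets and 300-second freshness window are assumptions; the key id allows the shared code to be changed periodically, and the timestamp is covered by the MAC so a captured request stops verifying once it is older than the window.

```php
<?php
// Added example, not code from the thread. Key ids, secrets and the
// 300-second window are constructed placeholder values.
const KEYS = [
    'k1' => 'placeholder-secret-1-use-32-random-bytes',
    'k2' => 'placeholder-secret-2-use-32-random-bytes',
];
const MAX_AGE = 300; // seconds a signed request stays acceptable

function mac_for(string $email, string $kid, int $ts): string
{
    // Length-prefix the email so field boundaries are unambiguous.
    $msg = $kid . '|' . $ts . '|' . strlen($email) . ':' . $email;
    return hash_hmac('sha256', $msg, KEYS[$kid]);
}

// Server A: build the parameters to send with the request.
function sign_request(string $email, string $kid, int $now): array
{
    return ['email' => $email, 'kid' => $kid, 'ts' => (string) $now,
            'mac' => mac_for($email, $kid, $now)];
}

// Server B: accept only a fresh request whose MAC matches.
function verify_request(array $req, int $now): bool
{
    foreach (['email', 'kid', 'ts', 'mac'] as $field) {
        if (!isset($req[$field]) || !is_string($req[$field])) {
            return false;
        }
    }
    if (!array_key_exists($req['kid'], KEYS) || !ctype_digit($req['ts'])) {
        return false; // unknown or retired key id, or malformed timestamp
    }
    $ts = (int) $req['ts'];
    if (abs($now - $ts) > MAX_AGE) {
        return false; // too old, or clocks too far apart
    }
    // hash_equals() compares in constant time.
    return hash_equals(mac_for($req['email'], $req['kid'], $ts), $req['mac']);
}

$now = 1157450640; // constructed timestamp
$req = sign_request('user@example.com', 'k2', $now);
var_dump(verify_request($req, $now + 10));                                    // fresh, untouched
var_dump(verify_request(['email' => 'other@example.com'] + $req, $now + 10)); // email changed
var_dump(verify_request($req, $now + 3600));                                  // same request, an hour later
```

Removing a key id from KEYS on server B retires that secret without touching the request format.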
Re: [PHP] Is this unsecure?
Peter Lauri wrote:
> Isn't that just to send a username and password with the request? Or is the username and password protected somehow in that process?
>
> -----Original Message-----
> From: Paul Scott [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 05, 2006 4:08 PM
> To: Peter Lauri
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Is this unsecure?
>
> On Tue, 2006-09-05 at 16:04 +0700, Peter Lauri wrote:
> > I have bumped into a problem. I need to use a web service that is located on server B from server A. The server B will execute a script when the web service is accessed and an email is sent as a parameter. The problem is, if I only have the email as incoming parameter, anyone can just figure out the url for the web service, the name, and then just send the email to that address.
>
> Why not just use SOAP envelope authentication?
>
> --Paul

Peter,

The approach is fairly secure. But it would be much better to use the output buffer to append a chunk of characters to the whole page and then md5 that. This makes it much less likely that a snooper could brute-force attack the system.

The next stage beyond that is just to AES encrypt the whole communication. As you have access to both ends, there is no requirement for asymmetric cryptography. Then simply put a known phrase at the start of the request, which the other end checks for after decryption, and if it is not there it rejects the message. Crank that up to 256-bit encryption and you have a commercial spec system :-)

Cheers

AJ

PPS as MD5 is now part cracked, if you are truly paranoid, use SHA.

--
www.deployview.com
www.nerds-central.com
www.project-network.com
Re: [PHP] Is this unsecure?
At 4:48 PM +0200 9/5/06, Satyam wrote:
> It doesn't matter that MD5 is not secure or that it can be decrypted (which, in fact, it cannot, since it is a one-way code),

Not that you said otherwise.

It's my understanding that while MD5 cannot be decrypted some encryption can be cracked by matching results. They don't have to work the code backwards.

For example, if I MD5 apple -- it will produce a corresponding code (1f3870be274f6c49b3e31a0c6728957f). If a cracker has a library of dictionary hash codes, it's a simple matter to compare all those hash codes with my code to find a corresponding match, thus exposing apple as the encrypted word.

That's one of the reasons why one shouldn't use a real word as a password.

tedd

PS: I wish my server had php5 for several reasons, including the crack functions -- fascinating

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Is this unsecure?
I didn't mean to contradict anyone, I just meant to make sure that Peter knew that in this case it didn't matter.

Satyam

----- Original Message -----
From: tedd [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Tuesday, September 05, 2006 6:18 PM
Subject: Re: [PHP] Is this unsecure?

> At 4:48 PM +0200 9/5/06, Satyam wrote:
> > It doesn't matter that MD5 is not secure or that it can be decrypted (which, in fact, it cannot, since it is a one-way code),
>
> Not that you said otherwise.
>
> It's my understanding that while MD5 cannot be decrypted some encryption can be cracked by matching results. They don't have to work the code backwards.
>
> For example, if I MD5 apple -- it will produce a corresponding code (1f3870be274f6c49b3e31a0c6728957f). If a cracker has a library of dictionary hash codes, it's a simple matter to compare all those hash codes with my code to find a corresponding match, thus exposing apple as the encrypted word.
>
> That's one of the reasons why one shouldn't use a real word as a password.
>
> tedd
>
> PS: I wish my server had php5 for several reasons, including the crack functions -- fascinating
>
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Is this unsecure?
On 9/5/06, tedd [EMAIL PROTECTED] wrote:
> At 4:48 PM +0200 9/5/06, Satyam wrote:
>
> It's my understanding that while MD5 cannot be decrypted some encryption can be cracked by matching results. They don't have to work the code backwards.
>
> For example, if I MD5 apple -- it will produce a corresponding code (1f3870be274f6c49b3e31a0c6728957f). If a cracker has a library of dictionary hash codes, it's a simple matter to compare all those hash codes with my code to find a corresponding match, thus exposing apple as the encrypted word.
>
> That's one of the reasons why one shouldn't use a real word as a password.

If you are going to validate an e-mail address and a password I think that is a better approach to generate the following hash:

$hash = md5($email . $password);

In this case, there is no way to get the clear password if you know the hash and have a database of hash codes.

--
Saludos
Oscar
Re: [PHP] Is this unsecure?
At 12:10 PM -0500 9/5/06, Oscar Gosdinski wrote:
> On 9/5/06, tedd [EMAIL PROTECTED] wrote:
> > At 4:48 PM +0200 9/5/06, Satyam wrote:
> >
> > It's my understanding that while MD5 cannot be decrypted some encryption can be cracked by matching results. They don't have to work the code backwards.
> >
> > For example, if I MD5 apple -- it will produce a corresponding code (1f3870be274f6c49b3e31a0c6728957f). If a cracker has a library of dictionary hash codes, it's a simple matter to compare all those hash codes with my code to find a corresponding match, thus exposing apple as the encrypted word.
> >
> > That's one of the reasons why one shouldn't use a real word as a password.
>
> If you are going to validate an e-mail address and a password I think that is a better approach to generate the following hash:
>
> $hash = md5($email . $password);
>
> In this case, there is no way to get the clear password if you know the hash and have a database of hash codes.

Yes, and there are lots of different techniques shown in the comments under function MD5 in the php manual.

http://us3.php.net/manual/en/function.md5.php

I think it pays off in terms of security to consider adding additional characters to passwords.

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com