Announcement

Collapse
No announcement yet.

MD5 Hashing Insecure

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • MD5 Hashing Insecure

    Hi,

    Why does Scriptcase only permit the use of MD5 cryptographic hash function when it has been known for years that it has is been severely compromised and all authorities warn AGAINST its use.

    My applications require the use of either SHA-256 or SHA-512 with salting. Why doesn't ScriptCase accommodate these secure functions. How do I incorporate these functions into my ScriptCase applications?

    Regards, John

  • #2
    The only spot I know of is the security module which uses MD5. MD5 is a standard php function. But it's fairly simple to go to the ide-created logon module and change the MD5 to what you want.
    Albert Drent
    aducom software netherlands
    scriptcase partner, reseller, support and (turn-key) development
    www.scriptcase.eu / www.scriptcase.nl

    Comment


    • #3
      you can always modify the forms created by the security module to use the sha encryption you need.

      for example in the sec_form_add_users form that scripcase creates automatically you can change the md5() function to whatever you want.

      I would recommend to use php default functions.

      http://php.net/sha1

      Regards.

      Comment


      • #4
        Originally posted by JohnMMM View Post
        Hi,

        Why does Scriptcase only permit the use of MD5 cryptographic hash function when it has been known for years that it has is been severely compromised and all authorities warn AGAINST its use.

        My applications require the use of either SHA-256 or SHA-512 with salting. Why doesn't ScriptCase accommodate these secure functions. How do I incorporate these functions into my ScriptCase applications?

        Regards, John

        NetMake is severely behind the times, I do not think they have anyone on staff with any knowledge of this century's crypto requirements.

        This can be verified by simply looking at the encryption used when you pay for ScriptCase: test NetMake Server

        I wrote the security module for use in our Payroll System using SHA256 with salt, and we will probably move to SHA512 soon.

        Dave
        Last edited by daveprue; 02-16-2015, 12:21 AM.
        Dave Prue
        Code Whisperer
        Lahar International Corp
        www.lahar.net

        Comment


        • #5
          Dave! add us a huge favor all, a tutorial how to do that in current scriptcase security module
          I'm sure scriptcase guys will not care or even add it to their module, moreover, you for sure deserver $$ for it which they will not doe
          but I'm sure many people here will appreciate and pray for your efforts dear

          Comment


          • #6
            Mike,

            I will make it available to all on my web server in the next day or two.

            Dave
            Dave Prue
            Code Whisperer
            Lahar International Corp
            www.lahar.net

            Comment


            • #7
              thanks Dave that would be great

              Comment


              • #8
                Dave,

                Make that double thanks. Could you post a link where this tutorial may be available?

                Regards, John

                Comment


                • #9
                  A good start is to look into the available php functions like

                  http://php.net/manual/en/function.hash-init.php

                  As in Scriptcase the standard MD5 function is used, it's not that hard to replace that by another function.
                  Albert Drent
                  aducom software netherlands
                  scriptcase partner, reseller, support and (turn-key) development
                  www.scriptcase.eu / www.scriptcase.nl

                  Comment


                  • #10
                    Originally posted by aducom
                    A good start is to look into the available php functions like

                    http://php.net/manual/en/function.hash-init.php

                    As in Scriptcase the standard MD5 function is used, it's not that hard to replace that by another function.
                    Yes, in the most simple terms, that is true. In addition though (to do it properly), you need methods to create and store good random salt values, unique for each password. I also did quite a bit of work to support rock solid userid creation with email delivery of activation codes, and lots of work to support a reliable password reset mechanism. Of course while I was at it I fixed all the broken session handling as well.

                    The delay in me making it available is that I have to create a new project, import the security related apps from my project, clean them up and insert copyright notices, etc.

                    A bit of background, so that you can understand the system where my security code currently resides. My application is a Cloud Based Human Resources and Payroll System. Customers subscribe and become an "account". An account has one or more "companies" and some number of "users" - account administrators, company administrators, payroll clerks, managers, and employees. Each "company" has a unique database of identical structure. The "users" that belong to an "account" can access one or more "companies" depending on their role. The Account Administrators can add users to their account. Company Administrators can enable log in for any "employee" of that company. Accounts have maximum number of companies, users and employees, based on the plan that they subscribe to.

                    I will probably pull out most of the account/database related stuff, but if anyone in particular needs to do anything like this, I can make some of it available to them.
                    I will let you know when I have it ready.

                    Dave
                    Last edited by daveprue; 02-17-2015, 06:01 AM.
                    Dave Prue
                    Code Whisperer
                    Lahar International Corp
                    www.lahar.net

                    Comment


                    • #11
                      That is indeed marvelous job Dave, I'm sure you've worked hard to reach to this extend. At your own freedom to share the code, as I said earlier, maybe SC guys will not care, but for sure we will appreciate.

                      Albert, you are right about the function, many other stuff can be added as well, we are targeting a lot of people in Dave's addition, specially for those are not familiar with these terms and for those who can't "easily" apply the same in SC, not everybody has same experience after all.


                      Regards

                      Comment


                      • #12
                        No Mike, you're right. But it depends on your need so the function I showed is usable as a replacement for the current MD5 call.

                        However, if you need more advanced security then Dave's solution comes in hand. But to have a random unique salt for each password would need to store the salt somewhere in the database? Then it wouldn't make sence, but it makes me curious to his solution.

                        Regarding the rest, the generated security module of scriptcase is indeed limited and like Dave I have my own solution(s) depending on my security needs, multi group assignment for one thing.

                        If people are not so familiar with php and need to stick to the module of SC itself then replacing the MD5 by a better function would be the way to go.
                        Albert Drent
                        aducom software netherlands
                        scriptcase partner, reseller, support and (turn-key) development
                        www.scriptcase.eu / www.scriptcase.nl

                        Comment


                        • #13
                          Albert,

                          Originally posted by aducom View Post
                          No Mike, you're right. But it depends on your need so the function I showed is usable as a replacement for the current MD5 call.

                          However, if you need more advanced security then Dave's solution comes in hand. But to have a random unique salt for each password would need to store the salt somewhere in the database? Then it wouldn't make sence, but it makes me curious to his solution.
                          We are talking about two very different things here.

                          Hacking into a password protected website is what we are trying to prevent. Protecting the Database Server is a different topic entirely.

                          Salting prevents the use of rainbow tables to create hash collisions. A hash collision is caused when a password (the original or some other password) generates the same hash. Since the hashing algorithm is one direction only, hackers use tables of every possible hash code, and a password that will generate that hash code. These tables are readily available for MD-5. Take a look here

                          Re-using a salt is very bad practice, salts should change every time a password changes, so that even if two loginIDs are using the same password on the system, their hash codes are different.

                          Storing the unique salt in the user table is widely accepted practice in the cryptographic community. Think of it this way - if you have 4096 bits of hash and 2048 bits of salt both store in the same record, then it is essentially the same as storing 6144 bits of hash (except of course for the math).

                          If somebody has hacked into your database server (totally different problem than hacking into the website), then they already have gained access to all your precious data. They do not need to bother to hack into the website itself. Still, however, even if they get the salt and hash, they cannot readily create a matching password, whereas a compromised MD-5 hash with no salt can be used to create a working password easily.

                          Dave
                          Last edited by daveprue; 02-18-2015, 12:26 AM.
                          Dave Prue
                          Code Whisperer
                          Lahar International Corp
                          www.lahar.net

                          Comment


                          • #14
                            Dave, tnx for your explanation. You absolutely have a good point there, never thought of that.
                            Albert Drent
                            aducom software netherlands
                            scriptcase partner, reseller, support and (turn-key) development
                            www.scriptcase.eu / www.scriptcase.nl

                            Comment


                            • #15
                              hi guys, I was looking into this and did a small test like took the hash of my admin user in mysql test project and put it on some online website and grrrr gave me the password in free-text like dycpting it easily

                              any finally tutorial that shows us how to use sh1 or any other useful hashing/protecting users password with better than md5 that tutorial will help everybody after all

                              Comment

                              Working...
                              X