Browsing posts in: Programming

Securing Passwords, One Way Hashes, PBKDF2, PHP and You

Plain text passwords and simple one way hashes are not enough to protect your users. You need salt, pepper, and peanut butter. Am I crazy you ask? Maybe, but read on.

It happens to big huge companies (LinkedIn, Last.fm, eHarmony), the little guys, and everything in between. Databases get breached and passwords get hacked. It always surprises me when I hear about how many thousands of users had the password “password”, or that the target’s password hashes were cracked in a matter of hours or days- or worse, their passwords were plain text. At this point, it is so easy to make passwords pretty secure with just basic knowledge of cryptography and hashing. As a matter of fact, as a competent developer, you don’t need to know much at all about the how’s and why’s of crypto to secure your users’ data.

First, do not think you are safe because you run your passwords through MD5 or SHA-256. MD5 has been cracked and SHA-256 is barely better than storing their passwords in plain text. Cryptograhic hash functions are NOT password hash functions!

One Way Hashing

A one way hash performs a bunch of mathematical operations that transform input into a (mostly) unique output, called a digest. Because these operations are one way, you cannot ‘decrypt’ the output- you can’t turn a digest into the original input. Good cryptographic hash functions should not generate digests that are the same for different input. Additionally, when the input is changed, just slightly, the resulting digest should be very different.

A typical use case would be when a user signs up for a website and creates a password. The conscientious developer takes the plain text password, runs it through a hashing function (let’s say, MD5) and stores the result in the database. When the user goes to log in the next time they enter their password and the authentication mechanism runs it through MD5 and compares the result against what is stored in the database.

That sounds pretty safe, right? Wrong. It’s akin to locking the door and leaving the window open. If the database was stolen it might make it harder to infer anything about the passwords just by looking at the data, but it doesn’t really make it any harder to guess or “crack” the password.

Password Hash Functions

… are not the same as cryptographic hash functions

Just using a cryptographic function on a plain text password doesn’t defend it very well. There a number of major problems and threats that are not being avoided. The two biggest are speed and recognizability of hashes.

Hashing Speed

Cryptographic hash functions are used for lots of things, most of them have to do with fingerprinting and verifying data. They are designed to be very fast so that the encryption processes isn’t slowed down. This presents a big problem for password hashing. Speed. The faster a function creates a digest, the more frequently an attacker can guess the password and compare the output. MD5, for instance, is so fast that on basic hardware you could guess over 5 billion times per second. Think about it for a second, do you need that speed to allow your users to log in? When it takes 15 seconds to enter your username and password, a few second to log in, and a few seconds of perceived page load time, will they notice the difference between .000001 seconds or 1 second for the authentication mechanism? The answer is no, not to enough of a degree to degrade their experience. For password hashing, slower is good.

Recognizability of Hashes

What happens when 10,000 people all use “password” as their password? Their hashes are all the same! If you just get one account cracked, you automatically crack everyone else with the same hash. If an attacker has a huge, precomputed list of hashes (called a rainbow table), they can scan your database looking for any hashes that match. They’ve already cracked accounts without even guessing a password yet! They could have a huge percentage of your system’s passwords before ever once making a guess.

Fortunately though, there are a few relatively easy things you can do to make their life harder. You don’t need to do anything heroic and the code isn’t even that tricky. Heck, most of it already exists and is free to use.

Salting

Talk about low hanging fruit. All you have to do is add some random characters to their password (and keep track of them). A salt is a random sequence of data which is added to the hash function or the password string itself. Say you generated a salt “12345” and had a password “password”, you could put them together “password12345″ and run that through your hash function to produce a digest that wouldn’t be so easily given up. Every password should have its own salt and should be at minimum, 32 characters or more to make it harder to guess the digest.

This is a basic salt generation algorithm. Do NOT use this function for generating salts where you are trying to protect details like credit card numbers, or even email addresses for that matter. It’s a pretty poor implementation, really.

When we create a user password we’ll generate a salt, add it to the password string, hash the password to get a digest, then store the salt and digest in the database. To log the user in subsequently we could use functions like the following:

Password Stretching

Stretching is creating a digest of a digest (of a digest of a digest … of a digest … you get it.) If you create a digest of a password, then create a digest of that X number of times you can no longer simply create a digest (from a rainbow table or otherwise) and compare it directly to the digest that is stored in the database. To compare passwords you’ll have to run the exact same number of iterations if hashing digests to compare passwords. This is useful on multiple fronts: it slows things down and (in conjunction with salted passwords) your hashes no longer look the same as everyone else’s. It stands to reason that if hashing a password once takes X amount of time, hashing it twice will take approximately 2X. You’ve just cut in half the number of times an attacker can guess your passwords. Congratulations! A good system takes so long to process a single digest that guessing a password using brute force will take more than a lifetime.

Let’s modify our password hashing function:

Notice that I have re-salted every hash to add extra randomization to the digest… just another wrinkle to throw at an attacker.

Pepper

Additionally, you can have an application wide salt, called a pepper. Think of it as a salt for the salt, except this salt is unique only to the application, server, environment, or database.
You could use it like that hash('sha256', $pepper . $password . $salt);

Adaptive Key Derivation

Adaptive key derivation functions generate digests from passwords while applying salts and stretching. They implement many more wrinkles and are tested against attack vectors you may never think of- which is the important part. They are tested against attack vectors. Rolling your own cryptographic functions introduce a lot of unnecessary exposure and take more time than using generally accepted libraries, implementations and functions. I’m going to focus on the one I know best, PBKDF2. There are others such as bcrypt and mcrypt

Peanut Butter Keeps Dogs Friendly Too

PBKDF2 (Password-Based Key Derivation Function) is probably the most widely used derivation function. It is a container for a hash function, e.g. SHA-1 or RIPEMD,. For each input it applies a salt and iterates the hash many times in such a way that not much entropy (length and randomness) is lost. Primarily, it is done in such a way that it is SLOW to generate a single digest. The US government and NSA use this for generating strong encryption keys.

Adaptive keys are great first step, but remember, this is one tiny piece of securing user data.

Below is a very basic class I created that can be used for generating salts and digests through a variety of ways. You can download it here. This file will be updated regularly, so stay in touch!


Changing Created By or Author Property in SharePoint 2007

After a frustrating experience, I’d like to share the ‘secret’ of updating the Created By and/or Author SPListItem system property. I was trying set the Created By and/or Author SPListIem system property but found that the changes didn’t take and my object’s values were reset after calling SPListItem.Update();

The Wrong Way

If you’re like me, you probably assumed something similar to this would work just fine:

Not so fast my friend! If you trace/quickwatch your variables you’ll notice that your Created By property is reset after the update. Why? Because you didn’t set all the necessary properties. Oh, you didn’t know you had to set other properties at the same time to get Created By or Author to stick? Neither did I, until now…

The Right Way

Maybe not the correct way, but the way I got it to work:

That’s right, to successfully save the Created By property you must also set the Modified By and Modified properties AND call SPListItem.UpdateOverwriteVersion() to get the Created By property to actually save your new value. Hopefully you find this post sooner than I found my answer.


NSLog Conditionally in Debug Mode and NSLog Macros

Using Objective-C Macros to Conditionally Log

During the course of developing and debugging my first iOS apps I’ve realized that there has to be at least a semi-decent way of using log statements for debugging messages as well as error messages without a lot of code overhead and manual changes when switching between building for Release and Debug.

Using macros and compiler settings, you too can quickly separate the statements out and streamline your debugging/logging code.

Creating Your Macros

Find the -Prefix.pch header file for your project and open it for editing. If your project’s name is MyProject you will look for MyProject-Prefix.pch.

Add the following lines to the end of your Prefix header file:

What We Did

I have prefixed each macro with Ash so that there is no confusing them as macros I created. As you can also see, we have created a few different ways to log. We have a standard wrapper for NSLog that we will call instead of NSLog that will only fire if we’ve built using a debug mode flag. We also have two different methods for creating detailed log messages on the fly that will include our log message along with the function and line number the message originates from. The nice thing about these macros is that you can easily change the string format to log in any way that you want.

XCode Settings

  1. Select your project in the Xcode explorer/left pane

    XCode Project

    Xcode 4.2

     
  2. Select Build Settings in the Xcode center window
  3. Search for preprocessor in the Build Settings section and add DEBUGGING as a Debug Preprocessor Macro.

    Xcode Preprocessor Build Settings

    Set the Debug preprocessor settings


Three20 and Xcode 4 – How to solve Three20.h not found

Update: 18-Feb-2012

Even after the upgrade I have found that certain builds and project settings were flaky. To improve your build speed and reduce all the configuration hassles of using Three20 and Xcode 4 together, check out my latest blog post on Building Static Libraries

Update: 05-Feb-2012

After upgrading to Three20 1.0.6.2 and following the basic install instructions here, I had no problem building without changing any project settings. Your mileage may vary, however.

I’d still consider myself rather novice to the world of iOS development and the transition from Xcode 3 to Xcode 4 has thrown me for a loop in a few areas. I’ve grown to like storyboards and find Xcode as an IDE to be getting better, but there are some things that drive me nuts. For instance, spending the better part of a day trying to figure out how to get Three20 to work in my project (that was working JUST fine under Xcode 3!).

First!

Follow the instructions provided by Three20 to get yourself oriented with what is going on.

Getting the Build Option to Work:

  • In the Project Navigator view, do the following for each of the Three20 projects (e.g. Three20, Three20Core, etc):
  • Click on the project
  • Go to Build Settings
  • Go to the Deployment section and make sure Skip Install is set to YES for all the configurations (Debug, Internal, Release)
  • Click on the project’s target (under the Targets section) and double check that Skip Install is set to YES for each configuration as well
  • Make sure to repeat these steps in each Three20 project in your project tree

Configuring Build Settings

  • In the Project Navigator view, select your project and then Build Settings
  • Add the two following entries to the Header Search paths and make them the first entries in the list:
    • $(BUILT_PRODUCTS_DIR)/../three20
    • $(BUILT_PRODUCTS_DIR)/../../three20
  • Make sure to set it both in Release and Debug configurations, and that the same build settings appear in your project’s target

Setting the Build Location

Go to Xcode4 Preferences [Cmd + ,] > Locations > Derived Data > Advanced and select Place build products in derived data location.

Clean your project, then build it. Voila.


Authentication Using WordPress and Zend Framework

I recently had the need to implement a Zend Framework web app that could authorize against WordPress without necessarily using WordPress as the front end. I was very relieved to find out it was quite easy to do!

In your application’s index.php (typically found at public/index.php) you need to include the WordPress header file to make sure you have access to the WordPress functions later in your application:

I have the following code in my LoginController.php (application/modules/public/controllers/LoginController.php) file.

doWordpressAuth function

IndexAction


How to Specify Non-String PHP Data Types in Zend Config XML and INI Files

Zend Config INI and Zend Config XML are adapters in the Zend Framework that allow you to store your application or website configuration data (such as database connector information and salt values) in an easy to interpret text file (I happen to prefer INI files over XML because INI is more terse).

The biggest downside to these files is that they don’t store PHP data types or values like NULL, FALSE, or TRUE, and you can’t specify an int, double, or float, the adapters only return strings.

Here is the recursive code for converting all your values:

Here is how I use it in my Bootstrap.php file in my Zend Framework application:

The following config file will end up looking like the following array (before turning it into a Zend_Config object)


Using mysqli Extension to Query MySQL from PHP Instead of the mysql Extension

I was answering a very basic question on stackoverflow today that boiled down to “How do I query mysql from PHP using a user input” and was horrified to see the first two answers.

The first answer went along the lines of:
[code=”php”]
$result = mysql_query(“SELECT * FROM table WHERE field = ‘”. $_POST[‘input’] .”‘”);
while($row = mysql_fetch_array($result)){
//do stuff
}
[/code]

This is bad. Very bad. Very, very bad.
This is the kind of thing that allowed (maybe a bit of hyperbole, but stick with me) Sony to be brought to its knees. This is how all your user data gets stolen. This is how Anonymous makes you look like a fascist who wants to eat babies. It’s bad. It did come from someone with a pretty low score on SO, but I’m living proof that a low score on SO doesn’t mean you don’t know what you’re doing.

Why?

The first MAJOR problem is: You are taking direct, unsanitized user input. You have not validated that the input is correct, even relates to what you are having them input, or is safe.
By taking direct input straight from the user (by directly using the $_POST variable nonetheless) they could attack via sql injection at worst, and the $_POST field may not exist, giving you an error, at best.

The second problem is the use of the mysql extension in PHP. According to the manual, the mysql extension should only be used in 4.1.3 and lower, anything newer should be using mysqli for improved performance and security.

I have heard there are some issues with mysqli in certain cases that essentially require the use of the mysql_ extension to get around them. As far as I know, these are few in number and getting better by the day. I personally, haven’t ever had a problem with mysqli.

On to a more correct example:
[code=”php”]
$db = new mysqli(“localhost”,”user”,”password”,”database”);

if(mysqli_connect_error())
{
printf(“Connection failed:%s \n”,mysqli_connect_error());
exit();
}

$input = mysqli_real_escape_string($db, $_POST[‘search’]);

/*
* Validate that $input is correct after escaping
* Implement your validation below!
*/

if($result = $db->query(“SELECT * FROM table WHERE field = $input”, MYSQLI_ASSOC))
{
while($row = $result->fetch_object())
{
// $row is an associative array
// Do something here
}
}
$db->close();
[/code]

What’s better about this code?

First, it’s not perfect. You could pick it apart, but it’s a good example of where to start and I wrote it in about 45 seconds.
It shows:

  • Connecting to the mysql database
  • Ensuring a connection occured and handling the mysql connection error
  • Querying the database
  • Escaping user input AND THEN validating
  • Iterating through the mysql results
  • Closing the database connection (people never remind beginners to do this)!

The basics shouldn’t be so complicated that it takes two months to make heads or tails of what your code really does (I’m looking at you Zend Framework), but it should start with a good explanation of the big picture.


Adding HTML Tags to a Zend Form Element

For the purposes of styling I had the need to put an opening <div> at the beginning of one element, and a closing </div> tag at the end of another. The Zend Framework guides don’t do a great job of detailing this.

On the element you want to add the opening div tag you would do the following:
[code=”php”]
$open_element->addDecorator(array(
array(‘openDiv’ =>’HtmlTag’),
array(‘tag’ => ‘div’, ‘openOnly’ => true)
));
[/code]

On the element you want to add the closing div tag:
[code=”php”]
$close_element->addDecorator(array(
array(‘closeDiv’ =>’HtmlTag’),
array(‘tag’ => ‘div’, ‘closeOnly’ => true)
));
[/code]


CSS and JavaScript File Versioning to Force Refreshing of Your User’s Cache

When you push updates to your site or web app, you may notice issues with users’ cache still holding onto the old version of CSS and JavaScript files. An easy way to force a reload of the files is to call them with a version number in the request like so:
[code=”html”]

[/code]

When you update the version of the file it will force the file to reload. This is very handy because you can extend the length of time of the cache on the user’s end or the server and force a reload when an update occurs without any special tricks.


Custom Username Validator Using Zend_Validate_Abstract for Zend Framework

Do you find yourself having to use multiple steps to validate a new username? If you’ve got a create user screen, or some other form that requires the creation of a username (or some other input that must be unique and is in a datastore), you can create a custom validator that uses a database mapper to validate that the input is unique.

First step, create a lookup method in your mapper (or whatever class you use for datastore access) that will query your datastore to verify the input is unique. In this case, I’m using a MySQL database backend and am using a mapper/model hierarchy and am only showing the relavant function from my mapper class.

[sourcecode=”php”]

public static function isRegisteredUser($username)
{
try
{
$table = new Ashurex_Model_DbTable_UserView();
$stmt = $table->select()
->where(‘username = ?’)
->bind(array($username));

$row = $table->fetchRow($stmt);

if(!($row == null))
{
return true;
}
else
{
return false;
}
}
catch(Exception $e)
{
self::logException(__METHOD__,$ex);
return null;
}
}

[/sourcecode]

Next, we’ll create a custom validator that extends Zend_Validate_Abstract and utilizes our mapper function during validation.

[sourcecode=”php”]
class Ashurex_Validate_Text_Username extends Zend_Validate_Abstract
{
const INVALID = ‘textInvalid';
const NOT_NAME = ‘notName';
const STRING_EMPTY = ‘textStringEmpty';
const STRING_LENGTH = ‘textStringLength';
const NAME_TAKEN = ‘textNameTaken';

protected static $_filter = null;
protected $_allowEmpty;

protected $_messageTemplates = array(
self::INVALID => ‘Invalid characters entered’,
self::NOT_NAME => ‘Input contains characters not valid for a username’,
self::STRING_EMPTY => ‘No input entered’,
self::STRING_LENGTH => ‘Username must be between 6 and 64 characters’,
self::NAME_TAKEN => ‘Username is already taken’
);

public function isValid($value)
{
// Make sure a value was entered
if(($value == null)||($value == ”))
{
$this->_error(self::STRING_EMPTY);
return false;
}

// The value must be a string
if (!is_string($value)) {
$this->_error(self::INVALID);
return false;
}

// Set the internal value to the input
$this->_setValue($value);

// Validate that the input is alphanumeric
$al = new Zend_Validate_Alnum();
if(!$al->isValid($value))
{
$this->_error(self::INVALID);
return false;
}

// Validate that the string length meets requirements
$sl = new Zend_Validate_StringLength(array(‘min’ => 6,’max’ => 64));
if(!$sl->isValid($value))
{
$this->_error(self::STRING_LENGTH);
return false;
}

// Make sure the username doesn’t already exist
if(Ashurex_Model_Mapper_User::isRegisteredUser($value))
{
$this->_error(self::NAME_TAKEN);
return false;
}

return true;
}
}
[/sourcecode]

Finally, we can use our new validator just as we would any other validator. The following code is an excerpt from my custom create user form:
[sourcecode=”php”]
class Ashurex_Form_Admin_AddUser extends Zend_form
{
public function init()
{
$this->setName(‘add_user_form’);
$this->setMethod(‘post’);

$username = new Zend_Form_Element_Text(‘username’);
$username->setFilters(
array(
new Zend_Filter_StringTrim(),
new Zend_Filter_StringToLower(),
));
$username->setValidators(
array(
new Ashurex_Validate_Text_Username(),
));
$username->setRequired(true);
$username->setLabel(‘Username’);

… lots of other code follows …

}
}

[/sourcecode]


Pages:12