My PHP is not great and I'm a dude with one semester's worth of crypto, so by no means an expert. When evaluating the strength of a crypto system, one typically assumes an adversary has full access to your algorithm and implementation.

I see the line:

    $tmphash = pack('H*', sha1(sin(microtime(1))));

and I think that this is your key. Like I said, my PHP is pretty bad, so please correct me if I am wrong.

If the PHP sha1 function returns a 40-bit hex number, this gives you the key space of WEP. The last time I checked, WEP can be cracked in about 3 minutes. I'm not totally sure if this is based on inherent vulnerabilities in the protocol through information leakage, or if this is because of a super small keyspace. However, 16^40 doesn't seem like a big enough key space for cryptographic security.

Additionally, based on this, all I would need to know is an approximate time that a user generated this request and you would greatly reduce the key space you need to search through. If the microtime() method in PHP actually gives you the current microseconds since the epoch, this would reduce my key search space from whatever 16^40 (PHP output of sha1?) to the number of microseconds in the time frame I feel confident your user received this data from you. I could write a cracker that would run through this keyspace from the time I feel most confident at (the time I sniffed the packet) and back off from there until I hit some sort of a threshold.

You can always play the game of "my algorithm is a secret", but most security professionals I know don't really feel like that is a very valid argument (or a fun game to play). These are just two arguments a dude with a very basic education came across that only address your keyspace.

Don't implement anything like this yourself. It's a bad idea. If you are writing toy programs for a class it's cool, but if this is for any sort of production system whatsoever, I highly recommend using a tried and true cryptosystem.

-Brian J. Stinar-
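The timestamp-driven search the answer above describes, worked through as an added example that is not part of the original question or answer. It re-implements the PHP derivation `pack('H*', sha1(sin(microtime(1))))` in Python (PHP's float-to-string cast, which is what sha1() actually hashes, is approximated with 14 significant digits, PHP's default `precision`), then has an attacker who knows the capture time to within a few seconds walk outward from that guess one microsecond at a time. The question never says how `$tmphash` is used, so the stream cipher, the sample message, the known plaintext prefix and the timestamps are all constructed for this demonstration and are not from the page.

```python
"""Added example: brute-forcing a key seeded from the clock.

Re-implements the PHP derivation
    $tmphash = pack('H*', sha1(sin(microtime(1))));
and shows that an attacker who knows roughly *when* the key was made only
has to try the microsecond timestamps in that window, not 2**160 keys.
The stream cipher, sample message and timestamps below are constructed
for this demo; the original question does not say how $tmphash is used.
"""
import hashlib
import math

PHP_PRECISION = 14  # PHP's default `precision` ini value for float -> string


def php_float_to_string(x: float) -> str:
    """Approximate PHP's float-to-string cast (sha1() receives a string):
    14 significant digits, trailing zeros dropped, like printf("%.14G")."""
    return "%.*G" % (PHP_PRECISION, x)


def derive_key(micros: int) -> bytes:
    """pack('H*', sha1(sin(microtime(true)))) for a clock reading of
    `micros` microseconds since the epoch (microtime(true) is float seconds)."""
    t = micros / 1e6
    s = php_float_to_string(math.sin(t))
    return bytes.fromhex(hashlib.sha1(s.encode()).hexdigest())  # pack('H*', ...)


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in stream cipher, SHA-1(key || counter) blocks. Assumed, not from the page."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha1(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def candidates_in_window(seconds: float) -> int:
    """Number of microsecond timestamps within +/- `seconds` of a guess."""
    return 2 * int(seconds * 1_000_000) + 1


def recover_key(ciphertext: bytes, known_prefix: bytes, guess_micros: int,
                window_seconds: float):
    """Walk outward from the attacker's best time guess one microsecond at a
    time (earlier candidates first, since the key predates the capture) and
    accept the first key whose keystream turns the ciphertext into the known
    plaintext prefix. Returns (key, micros, candidates_tried) or None."""
    max_offset = int(window_seconds * 1_000_000)
    tried = 0
    for offset in range(max_offset + 1):
        candidates = (guess_micros - offset, guess_micros + offset) if offset else (guess_micros,)
        for m in candidates:
            tried += 1
            key = derive_key(m)
            if xor_bytes(ciphertext[:len(known_prefix)], keystream(key, len(known_prefix))) == known_prefix:
                return key, m, tried
    return None


# --- Constructed scenario ----------------------------------------------------
SECRET_MICROS = 1_700_000_000_123_456                 # when the server called microtime()
MESSAGE = b'{"user":"alice","session":"7f3a9c"}'      # constructed sample plaintext
CAPTURED = encrypt(derive_key(SECRET_MICROS), MESSAGE)  # what the attacker sniffed

# The attacker sniffed the packet about 50 ms after the server built the key
# and knows every response starts with '{"user":"'.
ATTACKER_GUESS_MICROS = SECRET_MICROS + 50_000


def demo():
    """Run the search with a +/-2 s window; returns (recovered micros, candidates tried)."""
    result = recover_key(CAPTURED, b'{"user":"', ATTACKER_GUESS_MICROS, window_seconds=2.0)
    key, micros, tried = result
    assert encrypt(key, CAPTURED) == MESSAGE  # recovered key decrypts the whole capture
    return micros, tried


if __name__ == "__main__":
    micros, tried = demo()
    print("recovered timestamp", micros, "after", tried, "candidates")
    print("a +/-10 s window holds", candidates_in_window(10), "candidates; the nominal key space is 2**160")
```

The search succeeds after 100,000 candidates (50 ms in each direction), well under a second on a laptop; a generous ten-second uncertainty window is only about 2 x 10^7 keys, which is what turns a nominal 160-bit key into a trivial brute force. The known-plaintext check is the "threshold" the answer mentions: with a nine-byte prefix a false match within the window is negligible, but a shorter prefix would need a second check on the rest of the message.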