Topic: Of interest to web database developers


Offline toasty0
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline FPF-SCM_TraceyG_XC
Re: Of interest to web database developers
« Reply #1 on: September 16, 2005, 10:51:57 pm »
The page cannot be found

 :-[
Captain FPF-TraceyG, Federation Protection Fleet


SFC2.net Admin member
SFC3.net Admin member
Voting member of the DGA
Member of XenoCorp, Squadron Commodore

Offline toasty0
Re: Of interest to web database developers
« Reply #2 on: September 16, 2005, 10:59:07 pm »
Quote from: FPF-SCM_TraceyG_XC on September 16, 2005, 10:51:57 pm
The page cannot be found

 :-[
It is a slow load...but just in case it is an IP location block I'll cut&paste.


Microsoft Scraps Old Encryption in New Code
September 15, 2005

By Paul F. Roberts
Microsoft is banning certain cryptographic functions from new computer code, citing increasingly sophisticated attacks that make them less secure, according to a company executive.

The Redmond, Wash., software company instituted a new policy for all developers that bans functions using the DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which is becoming "creaky at the edges," said Michael Howard, senior security program manager at the company.



MD4 and MD5 are instances of the Message Digest algorithm that was developed at MIT in the early 1990s and uses a cryptographic hash function to verify the integrity of data.

The algorithms are used to create digital signatures and check the integrity of information passed within Microsoft Corp.'s products.


DES (Data Encryption Standard) is a cipher that is used to encrypt information that is used in many networking protocols.

All three algorithms show signs of "extreme weakness" and have been banned, Howard said.

Microsoft is recommending using the Secure Hash Algorithm (SHA)256 encryption algorithm and AES (Advanced Encryption Standard) cipher instead, he said.

The change is part of a semi-yearly update to Microsoft's Secure Development Lifecycle policies by engineers within Microsoft's Security Business & Technology Unit.


Developers who use one of the banned cryptographic functions in new code will have it flagged by automated code scanning tools and will be asked to update the function to something more secure, Howard said.

Eventually, the company will also remove vulnerable cryptographic functions from older code, though that will take longer, he said.

"Threats are constantly evolving, so it's important to stay one step ahead," he said.

"It's about time," added Bruce Schneier of Counterpane Security Inc.

Microsoft should have ended use of DES, MD4 and MD5 "years ago," and is only being prudent in doing so now, Schneier said.

However, the company's "case by case" approach to banning SHA1 is more aggressive, considering that theoretical attacks on that algorithm only appeared in February, Schneier said.


The theoretical attacks on SHA0 and SHA1 were developed by Chinese researchers and have some experts predicting that those algorithms will soon be considered too vulnerable to rely on.

The NIST (National Institute of Standards and Technology) has scheduled a workshop in October to discuss alternatives to SHA1.

Using vulnerable encryption algorithms could expose sensitive data in Microsoft systems. But attacks on those algorithms are still unlikely, given other, easier to exploit holes in the software, Schneier said.

"There's just so much that's worse," he said of the other security holes.


Copyright (c) 2005 Ziff Davis Media Inc. All Rights Reserved.


Offline FPF-SCM_TraceyG_XC
Re: Of interest to web database developers
« Reply #3 on: September 16, 2005, 11:55:30 pm »
Interesting... I wonder how much this will affect someone using mySQL and php.

Offline toasty0
Re: Of interest to web database developers
« Reply #4 on: September 17, 2005, 09:32:07 am »
I think it is clearly an issue for everyone. Here is just one example why: http://www.codeproject.com/useritems/HackingMd5.asp

Offline Bonk
Re: Of interest to web database developers
« Reply #5 on: September 17, 2005, 12:03:07 pm »
Most websites receive the passwords used as plain text then hash them for storage in the database. Unless the server is running on SSL there is no encryption client side. This would have more implications for OpenSSL and the like, but I'm pretty sure they're already up to snuff on this or beyond it.

http://www.openssl.org/

SMF uses the MD5 hash on passwords for storage in the db. But the password is sent in plain text anyway, run a sniffer on our network and you could pick up all the passwords. Pretty sure no one cares that much though. I suppose I could implement SSL and make Dynaverse.net a secure site, but I'm not sure the server will handle the load of encrypting and decrypting all transmissions - it might though, I'd have to try it and see...

http://www.php.net/manual/en/security.database.storage.php
http://www.php.net/manual/en/ref.mhash.php

PHP is capable of SHA256 encryption.

MySQL 4.1.0 uses a 45 byte password hash,
http://dev.mysql.com/doc/mysql/en/password-hashing.html

But unless you are connecting over SSL or another secured connection this does not really make any difference.

This probably affects things like password protected word documents and the like the most.

Not many implications for php-mysql applications; SSL is where the security is for web applications, pretty much separate from php and MySQL, though the support is there:

http://www.php.net/manual/en/ref.ssh2.php
http://www.php.net/openssl

http://dev.mysql.com/doc/mysql/en/secure-connections.html

Not really a concern for your average php-mysql gaming forum.
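Added example, not code from SMF, PHP or MySQL: the three storage schemes the post above touches on, side by side in Python so the difference can be run rather than argued. Unsalted MD5 (as the post describes SMF doing), the MySQL 4.1 PASSWORD() construction from the linked manual page, and a salted, iterated SHA-256 scheme (PBKDF2-HMAC-SHA256). The user table and word list are constructed; two users deliberately share a password. Whatever the scheme, it only protects the copy at rest; it does nothing about the plaintext crossing the wire without SSL.

```python
"""Password storage schemes compared: unsalted MD5, MySQL 4.1 PASSWORD(),
and salted iterated SHA-256. Added example with constructed data."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample users; alice and bob share a password on purpose.
USERS: Dict[str, str] = {
    "alice": "password",
    "bob": "password",
    "carol": "Enterprise1701",
}
WORDLIST: List[str] = ["123456", "password", "letmein"]  # constructed


def md5_store(password: str) -> str:
    """Unsalted MD5 of the password: identical passwords give identical rows."""
    return hashlib.md5(password.encode()).hexdigest()


def mysql41_password(password: str) -> str:
    """MySQL 4.1 PASSWORD(): '*' followed by upper-case hex SHA1(SHA1(password)).

    Still unsalted, so it shares the table-wide weaknesses of plain MD5."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


ITERATIONS = 100_000  # cost per guess; tune to the server


def salted_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus iterated SHA-256 (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def salted_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def md5_table() -> Dict[str, str]:
    return {u: md5_store(p) for u, p in USERS.items()}


def salted_table() -> Dict[str, str]:
    return {u: salted_store(p) for u, p in USERS.items()}


def shared_passwords_visible(table: Dict[str, str]) -> bool:
    """True if anyone reading the table can tell that two users share a password."""
    values = list(table.values())
    return len(values) != len(set(values))


def crack_unsalted(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """One precomputed lookup cracks every user at once; a salt forces per-user work."""
    lookup = {md5_store(w): w for w in wordlist}
    return {u: lookup[h] for u, h in table.items() if h in lookup}


if __name__ == "__main__":
    print(md5_table())
    print("shared password visible (md5):   ", shared_passwords_visible(md5_table()))
    print("shared password visible (salted):", shared_passwords_visible(salted_table()))
    print("cracked from md5 table:", crack_unsalted(md5_table(), WORDLIST))
```

The dictionary attack in `crack_unsalted` is the practical reason salting matters more than the choice between MD5 and SHA-256 for a forum database: with no salt, one table of precomputed digests is checked against every user in a single pass, and the MySQL 4.1 format has the same property.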

Offline toasty0
Re: Of interest to web database developers
« Reply #6 on: September 17, 2005, 09:44:40 pm »
Quote from: Bonk on September 17, 2005, 12:03:07 pm

That's odd. I always assumed everyone does it like the suggested ASP.NET model and hashes PWs and such on the client side when a user submits it.

Offline Bonk
Re: Of interest to web database developers
« Reply #7 on: September 18, 2005, 01:12:21 pm »
Quote from: toasty0 on September 17, 2005, 09:44:40 pm
That's odd. I always assumed everyone does it like the suggested ASP.NET model and hashes PWs and such on the client side when a user submits it.

That can only happen with SSL which is unrelated to the scripting language used.

Offline toasty0
Re: Of interest to web database developers
« Reply #8 on: September 18, 2005, 01:21:36 pm »
*raised eyebrow*

Maybe we're talking about two different things then.

Offline Bonk
Re: Of interest to web database developers
« Reply #9 on: September 18, 2005, 04:38:32 pm »
So it would seem.

I suspect you are describing what one should do with applications separate from compliant web browsers. i.e. an application or plugin that a user downloads and installs that interacts with a web database. I imagine one might be able to write a SHA256 encryption javascript to run in compliant browsers (as painful as that would be), but many users have javascript totally disabled, so it would not be reliable.

To secure web browser traffic one must use a standard SSL implementation. Unless there is some other standard web browser function to encrypt submitted form data of which I am unaware?

Offline toasty0
Re: Of interest to web database developers
« Reply #10 on: September 19, 2005, 12:53:20 am »
Sorry, this example is only for a hashed pw. When I get a bit more time this week I'll go through my code and/or some texts for better examples of encrypted pw that are done on the client machine then passed back to the server.

This is written with C# (but could be accomplished in any .Net language including C++) and no javascript was used for this particular method.

Code: [Select]
// ASP.NET code-behind; needs: using System.Web.Security;
// UserPass is the form's password input control. The helper accepts only
// "SHA1" or "MD5" and returns an unsalted upper-case hex digest.
string hashedpwd =
    FormsAuthentication.HashPasswordForStoringInConfigFile(UserPass.Value, "SHA1");
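Added example in Python, not the thread's ASP.NET code: it models the exchange the last few posts are arguing about. FormsAuthentication.HashPasswordForStoringInConfigFile lives in System.Web.Security and runs in server code-behind, producing an unsalted hex digest; the example assumes a client that computes the same SHA1 digest before submitting it, a server table holding that digest, and an observer on an unencrypted connection. It shows that the digest on the wire is as good as the password to whoever captures it, that a server-issued nonce stops the replay but still leaves the captured response open to offline guessing, and therefore why transport encryption is still needed. Accounts, passwords and the word list are constructed.

```python
"""Client-side hashing against a wire sniffer, modelled end to end.
Added example with constructed accounts; not code from the thread or ASP.NET."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA1, the same shape as the ASP.NET helper's output."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed server-side account table: user -> SHA1(password), unsalted.
SERVER_DB: Dict[str, str] = {"toasty0": sha1_hex("trustno1")}


# --- Scheme 1: client hashes, sends the digest, server compares -------------

def client_login_message(user: str, password: str) -> Dict[str, str]:
    """What crosses the wire: the digest stands in for the password."""
    return {"user": user, "token": sha1_hex(password)}


def server_accepts(msg: Dict[str, str]) -> bool:
    stored = SERVER_DB.get(msg["user"])
    return stored is not None and hmac.compare_digest(stored, msg["token"])


def sniffer_replays(captured: Dict[str, str]) -> bool:
    """Whoever saw the message resends it unchanged; the password is never needed."""
    return server_accepts(dict(captured))


# --- Scheme 2: server nonce, client answers HMAC(digest, nonce) -------------

OUTSTANDING: Set[str] = set()  # nonces issued but not yet used


def server_challenge() -> str:
    nonce = os.urandom(16).hex()
    OUTSTANDING.add(nonce)
    return nonce


def client_response(user: str, password: str, nonce: str) -> Dict[str, str]:
    key = sha1_hex(password).encode()
    mac = hmac.new(key, bytes.fromhex(nonce), "sha256").hexdigest()
    return {"user": user, "nonce": nonce, "response": mac}


def server_verify_response(msg: Dict[str, str]) -> bool:
    """Each nonce is accepted once, so a captured response cannot be replayed."""
    if msg["nonce"] not in OUTSTANDING:
        return False
    OUTSTANDING.discard(msg["nonce"])
    stored = SERVER_DB.get(msg["user"])
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), bytes.fromhex(msg["nonce"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, msg["response"])


def sniffer_guesses_offline(captured: Dict[str, str], wordlist: List[str]) -> Optional[str]:
    """Replay fails, but nonce and response are both public, so every guess
    can be checked offline without ever touching the server."""
    nonce = bytes.fromhex(captured["nonce"])
    for guess in wordlist:
        mac = hmac.new(sha1_hex(guess).encode(), nonce, "sha256").hexdigest()
        if hmac.compare_digest(mac, captured["response"]):
            return guess
    return None


if __name__ == "__main__":
    msg = client_login_message("toasty0", "trustno1")
    print("login accepted:            ", server_accepts(msg))
    print("sniffer replay accepted:   ", sniffer_replays(msg))
    nonce = server_challenge()
    resp = client_response("toasty0", "trustno1", nonce)
    print("challenge login accepted:  ", server_verify_response(resp))
    print("replayed response accepted:", server_verify_response(resp))
    print("offline guess from capture:", sniffer_guesses_offline(resp, ["password", "trustno1"]))
```

In scheme 1 the stored digest is password-equivalent: a sniffer does not need to reverse SHA1 to log in, and a copy of the table is a copy of every credential. Scheme 2 closes the replay but not the sniffer's offline dictionary attack against a weak password, and the server still holds a password-equivalent key. Neither gives the confidentiality that SSL gives to the whole submission, which is the point Bonk makes above.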