Paid Advertising is
ha.ckers sla.cking
Whether this is about, or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Is this encryption method secure?
Posted by: Ben
Date: March 05, 2010 07:23PM

Okay, so I'm using PHP and want to make an encryption method for storing a random value in the user's cookie as a method of authentication so they don't need to log back in every time they visit the site. Would the code below be secure?

$salt = "some random characters I made up";
hash('sha256', $salt.microtime(true).mt_rand(10000000,99999999));


Options: ReplyQuote
Re: Is this encryption method secure?
Posted by: Matt Presson
Date: March 05, 2010 08:38PM

From the code snippet here, it appears that the salt is static so all I would need to do is login one time and I have the "salt" for every user's cookie (not good). Second I can look at the time the cookie was created and get pretty close to the correct time that the user logged in so that would give me the second part of the cookie (not good). The last part is what really makes the "attack" infeasible but still, with enough resources it could also be brute forced.

If you do not want users to have to log in, generate a session cookie and simply set the expire attribute to some date in 2056 or something way far out. Let the application generate your cookie. Don't reinvent the wheel.


Options: ReplyQuote
Re: Is this encryption method secure?
Posted by: SAS
Date: March 08, 2010 07:15PM

If you reason like; As long as I don't understand what I am doing, plus adding some pseudo complexity that might actually weaken it beyond your scope because of the false assumption that more insecure seeding is better than no seeding at all, frankly the answer would be: No.

Options: ReplyQuote
Re: Is this encryption method secure?
Posted by: gat3way
Date: March 23, 2010 01:45PM

Actually, microtime(true) returns a float value in seconds and by looking at the cookie expire time and lifetime, you will obtain the integer part only. You need to bruteforce the number after the floating point (10^6 possible ones) and you have 9*10^7 possible mt_rand()-generated values. Bruteforce will take at most 9*10^13 (90 quadrillion) tries which is rather much for a bruteforce attack to be useful. Given the fact you make a HTTP request per try, bruteforce attack is completely unpractical.

And yes, the salt does not have any real security value since it's static. Anyway, with or without the salt, this is secure as bruteforce attacks are not practical.

Edited 1 time(s). Last edit at 03/23/2010 01:46PM by gat3way.

Options: ReplyQuote

Sorry, only registered users may post in this forum.