RSS

Tag Archives: php

The mathematical effectiveness of salt and hash (using sha1)

I have been heavily researching password storage lately, because I believe there are still lapses in internet security that keep it far behind what hackers are able to achieve, and, as a programmer, I want to keep such things as lock-tight as possible.

It, shamefully, just clicked with me the power of rainbow tables (for which I only learned the term in the last few days).  For some background, any legitimate website or authentication system does not store your password in plain text.  It uses a one-way encryption and stores that encryption.  Then to check if you used the right password, it encrypts the one you send it and compares it against the stored encryption.  This minimizes opportunities for a copy of your password to be easily accessible, decryptable, or readable, in any sense to someone who want to use it for malfeasance.

The trick with all one-way encryptions used for such “hashing” purposes is their resulting strings are fixed length.  For example, sha1, which is probably the most widely used method on the web, creates alphanumeric (0-9, a-z not case sensitive) hexadecimal strings of length 40 (at least using the php sha1() method with which I am familiar — I’m not a sha1 expert).  Because of this, there are possible collisions.  In other words, although your password might encrypt to one string, there are effectively infinite other strings that would encrypt to that same string.

Before getting too uptight about this, just do the basic numbers.  The sha1 encryption creates 40 character strings with 36 16 possible characters in each place, meaning there are 36^40 16^40 possible resulting encryptions.  That number?

178,689,910,246,017,054,531,432,477,289,437,798,228,285,773,001,601,743,140,683,776
1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

Is there even a word for that?  Yes … 178.69 novemdecillion 1.46 quindecillion.  (that is a big number)

So a hacker would build the corresponding rainbow table by finding exactly 1 string that converts to each of those 178,689 1,461,501 … hashes.  Then, somehow, they get your encrypted password, and all they have to do is look it up in this table, and they have your password (or at least one that collides with yours’ hash).

It is very simple, but, fortunately, at this point, that rainbow table would not fit on all the hard drives in the world.  In fact, it would take about 50 billion earths to find an equivalent number of atoms the earth is only composed of about 133 quindecillion atoms. (That’s one hash per 89 atoms — a human hair is about 10000 atoms thick).

But let’s abandon the seeming impossibility of the existence of this table temporarily.  A common practice in secure storage of passwords these days is to “salt” the password before hashing and storing it.  That is, you take the password, prepend (or append) a random string, then encrypt the resulting string.  (More complex salts can exist, but the idea is that you modify the password in a predictable, repeatable way).  What this does is force a hacker to build a corresponding rainbow table for EVERY password he/she wants to hack, because the unsalted rainbow table won’t work (I’ll leave this to you to figure out why if you don’t know at this point.)

The problem is, if you’re still using sha1 to encrypt the salted password, it’s no different than if you didn’t salt the password.  If this complete sha1 rainbow table DID exist, the salt would serve absolutely no purpose, it would just shift the collision.  Some infinite subset of strings would still map to this encrypted string.

As a side note, the rainbow tables that exist are simply compilations of common types of passwords, and, in many instances, they work, because people just don’t use strong enough passwords.  This reduces the size of the tables to a usable form, so, in this case, the salting is imperative.  I am discussing today the case where a complete sha1 rainbow table exists.  I have said that it is pretty much impossible, but, from a purely theoretical standpoint, eventually, even the number 178.69 novemdecillion 1.46 quindecillion will become small as technology improves with time.

By the way, “strong,” for all intents and purposes of one-way hashing, just means long.  Knowing a password is short drastically decreases the number of hashes that need to be generated for the table.  Good advice? Use passwords 20 characters or longer — i.e. a sentence “This is my password, baby. Nothing personal, but don’t steal it.”

My question is, is it really effective to use the same encryption mechanism after you salt the password?  Salting is little more than an obfuscation in the presence of a complete rainbow table.  In the face of the assumed existence of this rainbow table, and ignoring that most passwords aren’t truly “random,” there is exactly no difference between “salt and hash” and simply “hash.” This just leads me to the conclusion that the inherent flaw in one way hashes is that they create strings of finite length, but that is exactly why they are useful.

Perhaps the only purpose of this post was to legitimately use the word novemdecillion quindecillion more than once.  I dunno, but I would certainly appreciate expert commentary on the topic.

Edit: After initially writing this, I realized that sha1 created hex strings, not alphanumeric.  This changed the numbers, but fortunately not the article.  I decided to leave the old numbers in strikethrough because, well, novemdecillion is a cool freaking word.

 

Posted by on September 30, 2010 in Computers, Programming

4 Comments

Tags: , , , , , , , , , , , , ,

Howto: Enable PCNTL in Ubuntu PHP installations

PCNTL in PHP allows for some handy advanced “trickery” using the OS process functions inherent in Linux (*nix?).  I believe some features are available in Windows, but I know for certain that pcntl_fork() is not.

Anyway, it is not enabled by default, so if you want to take advantage of the functions on your Ubuntu LAMP server, you might spend hours searching the web for that magic aptitude command.  But, as far as I can tell, it doesn’t exist.

Luckily, I stumbled across this article on the Ubuntu forums, so I’m dedicating a post here with the hopes that other will find it more easily.


Please note that you’ll probably need build-essentials and a few other source compilation basics, but as long as you have that, the following code will get you what you want.

First, in your home directory:

mkdir php
cd php
apt-get source php5
cd php5-(WHATEVER_RELEASE)/ext/pcntl
phpize
./configure
make

Then:

cp modules/pcntl.so /usr/lib/php5/WHEVER_YOUR_SO_FILES_ARE/
echo "extension=pcntl.so" > /etc/php5/conf.d/pcntl.ini

FYI: “make install” does not appear to put the files in the correct place.

Btw, please direct any thanks/praise to skout23 on the Ubuntu forums.

 

Posted by on July 30, 2010 in Computers, How-To

24 Comments

Tags: , , , , , , ,

WordPress 3.0, multi-sites, and migrating only some of your posts

I started my original blog a little over a year ago now simply as a way to have a place to post thoughts online. As it progressed and I started to flesh out my music site, I realized that I actually have at least 3 distinct types of thoughts I want to post: music-related, general commentary on my life, hobbies, and interests, and philosophical topics.

WordPress is extremely powerful, and I quickly began using its RSS functionality to feed my music related posts to my music website, but, as it turns out, this is kind of bad from a search engine perspective. I ended up using cross-domain canonical URLs to make Google happy. Additionally, it was kind of confusing. While I don’t really have much traffic to any of my sites, I like to pretend that I do, and it just wasn’t adding up.

Then comes WordPress 3.0 which allows you to host multiple blogs (even, unofficially, on multiple domains), so it gave me the opportunity to allocate content correctly to my domains.

There are drawbacks, of course.  It’s not like you get to just make posts and decide which domain you want it on.  You still have separate sites with separate management profiles, etc., it’s just that anytime you upgrade core components (such as themes, plugins, and even WordPress itself) you don’t have to do it for every blog.

Plus, all your content is in a centralized, easily accessible place.  Perhaps in the future more fine-tuned enhancements will evolve, but for the time being all I had to do was some MySQL footwork (in moving the right posts to the right blogs, which was simple enough as I already had “Music” and “Philosphy” categories).

I have had crimulus.com reserved for some time as my “personal” site — projects I’m working on, hobby showcases, etc., but I never really fleshed it out.  My music site, jeremytharp.com, is about 5 years old now, but it relayed podcast data, music news, etc. for anyone visiting that site, but, for a search engine, it treated it as if it were hosted on my actual blog which is at coffeecuphalfmoons.com.

To summarize, I just wanted to express how pleased I am with the feature as well as inform any readers (if you exist) of the changes.

Finally, for the technological grit, if anyone else intends to do this, I had to make a modification to my coffeecuphalfmoons.com theme.

I had plenty of indexed content, so now most of those are on crimulus.com or blog.jeremytharp.com, so links from search engines would generate a 404.  I simply modified my theme’s index.php send a GET request for the $_SERVER[‘REQUEST_URI’] on each of the domains (crimulus.com and blog.jeremytharp.com) in the event that have_posts() returned false.  If either of those requests returns a header code other than 404, I send a 301 redirect for that.

So, a search engine refers a user to http://www.coffeecuphalfmoons.com/a/post/that/i/moved/

I check (using cURL) to see if http://www.crimulus.com/a/post/that/i/moved/ or http://blog.jeremytharp.com/a/post/that/i/moved/ returns a 200, 301, etc.  If so, then it’s probably the post that was originally referred to.

This is how you help keep pagerank value and link-juice when you’re migrating only a few posts from a blog on one domain to a blog on another.  At least, that’s how I did it.

 

Posted by on July 13, 2010 in Commentary, Computers, Reviews

2 Comments

Tags: , , , , , , , , , , , ,

WORDPRESS HOW-TO: Ignore/Hide A Category On Your Home Page

Sometimes you don’t want a particular category to appear on your WordPress home page.  For me, I create weekly Twitter digests, and I’d rather they not be part of the page welcome.

The process of hiding them actually took me a little bit to figure out, so I thought I’d share.  It’s rather simple, so don’t blink!  🙂

Simply edit “index.php” in the wp-content/themes/<your_theme_here>/ directory.

Between the lines:

<?php if (have_posts()) : ?>

and

<?php while (have_posts()) : the post(); ?>

Insert the line:

<?php if (is_home()) { query_posts("cat=-XXX"); } ?>

Be sure to replace “XXX” with the unique numeric ID of the category you want to ignore.  To find the ID, log into your admin, navigate to your categories, and select the one you want to ignore.  The number will then appear in the URL.

NOTE: Make sure you don’t delete the “-” before the “XXX” or else you will ONLY show entries from the category.

If you update your theme, you will probably have to repeat this procedure.

If you want to hide multiple categories simply append the other categories to the string with a comma: (Example: “cat=-12,-82,-4”)

It also follows, then, that this technique can also be used to hide tags, posts, etc.

 

Posted by on February 28, 2010 in Computers, How-To, Programming

1 Comment

Tags: , , , , , , , , , , , , , , , ,