Bug #51436 [PATCH]: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs

Tue, 30 Mar 2010 19:43:39 -0700 

Edit report at http://bugs.php.net/bug.php?id=51436&edit=1

 ID:               51436
 Patch added by:   phi...@php.net
 Reported by:      andreas at andreas dot org
 Summary:          LCG entropy fix insufficient, uniqid leaks entropy,
                   leads to weak session IDs
 Status:           Open
 Type:             Bug
 Package:          *Encryption and hash functions
 Operating System: all
 PHP Version:      5.3.2

 New Comment:

The following patch has been added/updated:

Patch Name: session_entropy_docs_php_ini_default_off_still
Revision:   1270003407
URL:       
http://bugs.php.net/patch-display.php?bug=51436&patch=session_entropy_docs_php_ini_default_off_still&revision=1270003407


Previous Comments:
------------------------------------------------------------------------
[2010-03-31 01:08:13] phi...@php.net

Regarding session.entropy_file and session.entropy_length, please
clarify this 

topic a bit and ideally include an example for Windows users. I see
words like 

ksecdd.sys and CryptoAPI but am unsure how these might apply to 

session.entropy_file.



And, what are the downsides of using these options... performance?

------------------------------------------------------------------------
[2010-03-30 20:19:27] paj...@php.net

On a related note, we should document session.entropy-file in a better
way. Maybe this page should be a good place to inform the users about
this setting and why it should always be used:



http://www.php.net/manual/en/session.installation.php



Thanks Rasmus for the notice.

------------------------------------------------------------------------
[2010-03-30 12:38:31] andreas at andreas dot org

Description:
------------
PHP utilizes a cryptographically weak random number generator to produce
session ID information.  Additionally, not enough entropy is used for
the initial seeding of the RNG, and some of the entropy can leak by
careless use of the uniqid() PHP function.  Under certain circumstances,
these individual weaknesses interact and reduce the number of possible
values of a PHP session ID so much that exhaustive search for a valid
session ID against the web server becomes feasible.



I suggest to make sure that a cryptographically secure RNG is used for
session ID generation, sufficient entropy is used to seed the RNG, and
to change the uniqid() function to always return a hashed value.



A complete discussion of why I think the code is vulnerable, including
estimates on the attack effort, is available from
http://berlin.ccc.de/~andreas/php-entropy-advisory.txt



------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=51436&edit=1

Reply via email to