Edit report at http://bugs.php.net/bug.php?id=51436&edit=1

 ID:               51436
 Updated by:       phi...@php.net
 Reported by:      andreas at andreas dot org
 Summary:          LCG entropy fix insufficient, uniqid leaks entropy,
                   leads to weak session IDs
 Status:           Open
 Type:             Bug
 Package:          *Encryption and hash functions
 Operating System: all
 PHP Version:      5.3.2

 New Comment:

As for these session.entropy directives, due to compatibility issues I'm
unsure how best to include these recommended values in php.ini-* so the
following patch[1] adds information where appropriate, although it does
not change the default values. One trouble: it breaks convention, as
other directives are in fact changed (and not only recommended). This
patch only solves this bug through documentation, which may or may not
be our ultimate solution.



We still need to discuss whether changing the default php.ini-* values
is appropriate, and the potential impact (e.g. Windows) it would have.
And of course explore alternative options that essentially don't
"require" /dev/urandom. Like, Rasmus/Scott mentioned something about
using OpenSSL's existing abstraction layer to do it.



And lastly, while documenting we should describe:

- Briefly mention the difference between /dev/urandom and /dev/random
- Talk about performance issues
- Alternatives to /dev/random (e.g. EGD, hardware, ...)
- Mention which Operating Systems lack /dev/random (Windows, and Solaris
  8 and below come to mind)



[1] Patch name: session_entropy_docs_php_ini_default_off_still


Previous Comments:
------------------------------------------------------------------------
[2010-03-31 04:43:27] phi...@php.net

The following patch has been added/updated:

Patch Name: session_entropy_docs_php_ini_default_off_still
Revision:   1270003407
URL:        http://bugs.php.net/patch-display.php?bug=51436&patch=session_entropy_docs_php_ini_default_off_still&revision=1270003407

------------------------------------------------------------------------
[2010-03-31 01:08:13] phi...@php.net

Regarding session.entropy_file and session.entropy_length, please
clarify this topic a bit and ideally include an example for Windows
users. I see words like ksecdd.sys and CryptoAPI but am unsure how these
might apply to session.entropy_file.

And, what are the downsides of using these options... performance?

------------------------------------------------------------------------
[2010-03-30 20:19:27] paj...@php.net

On a related note, we should document session.entropy-file in a better
way. Maybe this page should be a good place to inform the users about
this setting and why it should always be used:



http://www.php.net/manual/en/session.installation.php



Thanks Rasmus for the notice.

------------------------------------------------------------------------
[2010-03-30 12:38:31] andreas at andreas dot org

Description:
------------
PHP utilizes a cryptographically weak random number generator to produce
session ID information.  Additionally, not enough entropy is used for
the initial seeding of the RNG, and some of the entropy can leak by
careless use of the uniqid() PHP function.  Under certain circumstances,
these individual weaknesses interact and reduce the number of possible
values of a PHP session ID so much that exhaustive search for a valid
session ID against the web server becomes feasible.



I suggest to make sure that a cryptographically secure RNG is used for
session ID generation, sufficient entropy is used to seed the RNG, and
to change the uniqid() function to always return a hashed value.



A complete discussion of why I think the code is vulnerable, including
estimates on the attack effort, is available from
http://berlin.ccc.de/~andreas/php-entropy-advisory.txt



------------------------------------------------------------------------
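Added example, not part of the bug report or of PHP itself: a small audit of the two directives discussed in the comments above, session.entropy_file and session.entropy_length, run against php.ini text. The sample fragments, the value 32, and the finding wording are constructed for illustration.

```python
import re

# Constructed php.ini fragments (not taken from the patch attached to the bug).
SAMPLE_DEFAULT = "[Session]\nsession.entropy_file =\nsession.entropy_length = 0\n"
SAMPLE_URANDOM = ("[Session]\nsession.entropy_file = /dev/urandom ; kernel CSPRNG\n"
                  "session.entropy_length = 32\n")
SAMPLE_BLOCKING = '[Session]\nsession.entropy_file = "/dev/random"\nsession.entropy_length = 16\n'

BLOCKING_SOURCES = {"/dev/random"}  # reads may stall when the kernel pool is low


def parse_ini(text):
    """Return the effective key -> value map of php.ini text (last assignment wins)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, comment or [Section] header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # Take a double-quoted value whole, otherwise cut at a trailing ';' comment.
        m = re.match(r'\s*(?:"([^"]*)"|([^;]*))', value)
        settings[key.strip()] = next(g for g in m.groups() if g is not None).strip()
    return settings


def audit_session_entropy(ini_text):
    """Return a list of findings about the session entropy directives."""
    s = parse_ini(ini_text)
    source = s.get("session.entropy_file", "")
    try:
        length = int(s.get("session.entropy_length", "") or 0)
    except ValueError:
        length = 0  # a non-numeric length is treated as unset
    findings = []
    if not source:
        findings.append("session.entropy_file is unset: no bytes from an external "
                        "source are added to session ID generation")
    if length <= 0:
        findings.append("session.entropy_length is 0: nothing is read from the entropy file")
    if source in BLOCKING_SOURCES and length > 0:
        findings.append("session.entropy_file=/dev/random may block session creation")
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_URANDOM", "SAMPLE_BLOCKING"):
        print(name, audit_session_entropy(globals()[name]))
```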


