Bug #51436 [Opn]: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Edit report at http://bugs.php.net/bug.php?id=51436&edit=1

ID: 51436
Updated by: paj...@php.net
Reported by: andreas at andreas dot org
Summary: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Status: Open
Type: Bug
Package: *Encryption and hash functions
Operating System: all
PHP Version: 5.3.2

New Comment:

Well, the easiest to backport something now and here is to use the given settings. You can do it right now.

Previous Comments:

[2010-04-07 17:21:47] andreas at andreas dot org

I strongly suggest backporting. Also, the fact that uniqid() values are predictable too needs addressing.

[2010-03-31 20:30:53] ras...@php.net

I have switched the default in trunk to either /dev/urandom or /dev/arandom if it exists. We actually already had a check for it in Zend for the zend_mm_random() function. Whether we backport this to 5.3 or just improve the documentation for that setting is up to Johannes, I think.

[2010-03-31 20:03:18] ras...@php.net

Automatic comment from SVN on behalf of rasmus
Revision: http://svn.php.net/viewvc/?view=revision&revision=297232
Log: Set session.entropy_file to /dev/urandom or /dev/arandom by default if present at compile-time. Addresses part of bug #51436

[2010-03-31 05:04:14] phi...@php.net

As for these session.entropy directives, due to compatibility issues I'm unsure how best to include these recommended values in php.ini-* so the following patch[1] adds information where appropriate, although it does not change the default values. One trouble: it breaks convention, as other directives are in fact changed (and not only recommended).

This patch only solves this bug through documentation, which may or may not be our ultimate solution. We still need to discuss whether changing the default php.ini-* values is appropriate, and the potential impact (e.g. Windows) it would have. And of course explore alternative options that essentially don't require /dev/urandom. Like, Rasmus/Scott mentioned something about using OpenSSL's existing abstraction layer to do it.

And lastly, while documenting we should describe:
- Briefly mention the difference between /dev/urandom and /dev/random
- Talk about performance issues
- Alternatives to /dev/random (e.g. EGD, hardware, ...)
- Mention which Operating Systems lack /dev/random (Windows, and Solaris 8 and below come to mind)

[1] Patch name: session_entropy_docs_php_ini_default_off_still

[2010-03-31 04:43:27] phi...@php.net

The following patch has been added/updated:

Patch Name: session_entropy_docs_php_ini_default_off_still
Revision: 1270003407
URL: http://bugs.php.net/patch-display.php?bug=51436&patch=session_entropy_docs_php_ini_default_off_still&revision=1270003407

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=51436

--
Edit this bug report at http://bugs.php.net/bug.php?id=51436&edit=1
Bug #51436 [Opn]: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Edit report at http://bugs.php.net/bug.php?id=51436&edit=1

ID: 51436
Updated by: ras...@php.net
Reported by: andreas at andreas dot org
Summary: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Status: Open
Type: Bug
Package: *Encryption and hash functions
Operating System: all
PHP Version: 5.3.2

New Comment:

I have switched the default in trunk to either /dev/urandom or /dev/arandom if it exists. We actually already had a check for it in Zend for the zend_mm_random() function. Whether we backport this to 5.3 or just improve the documentation for that setting is up to Johannes, I think.

Previous Comments:

[2010-03-31 20:03:18] ras...@php.net

Automatic comment from SVN on behalf of rasmus
Revision: http://svn.php.net/viewvc/?view=revision&revision=297232
Log: Set session.entropy_file to /dev/urandom or /dev/arandom by default if present at compile-time. Addresses part of bug #51436

[2010-03-31 05:04:14] phi...@php.net

As for these session.entropy directives, due to compatibility issues I'm unsure how best to include these recommended values in php.ini-* so the following patch[1] adds information where appropriate, although it does not change the default values. One trouble: it breaks convention, as other directives are in fact changed (and not only recommended).

This patch only solves this bug through documentation, which may or may not be our ultimate solution. We still need to discuss whether changing the default php.ini-* values is appropriate, and the potential impact (e.g. Windows) it would have. And of course explore alternative options that essentially don't require /dev/urandom. Like, Rasmus/Scott mentioned something about using OpenSSL's existing abstraction layer to do it.

And lastly, while documenting we should describe:
- Briefly mention the difference between /dev/urandom and /dev/random
- Talk about performance issues
- Alternatives to /dev/random (e.g. EGD, hardware, ...)
- Mention which Operating Systems lack /dev/random (Windows, and Solaris 8 and below come to mind)

[1] Patch name: session_entropy_docs_php_ini_default_off_still

[2010-03-31 04:43:27] phi...@php.net

The following patch has been added/updated:

Patch Name: session_entropy_docs_php_ini_default_off_still
Revision: 1270003407
URL: http://bugs.php.net/patch-display.php?bug=51436&patch=session_entropy_docs_php_ini_default_off_still&revision=1270003407

[2010-03-31 01:08:13] phi...@php.net

Regarding session.entropy_file and session.entropy_length, please clarify this topic a bit and ideally include an example for Windows users. I see words like ksecdd.sys and CryptoAPI but am unsure how these might apply to session.entropy_file. And, what are the downsides of using these options... performance?

[2010-03-30 20:19:27] paj...@php.net

On a related note, we should document session.entropy-file in a better way. Maybe this page should be a good place to inform the users about this setting and why it should always be used:

http://www.php.net/manual/en/session.installation.php

Thanks Rasmus for the notice.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=51436

--
Edit this bug report at http://bugs.php.net/bug.php?id=51436&edit=1
Bug #51436 [Opn]: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Edit report at http://bugs.php.net/bug.php?id=51436&edit=1

ID: 51436
Updated by: paj...@php.net
Reported by: andreas at andreas dot org
Summary: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Status: Open
Type: Bug
Package: *Encryption and hash functions
Operating System: all
PHP Version: 5.3.2

New Comment:

On a related note, we should document session.entropy-file in a better way. Maybe this page should be a good place to inform the users about this setting and why it should always be used:

http://www.php.net/manual/en/session.installation.php

Thanks Rasmus for the notice.

Previous Comments:

[2010-03-30 12:38:31] andreas at andreas dot org

Description:

PHP utilizes a cryptographically weak random number generator to produce session ID information. Additionally, not enough entropy is used for the initial seeding of the RNG, and some of the entropy can leak by careless use of the uniqid() PHP function. Under certain circumstances, these individual weaknesses interact and reduce the number of possible values of a PHP session ID so much that exhaustive search for a valid session ID against the web server becomes feasible.

I suggest to make sure that a cryptographically secure RNG is used for session ID generation, sufficient entropy is used to seed the RNG, and to change the uniqid() function to always return a hashed value.

A complete discussion of why I think the code is vulnerable, including estimates on the attack effort, is available from http://berlin.ccc.de/~andreas/php-entropy-advisory.txt

--
Edit this bug report at http://bugs.php.net/bug.php?id=51436&edit=1
Bug #51436 [Opn]: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Edit report at http://bugs.php.net/bug.php?id=51436&edit=1

ID: 51436
Updated by: phi...@php.net
Reported by: andreas at andreas dot org
Summary: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Status: Open
Type: Bug
Package: *Encryption and hash functions
Operating System: all
PHP Version: 5.3.2

New Comment:

Regarding session.entropy_file and session.entropy_length, please clarify this topic a bit and ideally include an example for Windows users. I see words like ksecdd.sys and CryptoAPI but am unsure how these might apply to session.entropy_file. And, what are the downsides of using these options... performance?

Previous Comments:

[2010-03-30 20:19:27] paj...@php.net

On a related note, we should document session.entropy-file in a better way. Maybe this page should be a good place to inform the users about this setting and why it should always be used:

http://www.php.net/manual/en/session.installation.php

Thanks Rasmus for the notice.

[2010-03-30 12:38:31] andreas at andreas dot org

Description:

PHP utilizes a cryptographically weak random number generator to produce session ID information. Additionally, not enough entropy is used for the initial seeding of the RNG, and some of the entropy can leak by careless use of the uniqid() PHP function. Under certain circumstances, these individual weaknesses interact and reduce the number of possible values of a PHP session ID so much that exhaustive search for a valid session ID against the web server becomes feasible.

I suggest to make sure that a cryptographically secure RNG is used for session ID generation, sufficient entropy is used to seed the RNG, and to change the uniqid() function to always return a hashed value.

A complete discussion of why I think the code is vulnerable, including estimates on the attack effort, is available from http://berlin.ccc.de/~andreas/php-entropy-advisory.txt

--
Edit this bug report at http://bugs.php.net/bug.php?id=51436&edit=1
Bug #51436 [Opn]: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Edit report at http://bugs.php.net/bug.php?id=51436&edit=1

ID: 51436
Updated by: phi...@php.net
Reported by: andreas at andreas dot org
Summary: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Status: Open
Type: Bug
Package: *Encryption and hash functions
Operating System: all
PHP Version: 5.3.2

New Comment:

As for these session.entropy directives, due to compatibility issues I'm unsure how best to include these recommended values in php.ini-* so the following patch[1] adds information where appropriate, although it does not change the default values. One trouble: it breaks convention, as other directives are in fact changed (and not only recommended).

This patch only solves this bug through documentation, which may or may not be our ultimate solution. We still need to discuss whether changing the default php.ini-* values is appropriate, and the potential impact (e.g. Windows) it would have. And of course explore alternative options that essentially don't require /dev/urandom. Like, Rasmus/Scott mentioned something about using OpenSSL's existing abstraction layer to do it.

And lastly, while documenting we should describe:
- Briefly mention the difference between /dev/urandom and /dev/random
- Talk about performance issues
- Alternatives to /dev/random (e.g. EGD, hardware, ...)
- Mention which Operating Systems lack /dev/random (Windows, and Solaris 8 and below come to mind)

[1] Patch name: session_entropy_docs_php_ini_default_off_still

Previous Comments:

[2010-03-31 04:43:27] phi...@php.net

The following patch has been added/updated:

Patch Name: session_entropy_docs_php_ini_default_off_still
Revision: 1270003407
URL: http://bugs.php.net/patch-display.php?bug=51436&patch=session_entropy_docs_php_ini_default_off_still&revision=1270003407

[2010-03-31 01:08:13] phi...@php.net

Regarding session.entropy_file and session.entropy_length, please clarify this topic a bit and ideally include an example for Windows users. I see words like ksecdd.sys and CryptoAPI but am unsure how these might apply to session.entropy_file. And, what are the downsides of using these options... performance?

[2010-03-30 20:19:27] paj...@php.net

On a related note, we should document session.entropy-file in a better way. Maybe this page should be a good place to inform the users about this setting and why it should always be used:

http://www.php.net/manual/en/session.installation.php

Thanks Rasmus for the notice.

[2010-03-30 12:38:31] andreas at andreas dot org

Description:

PHP utilizes a cryptographically weak random number generator to produce session ID information. Additionally, not enough entropy is used for the initial seeding of the RNG, and some of the entropy can leak by careless use of the uniqid() PHP function. Under certain circumstances, these individual weaknesses interact and reduce the number of possible values of a PHP session ID so much that exhaustive search for a valid session ID against the web server becomes feasible.

I suggest to make sure that a cryptographically secure RNG is used for session ID generation, sufficient entropy is used to seed the RNG, and to change the uniqid() function to always return a hashed value.

A complete discussion of why I think the code is vulnerable, including estimates on the attack effort, is available from http://berlin.ccc.de/~andreas/php-entropy-advisory.txt

--
Edit this bug report at http://bugs.php.net/bug.php?id=51436&edit=1
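
Added example (not part of the bug report and not PHP's own code): a small Python check for the two directives discussed in this thread, session.entropy_file and session.entropy_length, run over constructed php.ini samples. The sample file contents and the length of 32 bytes are assumptions; the device names are the ones mentioned in the comments above.

```python
import re

# Constructed sample php.ini contents (not taken from the bug report).
SAMPLE_DEFAULT = """\
[Session]
session.save_handler = files
;session.entropy_file = /dev/urandom
session.entropy_length = 0
"""

SAMPLE_HARDENED = """\
[Session]
session.entropy_file = "/dev/urandom"
session.entropy_length = 32   ; bytes read per session ID (assumed value)
"""

NONBLOCKING = {"/dev/urandom", "/dev/arandom"}  # devices named in the thread

def parse_ini(text):
    """Return the effective directives; ';' comments are ignored, last value wins."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r'^([\w.]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def audit_session_entropy(text):
    """List findings for the session entropy directives; an empty list means OK."""
    ini = parse_ini(text)
    source = ini.get("session.entropy_file", "")
    length = ini.get("session.entropy_length", "0")
    findings = []
    if not source:
        findings.append("session.entropy_file is unset: no entropy file is read for session IDs")
    elif source == "/dev/random":
        findings.append("session.entropy_file is /dev/random: reads can block under load")
    elif source not in NONBLOCKING:
        findings.append("session.entropy_file is %r: confirm it is a kernel CSPRNG device" % source)
    if not length.isdigit() or int(length) == 0:
        findings.append("session.entropy_length is 0: nothing is read from the entropy file")
    return findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_session_entropy(text) or "OK")
```

A commented-out directive (leading ';') counts as unset, which is why the first sample yields two findings even though /dev/urandom appears in the file.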