0

I have an idea for a system to log in users and validate their login on pages.
I realize that there are lots of systems out there, but I mainly was curious if the idea I had was any good. I've done some digging, but most results seem to leave out what I've always thought to be important practices (like password encryption, etc). I'll probably look harder for a pre-made solution, as it is probably more secure, but I haven't really worked with application security, and was hoping to get some feedback.

When a user logs in, their name and password are verified against a database, the password is encrypted using SHA256 and a randomly generated salt, the overall string (both the salt and the encrypted password is 128 chars. long). Here's the password validation code:

 function ValidatePassword($password, $correctHash)
 {
    $salt = substr($correctHash, 0, 64); //get the salt from the front of the hash
    $validHash = substr($correctHash, 64, 64); //the SHA256

    $testHash = hash("sha256", $salt . $password); //hash the password being tested
    //if the hashes are exactly the same, the password is valid
    return $testHash === $validHash;
}

If the login is valid, they are assigned a token. This token is similar to the password encryption, but stores the encrypted epoch as well as another random salt. The token, the login time, an expiration time, and the username are stored in a DB and the username and the token are transmitted as session information.

Here's the code that creates the token:

function loginUser($email)
{
  $thetime = time();
  $ip = $_SERVER['REMOTE_ADDR'];

  $dbuser="///";
  $dbpass="///";
  $dbtable="tokens";
  mysql_connect(localhost,$dbuser,$dbpass);
  mysql_select_db("///") or die( "Unable to select database");

  //Generate a salt
  $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
  //Hash the salt and the current time to get a random token
  $hash = hash("sha256", $salt . $password);
  //Prepend the salt to the hash
  $final = $salt . $hash;

  $exptime = $thetime + 3600;

  //Store this value into the db
  $query = "INSERT INTO `spanel`.`tokens` VALUES ('$final', $thetime, $exptime,    $thetime, '$ip', MD5('$email') )";
  mysql_query($query) or die ("Could not create token.");

  //Store the data into session vars
  $_SESSION['spanel_email'] = $email;
  $_SESSION['spanel_token'] = $final;

  return true;

}

When they reach a page, the token they have and the username are checked against the DB. If the check is good, the expiration time is updated and the page loads. Here's that code:

function validateUser($page)
{
  //Grab some vars
  $thetime = time();
  $ip = $_SERVER['REMOTE_ADDR'];
  $token = $_SESSION['spanel_token'];
  $email = $_SESSION['spanel_email'];

  $dbuser="///";
  $dbpass="///";
  $dbtable="tokens";
  mysql_connect(localhost,$dbuser,$dbpass);
  mysql_select_db("///") or die( "Unable to select database");

  //Global var
  //Get the var for token expire
  $token_expire = 3600;
  //Validate the token
  $query = "SELECT * FROM `tokens` WHERE `token` LIKE '$token' AND `user_id` LIKE   MD5('$email') AND `exp` > $thetime";
  $result = mysql_query($query) or die(mysql_error());
  //Check if we have a valid result
  if ( mysql_num_rows($result) != 1 ) {
    //Logout the user
    //Destroy the session
    session_destroy();
    //Redirect
    header("location: /spanel/login.php?denied=1");
    exit();
    //(Since the token is already invalid, there's no reason to reset it as invalid)
  }
  $row = mysql_fetch_assoc($result);

  //Update the token with our lastseen
  $newexp = $thetime + $token_expire;
  $query = "UPDATE `spanel`.`tokens` SET `exp` = $newexp, `lastseen_ip` = $thetime,    `lastseen_ip` = '$ip' WHERE `token` LIKE '$token'";
  mysql_query($query);

}

Feedback (good and bad) is appreciated. Like I said, I haven't done much security and was hoping to get pointers.

EDIT: I fear I overestimated my ability to effectively create a login system. Saying this, I understand if you decide to stop trying to figure out the jumbled mess that was this probably flawed idea.

Nevertheless, here's the php code from the login page. (After what's been said here, I realize just POST'ing the password is a big no-no).

    $email = $_POST['email'];
    $password = $_POST['password'];
    $dbuser="///";
    $dbpass="///";
    $dbtable="///";
    mysql_connect(localhost,$dbuser,$dbpass);
    mysql_select_db("spanel") or die( "Unable to select database");
    $query = "SELECT * FROM users WHERE `email` LIKE '$email'";
    $result=mysql_query($query) or die(mysql_error());
    $num=mysql_num_rows($result);
    $row = mysql_fetch_array($result);
    if ( ValidatePassword($password, $row['hash']) == true ) {
      loginUser($email);
      header("location: /spanel/index.php");
    } else {
      echo "<p>Login Failed.</p>";
    }

Here's the bit that generates the password salt and hash when the account is created.

 function HashPassword($password)
 {
    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); //get 256 random bits in hex
    $hash = hash("sha256", $salt . $password); //prepend the salt, then hash
    //store the salt and hash in the same string, so only 1 DB column is needed
    $final = $salt . $hash; 
    return $final;
}

Thanks for the feedback, I'm glad the problems with my lack of knowledge were found here and not after an attack.

akester
  • 63
  • 1
  • 7
  • 6
    I hope this doesn't come off as nit-picky, but I just want to make sure you understand: Hashing and encryption are two different things--hashing algorithms are designed to *not* be reversible. It looks like what you are trying to do is hash the password, not encrypt it, which is good. If you are intending to encrypt passwords, I'd say that's a bad practice as your system should never need to know the user's actual password. – Casey Kinsey May 14 '12 at 17:17
  • Where does `$password` in `loginUser` come from? – Gumbo May 14 '12 at 17:27
  • And how do you use these functions? – Gumbo May 14 '12 at 17:36
  • Thanks, I'd be hashing, not encrypting. And the $password is an error that I didn't catch (I recycled the code and didn't update that variable). I intended it to be $thetime – akester May 14 '12 at 17:39
  • When the user logs in, the login page validates the password using validatePassword. If it passes, it calls loginUser to assign them a token. (A bit messy, really they should be one function) On each page load, the page calls validateUser which checks the token. – akester May 14 '12 at 17:44
  • Then where does `$correctHash` come from? How do you retrieve that value? – Gumbo May 14 '12 at 18:09
  • The login page forwards that. Its just pulled from the user table. (It could – akester May 14 '12 at 18:20
  • There is none, Judging by your response I feel like this is important. – akester May 14 '12 at 19:09
  • 1
    wow, you don't understand SQL injection and yet you want to write your own authentication protocol... – rook May 15 '12 at 01:14
  • @Rook is right. It would be an easy job to get access by exploiting the SQL injection vulnerability without any further knowledge. – Gumbo May 15 '12 at 17:08

3 Answers3

1

For one, hashing like that is insecure. sha256 can be broken easily, at least for short passwords. You must use some hash stretching. See if you can find some PBKDF2 implementations or use the wikipedia's suggestion for a "for loop" with sha256. Moreover I don't get what you achieve with having more session variables. I don't understand what validateuser() does, it still relies on session id, or am I missing something.

sivann
  • 2,083
  • 4
  • 29
  • 44
  • So (I'm asking because I don't know, not to be rude) what would be a good way to protect against replay attacks. (I get having a challenge key that's regenerated with each load, but I guess I'm hard time visualizing how that would work). – akester May 14 '12 at 17:53
  • Please elaborate on what is prone to replay attacks. – Gumbo May 14 '12 at 18:21
  • @akester Please show the javascript code , and the php code which generates the challenge key on the login page. – sivann May 14 '12 at 18:55
  • @sivann No java, I don't have any implementation of a nonce (I assume that's what your looking for) and I guess I'm not sure what you're looking for on the php page. – akester May 14 '12 at 19:16
  • 2
    I fear I may have gotten in over my head on this one. – akester May 14 '12 at 19:16
  • on PBKDF2 for password hashing, please also read [this answer on the subject](http://security.stackexchange.com/a/6415/2113) – Jacco May 26 '12 at 13:06
1

Similar to sivann, I can’t see the reason for the additional spanel_token either. All it seems to effectively do is to ensure that the session is no longer valid after the token’s expiration time. Since both values for token and user_id for the WHERE condition are stored in the session and are only set during the login, they won’t change. But session expiration can be implemented much easier.

But apart from that and much more important: your code is vulnerable to SQL injection. It would be easy with the knowledge you’ve posted here. All you need is to do the following steps:

  • Find out the number of columns of users with a UNION SELECT injection in email:

    ' UNION SELECT null, …, null WHERE ''='

    If the wrong number of columns is entered, your script will throw a MySQL error, otherwise the “Login Failed.” will appear. Thanks for that.

  • By using the following query:

    SELECT t1.* FROM users t1 RIGHT JOIN (SELECT email, '000000000000000000000000000000000000000000000000000000000000000060e05bd1b195af2f94112fa7197a5c88289058840ce7c6df9693756bc6250f55' hash FROM users LIMIT 1) t2 USING (email);

    the value 000000000000000000000000000000000000000000000000000000000000000060e05bd1b195af2f94112fa7197a5c88289058840ce7c6df9693756bc6250f55 is injected into each record instead of the original hash column value. The leading 0s are the salt and the remaining string is the salted SHA-256 hash value for an empty password string, which will result in a valid password.

    So we end up with entering an empty string for the password field and the following for the email field:

    ' UNION SELECT t2.* FROM users t1 RIGHT JOIN (SELECT email, '000000000000000000000000000000000000000000000000000000000000000060e05bd1b195af2f94112fa7197a5c88289058840ce7c6df9693756bc6250f55' hash FROM users LIMIT 1) t2 USING (email) WHERE ''='

This should suffice to get ‘authenticated’ as any user.

Community
  • 1
  • 1
Gumbo
  • 643,351
  • 109
  • 780
  • 844
  • I realized the SQL problem shortly after someone else pointed it out. I usually leave it out of development because the `mysql_real_escape_string` function never seems to work without some work (From what I gathered,I think it's proper, but I could be wrong). As for the rest of it, I realize now how flawed the design was, and I'm most defiantly going to implement openid. I guess my thinking was that an attacker could spoof the cookie information, (like a replay attack, but using original information) but after the comments here I'll stop sticking my nose where it doesn't belong. – akester May 16 '12 at 05:42
  • @akester Simply copying the cookie will always be possible. The key is to protect the cookie as much as possible. – Gumbo May 16 '12 at 06:43
-1

Just commenting on the salt/hash system: Storing the salt alongside the password in the database sort of defeats the purpose of salting--if you database is compromised the salt becomes useless from a security perspective, because its right there to aid in guessing / breaking the security. The purpose of a salt is to increase the time taken to guess a hashed word by adding a secret string of appropriate length to the value you are hashing.

Casey Kinsey
  • 1,451
  • 9
  • 16
  • 1
    Not exactly, the salt provides protection against a replay attack (from network sniffers). I agree the salt (or challenge key) should be generated each time, but if the database gets compromised so does the password table. – sivann May 14 '12 at 17:19
  • That's a good point, I definitely misunderstood a key aspect of salting. And we agree that salts should not be stored in an evergreen fashion in the database. – Casey Kinsey May 14 '12 at 17:30
  • 2
    @sivann You’re wrong. [The salt is intended to protect against precomputed lookup table assisted dictionary attacks.](http://en.wikipedia.org/wiki/Salt_\(cryptography\)) – Gumbo May 14 '12 at 17:33
  • Maybe I should think twice before second guessing myself. That said, sivann does provide a valid point regarding challenge keys in token assisted authentication, and his concern regarding replay attacks is valid: http://en.wikipedia.org/wiki/Replay_attack I think the concepts of salts and challenge keys are being confused, but both are important aspects of tokenized authentication. – Casey Kinsey May 14 '12 at 17:59
  • 1
    This does not seem to be a challenge-respone authentication scheme like HTTP Digest where the client sends just a digest instead of the password. – Gumbo May 14 '12 at 18:13
  • @Gumbo No I'm not wrong. It's supposed to be CRAM (but probably wrong implementation), so a salt to be sent over the network. The poster says the hash is randomly generated on each login. – sivann May 14 '12 at 18:50
  • 1
    @sivann It still is not comparable to CRAM: In a CRAM, the [nonce](http://en.wikipedia.org/wiki/Cryptographic_nonce) (you wouldn’t call it [salt](http://en.wikipedia.org/wiki/Salt_\(cryptography\))) is sent to the client to incorporate it into the response calculation and instead of the plain password the response is used to authenticate the user. This is where you need a nonce so that the response is only valid with this specific nonce that is only valid for a single use. But doing this internally on the server side is nonsense. – Gumbo May 14 '12 at 19:06
  • @Gumbo Of course, but I presume the poster has other code not shown here which does exactly that. He says the login page provides the $correcthash, something that resembles cram. – sivann May 14 '12 at 19:09
  • As for the nonce, it's called "salt" in RFC2898, but nonce, salt, seed, all work :-) – sivann May 14 '12 at 19:18
  • @sivann $correcthash is the line from the password table (The salt + the salted and hashed password) – akester May 14 '12 at 19:18
  • @akester On a previous comment you mentioned the login page forwards that. Then perhaps the whole thing is flawed. I suggest you read about Challenge-response authentication before inventing your own methods. – sivann May 14 '12 at 19:20
  • @akester Then, again: how exactly do you retrieve that value form the table? Please show us the whole process, i. e. how you use these functions. – Gumbo May 14 '12 at 19:21
  • @Gumbo and sivann: I added some code, but I feel like I overestimated my skill. I'll most defiantly use a ready-made solution for the final app. Sorry for wasting your time. – akester May 14 '12 at 19:38
  • @Gumbo is correct here: "The salt is intended to protect against precomputed lookup table assisted dictionary attacks". Although there are other threats that need protecting against, salting your hashes is meant to tackle the precomputation attack thread. Maybe also read [another answer on salting](http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190) – Jacco May 26 '12 at 12:54