[Plugin]CB Hash (MD5, SHA-1 and SHA-256)


Post » Sun Jan 13, 2013 4:09 pm

Thanks Kyatric. Could someone explain what could be the best use of this plugin? cheers

Post » Thu Feb 14, 2013 3:36 am

@megatronx

I use it for passwords. A simple example would be~

User inputs their password -> It is hashed to something unknown -> Unknown string is sent over SSL -> Server hashes it again and stores or checks it.


Note: I don't recommend using that exact setup. Also, never store sensitive data information on the client's computer or send it back to the client.

Post » Thu Mar 07, 2013 2:45 am

I use it to hash a pw on the client side, send it to PHP, hash it again, save it. Then send an activation email to the user to confirm it's indeed them. Over SSL. @index, is this a good way to go about doing it? The email uses a random one-time key not related to the pw for verification.

Post » Thu Mar 07, 2013 5:03 am

@lanceal

I'm not too educated in this matter but I spent several days trying to figure out a solution to something I learned. I wanted to make a tutorial at some point but I didn't want to mislead if there was something I missed. Therefore, feel free to look deeper into the things I mention, if you have concerns. I won't be sharing code at this moment. I also won't be writing those tutorial pages (yet anyway). I'm just going to give you way more than you asked for in one post. It will perhaps come in handy for you or anyone who searches this in the future, and so here we go.



I'll start off by saying this. If you're doing operations on the client-side a person who wants to attack knows exactly what you're doing. Never depend on the client-side. Never trust the client-side. It can be manipulated. So the best way is to always design away from a client dependency.

Now. I don't recommend sending passwords in plain text on the basis that it's the most frowned upon thing. A single encryption on the client-side should be fine. Do not mix encryption unnecessarily. It will weaken your encryption when you're not careful.

You're going to want to get an SSL Certificate. These can be moderately difficult to understand at first. I'd go way more in-depth but this post would be giant. You can get a cheap SSL for around $10 a year. RapidSSL, Comodo, TrustSSL(GeoTrust), DigiSign, Verisign. You'd primarily want one of these, and for this- preferably the cheapest.

It will latch onto ONE domain (example.com) and the immediate subdirectories (example.com/*). It will not latch onto (*.example.com) or any of those subdirectories (*.example.com/*).

Wildcard SSL exists and covers the domain, subdomains and all subdirectories (*.exampledomain.com/*) but they're a lot more expensive ($100+). I don't think you'll need Wildcard or an EV SSL, so don't be too concerned with those.

SSL is great. It helps give an extra layer of confidence to your members. The most important part here is that it will encrypt information that transfers over the line. It will also help indicate if something seems tampered. Although this is a huge plus, it comes with some drawbacks. Things that come from non-SSL connections will sometimes get blocked by your browser. You can also encounter things such as Cross-Domain and Cross-Origin more frequently. However, it's all part of the development process and it feels good once it's done.

Note: http://exampledomain.com:443 IS NOT secure. You have to use https:// and you can use https://exampledomain.com:8011 as the port is not what is important.

So, with all this you should be able to get the data from the client to the server. The important part now is storage. SHA and MD5 are very fast encryption methods. This sounds good on paper but is horrid against crackers.

There is a fancy way of offloading a particular cracking to a graphics card. SHA/MD5 being run through multiple machines' graphics cards can hit up to millions of attempts every second. A lunch break could become disastrous for many people.

Now, this would most likely only be the most determined of people out there. You'd have to paint a huge target on your back to piss them off. Maybe you could *shrugs*. There is a possible protection from this.

There is a method called PBKDF2 which will run a SHA512 (or 256, not sure which) over and over to the extent that you specify. The more times the better. It connects something called a Unique SALT value to the password and re-runs the encryption thousands, ten thousands and hundred thousands of times making it require more resources to hack.

Another newer method is called SCRYPT. This hasn't been tested too much so it's not openly recommended. However, this method takes an increased amount of resources. This would essentially mean it is very difficult to crack these values. This of course depends on the settings you specify.


You can find PHP libraries of PBKDF2 and SCRYPT. You can find NODEJS libraries that can help do this in Javascript alongside Socket.IO.




Now I told you it would be easy to understand. Well- at the core of it- it is. The true issue is that PBKDF2 and SCRYPT can skyrocket the CPU usage and RAM usage very easily depending on the settings you choose. Keeping them lower, you might be fine. However, if a lot of logins have to be processed at one time- things get very complicated.

I'd recommend trying them on low settings and going with that. I won't be sharing my code any time soon (as I'm still using and developing it) but this is some idea of security. It's tough. I just hope I could clear something up for you.




I won't go into details but also look into something called Cloudflare.
Note: Make sure to understand what they do with SSL because if you buy a certificate it won't work with their Free nor the $20 plan.
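
The salted, iterated storage described in the post above, as an added example that is not part of the original thread or any poster's code. It uses Node's built-in `crypto` module; the iteration count, SHA-256 digest, record layout and function names are assumptions chosen for illustration.

```javascript
// Added example: PBKDF2 password storage with a unique salt per user.
const nodeCrypto = require('crypto');

// Assumed parameters; tune ITERATIONS against your server's login load.
const ITERATIONS = 100000;
const KEY_LEN = 32;            // bytes of derived key
const DIGEST = 'sha256';

// Returns a self-describing record: algorithm$iterations$salt$hash
function hashPassword(password, iterations = ITERATIONS) {
  const salt = nodeCrypto.randomBytes(16);   // fresh random salt for every record
  const dk = nodeCrypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, DIGEST);
  return ['pbkdf2-' + DIGEST, iterations, salt.toString('hex'), dk.toString('hex')].join('$');
}

// Re-derives the key with the stored salt and iteration count, then compares
// in constant time. Malformed records are rejected rather than throwing.
function verifyPassword(password, record) {
  const parts = String(record).split('$');
  if (parts.length !== 4 || parts[0] !== 'pbkdf2-' + DIGEST) return false;
  const iterations = Number(parts[1]);
  if (!Number.isInteger(iterations) || iterations < 1) return false;
  const salt = Buffer.from(parts[2], 'hex');
  const expected = Buffer.from(parts[3], 'hex');
  if (expected.length !== KEY_LEN) return false;
  const actual = nodeCrypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, DIGEST);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// True when a record was created with fewer iterations than the current
// setting, so it can be re-hashed at the user's next successful login.
function needsRehash(record) {
  return Number(String(record).split('$')[1]) < ITERATIONS;
}

// Milliseconds spent on one guess: a single SHA-256 vs PBKDF2 at ITERATIONS.
// The gap is the extra work every offline guess has to pay.
function costPerGuess(password) {
  const salt = nodeCrypto.randomBytes(16);
  let t = process.hrtime.bigint();
  nodeCrypto.createHash('sha256').update(password).digest();
  const sha256Ms = Number(process.hrtime.bigint() - t) / 1e6;
  t = process.hrtime.bigint();
  nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, DIGEST);
  const pbkdf2Ms = Number(process.hrtime.bigint() - t) / 1e6;
  return { sha256Ms, pbkdf2Ms };
}
```

Storing the iteration count inside each record is what lets the setting be raised later without invalidating existing accounts.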

Post » Thu Mar 07, 2013 12:11 pm

@index Sounds like I have everything covered except the experimental stuff you mentioned. I even covered the cracker attacks. There can only be 5 failed login attempts per 2 hour period before it locks you out of the system (24 hour period or email request required to unlock). The password is SHA'd twice, each with a lengthy salt, client side before going to the server. The server then SHAs it 3 times, each with a random string. The first thing I did was get an SSL cert. :) Successful login sends a session variable made up of user information like IP, browser... When these things change the session becomes invalid to avoid session jacking.
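
The lockout rule from the post above (5 failures in a 2-hour window, then a 24-hour lock or an e-mail unlock), as an added example that is not the poster's code. The thresholds come from the post; the in-memory `Map`, the function names and the injected `now` timestamp are assumptions for illustration.

```javascript
// Added example: per-account failed-login throttling.
const MAX_FAILURES = 5;
const WINDOW_MS = 2 * 60 * 60 * 1000;     // 2-hour counting window
const LOCK_MS = 24 * 60 * 60 * 1000;      // 24-hour lock

// account -> { failures: [timestamps], lockedUntil }; a real server would persist this.
const attempts = new Map();

function stateFor(account) {
  if (!attempts.has(account)) attempts.set(account, { failures: [], lockedUntil: 0 });
  return attempts.get(account);
}

function isLocked(account, now = Date.now()) {
  return stateFor(account).lockedUntil > now;
}

// Records one failed login; returns true if the account is now locked.
function recordFailure(account, now = Date.now()) {
  const s = stateFor(account);
  if (s.lockedUntil > now) return true;
  // Only failures inside the sliding window count toward the limit.
  s.failures = s.failures.filter((t) => now - t < WINDOW_MS);
  s.failures.push(now);
  if (s.failures.length >= MAX_FAILURES) {
    s.lockedUntil = now + LOCK_MS;
    s.failures = [];
  }
  return s.lockedUntil > now;
}

// Called on successful login or after the e-mail unlock request is confirmed.
function reset(account) {
  attempts.delete(account);
}

// The lock is checked before the password result is used, so a locked
// account is refused even when the correct password is supplied.
function attemptLogin(account, passwordOk, now = Date.now()) {
  if (isLocked(account, now)) return 'locked';
  if (passwordOk) { reset(account); return 'ok'; }
  return recordFailure(account, now) ? 'locked' : 'failed';
}
```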

Post » Thu Mar 07, 2013 4:57 pm

@lanceal Two hours seems a bit much but alright. Also, remember to escape the variables before they go into the database. It's also a good idea to configure firewall settings to avoid user access to ports outside of the ones they are supposed to access.

Good Luck!

Post » Thu Mar 07, 2013 8:19 pm

@index I'll ask the server company if they allow access to that on my end (firewall). But with the escaping, I use mysqli prepared statements and I was told by someone that those are escaped already and do not have access to the actual MySQL string. Did you hear different somewhere about mysqli prepared statements or were you speaking in regards to MySQL statements?

Post » Thu Mar 07, 2013 8:30 pm

@lanceal MySQL statements.

Post » Thu Mar 07, 2013 9:03 pm

@lanceal @Index Hum guys, I don't want to appear as a party crasher, but wouldn't you mind taking this discussion in another topic or via PM (even though a new topic would be nice for other users I guess).

It's been far out of the scope of the plugin I guess ^^
Post a link to the next topic in case other users search for the same kind of operation you're talking about (even though it's mostly server side programming which is generally admitted as out of the scope of C2's forums too)

Thanks ^^
(I keep getting warnings each time you post a new message, it's getting a bit annoying there ^^)

Post » Thu Mar 07, 2013 10:48 pm

Lol sorry @Kyatric. Had a brain fart moment apparently.
