Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming Encryption using MD5 Vs sha1, A warning for commerce sites.
Encryption using MD5 Vs sha1, A warning for commerce sites.
  • El Forum
    Guest
  •  
#1
01-29-2009, 06:23 PM

[eluser]TWP Marketing[/eluser]
I've been using Goldmoney for about a decade and have avoided use of the MD5 algorythm based on this notice from 2004 on the Goldmoney site:

"A Note About Hashes (21 Sep 2004)
Recent announcements have been made that indicate the use of the MD5 hash to confirm message integrity may no longer be reliable. The GoldMoney merchant interfaces make use of MD5 and SHA-1 hashes, and given these recent announcements we recommend to all merchants that they update their systems to make use of SHA-1 exclusively."

There is link to the original notice about MD5 here: http://cryptography.com/cnews/hash.html

I've made an attempt to remove all MD5 usage from my copy of CI, I hope I found everything as the usage is scattered fairly widely. I suggest that it would be a good addiontion to CI if the encryption methods were consolidated into a single library?
  • El Forum
    Guest
  •  
#2
01-29-2009, 06:33 PM

[eluser]The Wizard[/eluser]
i think you got to take it to seriously.

md5 is pretty secure, yes, collisions can be made with md5 BUT its not like
there is a practical solution to just, magically reverse some md5 encoded strings.
YES there are rainbow tables, but with propper hash you should be fine.

BESIDES, use sha1 and your fine.
Why such a kernel panic like this?
  • El Forum
    Guest
  •  
#3
01-30-2009, 12:20 PM

[eluser]TWP Marketing[/eluser]
Herr Kaleun,
Panic might be an overstatement, but I do design and operate commercial sites using my Goldmoney account (and obviously the accounts of my clients) and I do take seriously the possibility of MD5 being compromised. I posted as a caviat to other designers and operators of commerce sites. Where money is concerned, especially on the internet, I believe you cannot be too cautious...
  • El Forum
    Guest
  •  
#4
01-31-2009, 03:08 PM

[eluser]The Wizard[/eluser]
http://www.heise.de/security/Konsequenze...kel/121148

it's actually in german but, describes the whole scenario and all the hype about it,
so its basically nothing (YET) Smile
  • El Forum
    Guest
  •  
#5
01-31-2009, 03:18 PM

[eluser]Tom Schlick[/eluser]
all i have to add is always use SALTS!!! SALTS SALTS SALTS SALTS SALTS. i always use two. one that is specific to the user (stored in the database and is only used for that one user) and one that is hardcoded into the software that is the same for everyone. both placed around the password makes the password impossible to crack using rainbow tables and would take years to try to brute force.
  • El Forum
    Guest
  •  
#6
01-31-2009, 03:19 PM

[eluser]The Wizard[/eluser]
yeah, thats pretty safe.
  • El Forum
    Guest
  •  
#7
01-31-2009, 03:29 PM

[eluser]yogal[/eluser]
You could also use one of the SHA-2 family algorithms like Sha256/sha512 for storing passwords etc. As far as I know they are supported on most php implemementations and should work out of the box. Ofc, as trs21219 said, salts are important.
The only limit might be using this with SSL - bacause I've read somewhere thats its difficult to introduce new hashes to SSL.

Regards,
yogal
  • El Forum
    Guest
  •  
#8
01-31-2009, 04:38 PM

[eluser]Colin Williams[/eluser]
Between design, IA, usability, html, css, javascript, PHP, MySQL, et. al., I have little time to focus on the latest security issues. So I appreciate the heads up! Maybe it's worthwhile for the CI team to at least consider it.




Theme © iAndrew 2016 - Forum software by © MyBB