[Plugin]CB Hash (MD5, SHA-1 and SHA-256)

Thanks Kyatric. Could someone explain what could be the best use of this plugin? cheers

megatronx

I use it for passwords. A simple example would be~

User inputs their password -> It is hashed to something unknown -> Unknown string is sent over SSL -> Server hashes it again and stores or checks it.

Note: I don't recommend using that exact setup. Also, never store sensitive data information on the clients computer or send it back to the client.

I use it to has a pw on the client side, send it to php, hash it again, save it. Then send an activation email to the user to confirm its indeed them. Over SSL. Index, is this a good way to go about doing it? The a mail use a random 1 time key not related to the pw for verification.

—

I'm not too educated in this matter but I spent several days trying to figure out a solution to something I learned. I wanted to make a tutorial at some point but I didn't want to mislead if there was something I missed. Therefore, feel free to look deeper into the things I mention- if you have concerns. I wont be sharing code at this moment. I also wont be writing those tutorial pages (yet anyway). I'm just going to give you way more than you asked for in one post. It will perhaps come in handy for you or anyone who searches this in the future- and so here we go.

I'll start off by saying this. If you're doing operations on the client-side a person who wants to attack knows exactly what you're doing. Never depend on the client-side. Never trust the client-side. It can be manipulated. So the best way is to always design away from a client dependency.

Now. I don't recommend sending passwords in plain text on the basis that it's the most frowned upon thing. A single encryption on the client-side should be fine. Do not mix encryption unnecessarily. It will weaken your encryption when you're not careful.

You're going to want to get an SSL Certificate. These can be moderately difficult to understand at first. I'd go way more in-depth but this post would be giant. You can get a cheap SSL for around $10 a year. RapidSSL, Comodo, TrustSSL(GeoTrust), DigiSign, Verisign. You'd primarily want one of these, and for this- preferably the cheapest.

It will latch onto ONE domain (example.com) and the immediate subdirectories (example.com/*). It will not latch onto, (*.example.com) or any of those subdirectories (*.example.com/*).

Wildcard SSL exists and covers the domain, subdomains and all subdirectories (*.exampledomain.com/*) but they're a lot more expensive ($100+). I don't think you'll need Wildcard or an EV SSL, so don't be too concerned with those.

SSL is great. It helps give an extra layer of confidence to your members. The most important part here is that it will encrypt information that transfers over the line. It will also help indicate if something seems tampered. Although this is a huge plus, it comes with some drawbacks. Things that come from non-SSL connections will sometimes get blocked by your browser. You can also encounter things such as Cross-Domain and Cross-Origin more frequently. However, it's all part of the development process and it feels good once it's done.

Note: exampledomain.com IS NOT secure. You have to use https:// and you can use exampledomain.com as the port is not what is important.

So, with all this you should be able to get the data from the client to the server. The important part now is storage. SHA and MD5 are very fast encryption methods. This sounds good on paper but is horrid against crackers.

There is a fancy way of offloading a particular cracking to a graphics card. SHA/MD5 being run through multiple machine's graphics cards can hit up to millions of attempts every second. A lunch break could become disastrous for many people.

Now, this would most likely only be the most determined of people out there. You'd have to paint a huge target on your back to piss them off. Maybe you could *shrugs*. There is a possible protection from this.

There is a method called PBKDF2 which will run a SHA512(or 256, not sure which) over and over to the extent that you specify. The more times the better. It connects something called a Unique SALT value to the password and re-rusn the encryption thousands, ten thousands and hundred thousands of times making it require more resources to hack.

Another newer method is called SCRYPT. This hasn't been tested too much so it's not openly recommended. However, this method takes an increased amount of resources. This would essentially mean it is very difficult to crack these values. This of course depends on the settings you specify.

You can find PHP libraries of PBKDF2 and SCRYPT. You can find NODEJS libraries that can help do this in Javascript alongside Socket.IO.

Now I told you it would be easy to understand. Well- at the core of it- it is. The true issue is that PBKDF2 and SCRYPT can skyrocket the CPU usage and RAM usage very easily depending on the settings you choose. Keeping them lower, you might be fine. However, if a lot of logins have to be processed at one time- things get very complicated.

I'd recommend trying them on low settings and going with that. I wont be sharing my code any time soon (as I'm still using and developing it) but this is some idea of security. It's tough. I just hope I could clear something up for you.

I wont go into details but also look into something called Cloudflare.

Note: Make sure to understand what they do with SSL because if you buy a certificate it wont work with their Free nor the $20 plan.

Index sounds like I have everything covered except the experimental stuff you mentioned. I even covered the cracker attacks. There can only be 5 failed login attempts per 2 hour period before it locks you out of the system(24 hour period or email request required to unlock) the password is shad twice each with a lengthy salt client side before going to the server. The server then shas it 3 times each with a random string. The first thing I did wax get a ssl cert. :) successful login sends a session variable made up of user information like ip, browser..... When these things change the session becomes invalid to avoid session jacking.

— Two hours seems a bit much but alright. Also, remember to escape the variables before they go into the database. It's also a good idea to configure firewall settings to avoid user access to ports outside of the ones they are supposed to access.

Good Luck!

Index ill ask the server company if they allow access to that on my end(firewall). But with the escaping, I use mysqli prepared statements and I was told by someone that those are escaped already and do not have access to the actual MySQL string. Did you hear different somewhere about mysqli prepared statements or were you speaking in regards to MySQL statements?

— MySQL statements.

— Index Hum guys, I don't want to appear has a party crasher, but wouldn't you mind taking this discussion in another topic or via PM (even though a new topic would be nice for other users I guess).

It's been far out of the scope of the plugin I guess ^^

Post a link to the next topic in case other users search for the same kind of operation you're talking about (even though it's mostly server side programming which is generally admitted as out of the scope of C2's forums too)

Thanks ^^

(I keep getting warnings each time you post a new message, it's getting a bit annoying there ^^)

Lol sorry KYATRIC. Had a brain fart moment apparently.

<3 Np. I think we were pretty much over anyway, haha.

Kyatric,

EDIT: The error pops up after the first cycle I found out. So it must be with the getlastresult string. I suppose I could just hash my passwords once but I like doing it twice for good measure before sending through ssl to the database for storage/comparison.

One of the last couple of updates seems to have broken this plugin which I desperately need for my app. Is there any way you can take a peek at what is wrong? Here is the error that pops up.

<img src="https://dl.dropboxusercontent.com/u/77974757/cbhash.PNG" border="0" />

And here is what I'm trying to do.

<img src="https://dl.dropboxusercontent.com/u/77974757/hash2.PNG" border="0" />

Any help would be greatly appreciated.

—: It looks like you're creating an endless loop in the last event.

Indeed, recent updates in C2 made it so the event call now allows for this "type of issue".

You're generating a hash, and it triggers the event that checks when hashes are generated. In loop.

To fix the issue, I just put the action "Set CB_Hash_Cycle to 1" first before generating the second hash.

Here is the capx I've reproduced.

I can't explain for sure what changed, this would be a question for Ashley, but apparently, I don't think it's related to the plugin (unless I handled badly the triggering part).

Not sure if that fixed it or not. I lost the error but now it's not showing the expected cycle two in the textbox. Would you mind just verifying that I setup your hashing plugin correctly?

Capx

I don't have the behavior/plugin "Textbox addon".