#471 open
Edgar Valarezo

Security::cipher function cannot decrypt

Reported by Edgar Valarezo | March 16th, 2010 @ 01:48 AM | in Future

Security::cipher() trust in a deprecated srand() and rand() behaviour: with the same seed, the same random numbers sequence.
This generate a unpredictable mask at the moment of encrypt, so is imposible the decryption. Some kind of explicit function is needed in replace of rand(), like this:

function mask($seed, $min = 0, $max = 255) {
    $delta = $max - $min;

    $r = 123;
    $seed .= $r . "PaqH";

    for ($i = 0; $i < strlen($seed); $i++) {
        $r += ceil(ord($seed[$i]) * $delta / 255);
        while ($r > $delta) {
            $r = $r % ord($seed[$i]); 
        }
    }
    return $r;
}

Comments and changes to this ticket

  • Edgar Valarezo

    Edgar Valarezo March 16th, 2010 @ 02:05 AM

    Maybe is the Suhosin patch:

    $ php -v

    PHP 5.2.10-2ubuntu6.4 with Suhosin-Patch 0.9.7 (cli) (built: Jan 6 2010 22:41:56)

  • Mark Story

    Mark Story March 16th, 2010 @ 11:12 AM

    • → Milestone set to 1.2.6
    • → State changed from “new” to “wont-fix”

    suhosin will do it. And rand() is not deprecated.

  • Edgar Valarezo

    Edgar Valarezo March 16th, 2010 @ 04:48 PM

    You are right, I was wrong, thanks. Nevertheless Security::cipher use srand and rand functions in a wrong way, like a hashing method. This misconception could cause "random" issues like this with Suhosin, so a better solution could be something like this one:

    function cipher($text, $key = '') {

    $key .= Configure::read('Security.cipherSeed');

$out = '';
$textLength = strlen($text);
$keyLength = strlen($key);
$k = 0;

for ($i = 0; $i < $textLength; $i++) {
    $seed = md5($key . $key[($k++) % $keyLength]);
    $mask = hexdec($seed[6] . $seed[9]); // :)
    $out .= chr(ord($text[$i]) ^ $mask);
}

return $out;

    }

  • dr. Hannibal Lecter

    dr. Hannibal Lecter August 29th, 2010 @ 11:32 AM

    I can confirm that the testCipher() test fails on a Suhosin-enabled server - live test link. If you refresh the page it is obvious that the result is completely random.

    This is an unmodified setup of latest Cake 1.2 from Github + Simpletest.

    It seems to fail because of the line 189, as Edgar suggested. When I change the line to "$mask = hexdec($seed[6] . $seed[9]);" it seems to be working.

  • Mark Story

    Mark Story August 29th, 2010 @ 11:56 AM

    • → Milestone changed from 1.2.6 to 2.0.0
    • → State changed from “wont-fix” to “open”

    I could see switching the ciphering approach between versions. Doing it as a bugfix could break cipher encoded text for installs that do not have issues with suhosin. Having things break when updating to a bugfix release is something I'd like to avoid. However, we can revisit the cipher method in 2.0 as there will be many API changes then.

  • Phally

    Phally August 31st, 2010 @ 01:16 PM

    Suhosin ignores srand() (and mt_srand()) by default. Turn this off and Security::cipher() works fine again. If I recall correctly it is the 'ignore.srand' setting.

  • michaelc

    michaelc September 1st, 2010 @ 03:43 PM

    Refs #176.

  • Mark Story

    Mark Story September 29th, 2011 @ 09:48 PM

    • → Milestone changed from 2.0.0 to Future

    Moving out, this one didn't make it into 2.0

  • euromark

    euromark February 2nd, 2012 @ 05:40 PM

    after having some trouble with encrypted cookies myself and reading http://milesj.me/blog/read/security-cipher-suhosin
    I find it a pretty good idea for cakephp to provide a clean approach in Security/Cookie components that will also work with Suhosin patch installed (as almost every php setup has).
    it might not always be possible or desired to modify the php.ini for this to work.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Source available from github

Repository is at http://github.com/cakephp/cakephp

Creating a bug report

When creating a bug report, please include as much relevant information as possible. Please include code to reproduce the issue. Or even better, make a unit test. Either change an existing test or add a new test to show that the expected behavior is not occuring.

People watching this ticket

Tags

Referenced by