Written on 21 September 2014, 04:10pm
Tagged with: authentication, CakePHP, php, security
Don’t hash secrets, HMAC them!
This is an old but incredibly useful article written by Ben Adida, currently director of engineering at Square, previously working at Mozilla.
The idea is that simply hashing + salting the secrets is not enough. You need to HMAC them (Hash-function Message Authentication Code). HMAC always uses a hashing function (like MD5, SHA1, etc), but this hashing function is not used to hash the secret alone.
If you know SHA1(secret || message), then you can compute SHA1(secret || message || ANYTHING)
You don’t need to know exactly how HMAC works, just like you don’t need to know exactly how SHA1 works. Under the hood, what’s approximately going on is two hashes, one after the other, with the secret combined after the first hash.
– Don’t hash secrets, HMAC them!
PHP has the hash_hmac function starting with the version 5.1.2. Interesting enough, CakePHP’s default authentication mechanism only uses hashing+salt, not HMAC. And MediaWiki uses something closer to HMAC.
But there’s a catch. If the secret is longer than the block size of the hash function, then HMAC will use the hash of the secret. See here and here (screenshots below)
And this leads to the following problem:
Mathias Bynens elaborates this:
SHA-1 has a block size of 512 bits, which equals 64 bytes.
So in this case, if the supplied key takes up more than 64 bytes, then SHA1(key) is used as the key. More generally, for any chosen_password larger than 64 bytes, the following holds true (pseudo-code):
PBKDF2_HMAC_SHA1(chosen_password) == PBKDF2_HMAC_SHA1(HEX_TO_STRING(SHA1(chosen_password))
PBKDF2+HMAC hash collisions explained
Takeaway? Don’t hash secrets, HMAC them. But make sure that the length of the secret is not larger than the block size of the hashing algorithm.
On the same line, maybe using passwords longer than 64 bytes is not such a good idea… 🙂