2011-10-31, 12:05 PM
OK, I'm in the middle of a new plugin (well, it's not technically a plugin, as it doesn't use the plugin system at all).
Basically, it adds an extra level of encryption to the passwords in the database. One that to my knowledge makes bruteforcing exceptionally difficult and long, even with a small password.
How does it work?
Normally, MyBB does this:
md5(md5($password.$salt).$salt);
This in English is "encrypt the password with a salt appended, then append the salt to that hash. Finally, encrypt it again".
This is a reasonably good encryption method apart from one major problem. Bruteforcing is simple, as the salt and hash are both stored in the database.
password + salt -> MYBB ENCRYPTION -> hash
This is a simple problem, in maths it would be (approximately):
f(a+b)=>y
Now if you know y, as well as b (the salt) AND f() (the function) you can quite easily find the password through bruteforcing.
How does this plugin/mod help?
Essentially we encrypt again. However, we do not use MD5(), as this is a one-way algorithm. We use a reversible algorithm. Think of it as a secret message, where you can only read it if you have the password.
The algorithm we are using is called TripleDES, an algorithm used in the banking industry. The encryption key is stored as a protected variable inside of a file separate from the MyBB global system. This means the variable is ONLY accessible from the functions in that file.
We are increasing the complexity not only by adding the TripleDES algorithm, but also by adding in a random variable. This random variable is a 6 character random string, that is not known to anybody, not even MyBB, or the enhanced encryption algorithm.
When a user account is created, MyBB hashes the password in the normal way. A random 6 character string is appended, then the whole thing is encrypted and added to the database. When it comes to checking the password when the user logs in, the encrypted hash is taken from the database, decrypted and the last 6 characters are removed. The user-inputted password is then hashed by MyBB and compared to our trimmed, unencrypted hash.
Putting this in a mathematical way:
f(g(p + s) + r) = y
In this case you know the final hash (y), the salt (s), as well as f() and g() (the TripleDES function and MyBB hash function respectively). However, there are too many unknowns: the password (p) and the random salt (r). There is also the fact that they do not know the encryption key for the TripleDES algorithm!
So how could it be hacked?
Well, the hacker needs the encryption key to start with, or he is going to have to bruteforce 112 bits of security! So, normally the encryption key would be found by using a known password and salt, producing a known MyBB hash. Then you could determine the encryption key.
MyBB Hash -> ENCRYPTION KEY -> Final hash
However, we have made this impossible, as the hacker will NEVER know the MyBB hash, because it has a 6 character random string appended!
So, basically they have to bruteforce:
- The password
- The encryption key
- The random salt
Which would make brute forcing infeasible, even with a server farm of GPUs.
Mod Progress:
- Login Process = done
- Change password = done
- Registration = done
- Installer = incomplete
- Uninstaller = incomplete
- Converter = incomplete
Planned features:
- A desktop application, used to convert entire unencrypted databases to their encrypted form, and back.
- A MyBB merge module
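The registration and login flow described in the post, written out as an added PHP example; it is not the mod's own code. The function names, CBC mode with a random IV, base64 storage, the hex alphabet for the 6-character suffix, and the sample key, salt and passwords are assumptions made for illustration.

```php
<?php
// Added illustration of the flow described in the post; not the mod's own code.
// Assumptions: function names, CBC mode with a random IV, base64 storage,
// a hex alphabet for the 6-character suffix, and the constructed sample values.
const SUFFIX_LEN = 6;
const IV_LEN = 8; // 3DES block size in bytes

function mybb_hash(string $password, string $salt): string {
    return md5(md5($password . $salt) . $salt); // formula as quoted in the post
}

function wrap_hash(string $hash, string $key): string {
    $r = bin2hex(random_bytes(intdiv(SUFFIX_LEN, 2))); // random suffix, never stored on its own
    $iv = random_bytes(IV_LEN);
    $ct = openssl_encrypt($hash . $r, 'des-ede3-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('3DES encryption failed');
    }
    return base64_encode($iv . $ct);
}

function unwrap_hash(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= IV_LEN) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, IV_LEN), 'des-ede3-cbc', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, IV_LEN));
    // openssl_decrypt returns false on a padding failure, the usual result of a wrong key.
    if ($pt === false || strlen($pt) !== 32 + SUFFIX_LEN) {
        return null;
    }
    return substr($pt, 0, -SUFFIX_LEN); // drop r; it is not needed for the comparison
}

function verify_login(string $password, string $salt, string $stored, string $key): bool {
    $expected = unwrap_hash($stored, $key);
    return $expected !== null && hash_equals($expected, mybb_hash($password, $salt));
}

$key = random_bytes(24);  // constructed 3-key 3DES key
$salt = 'aB3dE9xZ';       // constructed MyBB-style salt
$hash = mybb_hash('correct horse', $salt);
$stored = wrap_hash($hash, $key);
var_dump($stored !== wrap_hash($hash, $key));                   // same hash wrapped twice
var_dump(verify_login('correct horse', $salt, $stored, $key));  // right password, right key
var_dump(verify_login('wrong guess', $salt, $stored, $key));    // wrong password
var_dump(verify_login('correct horse', $salt, $stored, random_bytes(24))); // wrong key
```

Beyond the database row, the only input `verify_login` needs is `$key`, so how well the key file is protected decides how much the extra layer adds.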