fCryptography question / Suggestions Anyone?

fCryptography question

I'm new to Flourish but so far have found it to be amazingly well written with great documentation. There was a question/concern that I had once I read up on the fCryptography system.

From the documentation, and confirmed by testing, the result of a call to:

fCryptography::hashPassword($password)

produces what is referred to in the in-code documentation as an 80 character Flourish fingerprint that looks something like:

fCryptography::password_hash#[salt]#[hash]

I've read the docs and agree with your use of a non-trivial sha1 hash and mangle routine. The only issue I see is that if there ever were to be a vulnerability discovered against the hashing algorithm employed by Flourish, potential crackers could use the first part of the fingerprint to determine that Flourish was used and then know that they could apply a certain attack vector.

Of course this is all theoretical, no vulnerability has been discovered, and the methodology Flourish uses seems sound to me (I have for my job implemented several security and log on systems in similar fashions). I'm more just curious as to the design decision to include this in the fingerprint.

Thank you for your time, and cheers to a great unframework.

Matt

  • Message #348

    A few people have asked this question of me, and there are two reasons. The initial reason is to make it possible to figure out what is going on with code you may not be familiar with. Rather than having some random hash and having to reverse engineer it when you need to use some other programming language with Flourish, you can google any of those fingerprints and get a description of what is happening.

    Secondly, by adding a fingerprint, it allows me to version the algorithms and release more fixed versions if any vulnerabilities are found. Thus if you upgraded to the latest version of Flourish, perhaps I changed the hash algorithm to use bcrypt if available. I could add a new fingerprint for bcrypt hashes and the code would be able to use the appropriate algorithm for verifying the password. Linux and BSD systems do this with the built-in crypt functionality. The hashes start with $1$, $2$ or $3$ based on what algorithm is used.

    The last point I would make is that security through obscurity isn't security at all. Just because it is a little bit of a challenge to figure out what hashing algorithm is used doesn't mean your hashes are any more secure.

    Thanks for the question!

    • Message #349

      That seems reasonable to me, thanks for the quick response.

      I understand your point on security through obscurity not being security at all; I didn't intend to imply that security through obscurity would be a good practice.

      Thanks again, I will continue using Flourish with my latest project, so far so good.

      Matt
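
The versioning argument in Message #348, sketched as an added example that is not part of the thread and not Flourish's own code: the stored prefix selects the verifier, and a record in the older scheme is re-hashed with bcrypt after a successful login. `BCRYPT_PREFIX` and `legacy_digest()` are hypothetical stand-ins; only the `fCryptography::password_hash#[salt]#[hash]` layout comes from the thread.

```php
<?php
const LEGACY_PREFIX = 'fCryptography::password_hash'; // layout quoted in the thread
const BCRYPT_PREFIX = 'example::bcrypt';              // hypothetical newer fingerprint

// Stand-in for the older salted SHA-1 scheme (assumed construction, not Flourish's routine).
function legacy_digest(string $salt, string $password): string
{
    $digest = sha1($salt . $password);
    for ($i = 0; $i < 1000; $i++) {
        $digest = sha1($digest . $salt . $password);
    }
    return $digest;
}

function make_legacy(string $password): string
{
    $salt = bin2hex(random_bytes(5));
    return LEGACY_PREFIX . '#' . $salt . '#' . legacy_digest($salt, $password);
}

function make_current(string $password): string
{
    return BCRYPT_PREFIX . '#' . password_hash($password, PASSWORD_BCRYPT);
}

// Returns [bool $ok, ?string $upgraded]; $upgraded is a replacement record to store, if any.
function verify_versioned(string $password, string $stored): array
{
    [$prefix, $rest] = array_pad(explode('#', $stored, 2), 2, '');
    switch ($prefix) {
        case LEGACY_PREFIX:
            [$salt, $hash] = array_pad(explode('#', $rest, 2), 2, '');
            $ok = hash_equals($hash, legacy_digest($salt, $password));
            return [$ok, $ok ? make_current($password) : null];
        case BCRYPT_PREFIX:
            $ok = password_verify($password, $rest);
            $stale = $ok && password_needs_rehash($rest, PASSWORD_BCRYPT);
            return [$ok, $stale ? make_current($password) : null];
        default:
            return [false, null]; // unknown fingerprint: fail closed
    }
}

// Constructed sample: a legacy record verifies and yields a bcrypt replacement.
$old = make_legacy('correct horse');
[$ok, $new] = verify_versioned('correct horse', $old);
var_dump($ok, strpos($new, BCRYPT_PREFIX) === 0, verify_versioned('wrong', $old)[0]);
```

The caller writes `$upgraded` back to the user record when it is not null, so old-scheme hashes drain out of the database as users log in.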