[RC] Enhanced Password Encryption v1.2.1 (With dynamic keys)

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment!
visionviper
Registered User
Posts: 31
Joined: Wed Sep 21, 2011 7:45 pm

[RC] Enhanced Password Encryption v1.2.1 (With dynamic keys)

Post by visionviper » Fri Oct 07, 2011 5:32 pm

Modification Name: Enhanced Password Encryption
Author: visionviper

Current status: Submitted to the MOD DB for validation.

Description: This modification changes phpBB to use encryption instead of hashing for passwords. This mod utilizes mcrypt, which supports the most powerful encryption types available. For more information on customizing the encryption for your forum check out the FAQ.

This mod can be installed to a live environment. When a user successfully logs in for the first time after the mod is installed their password will be re-encrypted.

Current Version: v1.2.1

Requirements: Your PHP configuration must support mcrypt as well as whichever encryption scheme you wish to use.

Features:
  • Support enhanced password encryption
  • Customizable: ability to change encryption type and other things all from one config file
  • Can be installed to live boards seamlessly
Download:
http://hootworld.net/Enhanced%20Passwor ... yption.zip (v1.2.1 download, 39KB)
http://www.phpbb.com/customise/db/mod/e ... ncryption/ (general information)

What does dynamic keys mean for security?
Every encryption key used is unique to the password and user. This means that, in the event a hacker obtains the encrypted passwords, each and every user's password will need to be cracked individually. It also means that passwords that are the same won't show up as the same in the database (like salted hashes). The stronger a user's password, the longer this will take. Additionally, without access to the phpBB constants a hacker would have no idea what encryption scheme is being used.

Change log:
v1.2.1
  • Changed key extending to happen before the encode.
  • Added looped hashing.
v1.2.0
  • Encryption key is now dynamic and based off of the password and initialization vector. This means each password has its own encryption key.
v1.1.0
  • Fixed the SQL error in login_forum_box function.
  • Heavily modified the ModX install script.
  • SQL queries for install are now done with UMIL.
  • Forced re-login when attempting to change password from UCP before old password is converted to the new encryption.
  • Made some small changes to make compatible with 3.0.10.
v1.0.3
  • Fixed MOD X SQL queries.
v1.0.2
  • Simplified password re-encryption process after mod install. Users now only need to log in.
  • Implemented small code adjustments to meet PHPBB mod requirements.
  • Fixed installation file to cover various DBMS.
  • Fixed "account already activated" error with forgot password email activation link.
v1.0.1
  • Updated encryption_config.php as well as the encryption code to make changes to the encryption type easier.
v1.0
  • Initial submission to the MOD DB.

Please feel free to suggest features you might want included.
Last edited by visionviper on Tue Mar 13, 2012 3:28 pm, edited 34 times in total.

DoYouSpeakWak
Registered User
Posts: 2307
Joined: Fri Jul 25, 2008 1:32 pm
Location: Island of Wak-Wak
Name: Hans Lassen
Contact:

Re: [RC] Enhanced Password Encryption

Post by DoYouSpeakWak » Sat Oct 08, 2011 2:33 pm

This looks very interesting. One problem with this as I see it.

Pw will be encrypted in the database. But if the "hacker" or whoever it is has access to the db he can just read the posts and all the content. Encryption won't matter unless it's on all tables with potential private information.
Whatever you share comes back. Support the phpBB Communities
My Validated and Released Modifications
Offering paid phpBB help and System administrator services.

visionviper
Registered User
Posts: 31
Joined: Wed Sep 21, 2011 7:45 pm

Re: [RC] Enhanced Password Encryption

Post by visionviper » Sat Oct 08, 2011 3:04 pm

DoYouSpeakWak wrote:
This looks very interesting. One problem with this as I see it.

Pw will be encrypted in the database. But if the "hacker" or whoever it is has access to the db he can just read the posts and all the content. Encryption won't matter unless it's on all tables with potential private information.
Yes, but even now PHPBB doesn't use full table or full database encryption. This just kicks up the encryption PHPBB uses for passwords. US-CERT considers MD5 to be cryptographically broken and therefore unsuitable for use. This mod will allow those with support of better encryption to take advantage of it.

DoYouSpeakWak
Registered User
Posts: 2307
Joined: Fri Jul 25, 2008 1:32 pm
Location: Island of Wak-Wak
Name: Hans Lassen
Contact:

Re: [RC] Enhanced Password Encryption

Post by DoYouSpeakWak » Sat Oct 08, 2011 6:12 pm

I can't see the reason for kicking up the encryption as you state. This mod is only useful to protect the pw if the hacker has access to the db. If he has, a lot more would have to be encrypted before the board gets any safer.

visionviper
Registered User
Posts: 31
Joined: Wed Sep 21, 2011 7:45 pm

Re: [RC] Enhanced Password Encryption

Post by visionviper » Sat Oct 08, 2011 7:31 pm

DoYouSpeakWak wrote:
I can't see the reason for kicking up the encryption as you state. This mod is only useful to protect the pw if the hacker has access to the db. If he has, a lot more would have to be encrypted before the board gets any safer.
It's one thing for a hacker to get access to all forum posts and PMs. It's another for a hacker to get a hold of the password that (let's face it) most people use on more than one site. I think that's worse.

In the PHPBB code they mention that they are in a way forced to use MD5 because it's really the only one you could say is universally supported. I'm just giving people the option to use something different.

4_seven
I've Been Banned!
Posts: 5155
Joined: Wed Apr 30, 2008 1:41 am

Re: [RC] Enhanced Password Encryption

Post by 4_seven » Sat Oct 08, 2011 7:45 pm

Phpbb3 password encryption and mechanism is unhackable yet. MD5 is used in phpbb2. Phpbb3 uses a much more complex technique for that (mixed with salt etc.). Means: even if you have the user-password from its db-entry, it's worthless, because you can't reconstruct the "real password" from that. It's not possible.
Current Mods | Mod Base | php(BB) programming | No help via PM

visionviper
Registered User
Posts: 31
Joined: Wed Sep 21, 2011 7:45 pm

Re: [RC] Enhanced Password Encryption

Post by visionviper » Sat Oct 08, 2011 8:15 pm

4_seven wrote:
Phpbb3 password encryption and mechanism is unhackable yet. MD5 is used in phpbb2. Phpbb3 uses a much more complex technique for that (mixed with salt etc.). Means: even if you have the user-password from its db-entry, it's worthless, because you can't reconstruct the "real password" from that. It's not possible.

Salting is especially good at protecting against rainbow tables, but doesn't really help with the fact that MD5 is a terrible encryption technique when compared to AES, Twofish and other alternatives.

US-CERT wrote:
Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.
Are we protecting classified data? No. But people should have the option to use stronger encryption for passwords if they choose. I just wanted to make a mod for PHPBB to give people that option :)

4_seven
I've Been Banned!
Posts: 5155
Joined: Wed Apr 30, 2008 1:41 am

Re: [RC] Enhanced Password Encryption

Post by 4_seven » Sat Oct 08, 2011 8:31 pm

No matter, the base-intention is great, so good luck for fixing the admin-password-issue..

Paul
Infrastructure Team Leader
Posts: 25454
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: [RC] Enhanced Password Encryption

Post by Paul » Sat Oct 08, 2011 8:41 pm

You should remember that the functions phpBB uses are not pure MD5; if you read the phpass website, you will see it is more than just that ;).
Knock knock
Race condition
Who's there?

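The mechanism Paul and 4_seven are pointing at, reimplemented here as an added illustration (this is not code from phpBB, phpass or this MOD): phpBB3 stores passwords as phpass "portable" hashes, a random per-user salt plus thousands of chained MD5 rounds, so equal passwords already differ in the database and the stored value is not decryptable back to the password. The `$H$` prefix and the `9` count character (2^11 rounds) are phpBB3's defaults as the author of this example understands them.

```python
import hashlib
import hmac
import os

# Alphabet phpass/phpBB3 use for the count character, the salt and the
# base64-like digest encoding (it is not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass encode64: every 1-3 bytes become 2-4 chars, little-endian, 6 bits each."""
    out = []
    for i in range(0, count, 3):
        chunk = data[i:min(i + 3, count)]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Portable phpass hash as phpBB3 stores it: '$H$' (or phpass' '$P$'), one
    count character, 8-char salt, then MD5(salt+pw) re-hashed 2**count_log2 times."""
    if setting[:3] not in ("$H$", "$P$") or len(setting) < 12:
        return "*"  # phpass convention for an invalid setting string
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return "*"
    h = hashlib.md5(setting[4:12].encode() + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h, 16)


def phpbb_hash(password: bytes, count_log2: int = 11) -> str:
    """Create a new hash the way phpBB3 does: '$H$9' = 2**11 rounds, random salt."""
    setting = "$H$" + ITOA64[count_log2] + encode64(os.urandom(6), 6)
    return crypt_private(password, setting)


def phpbb_check_hash(password: bytes, stored: str) -> bool:
    """Verify against a stored 34-char phpBB3 hash (the salt is read from it)."""
    if len(stored) != 34:
        return False
    return hmac.compare_digest(crypt_private(password, stored), stored)
```

Two users with the same password get different 34-character strings because the salt is random, and checking a login means re-running the same salted, iterated MD5 rather than decrypting anything.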

visionviper
Registered User
Posts: 31
Joined: Wed Sep 21, 2011 7:45 pm

Re: [RC] Enhanced Password Encryption

Post by visionviper » Sat Oct 08, 2011 8:59 pm

4_seven wrote:
No matter, the base-intention is great, so good luck for fixing the admin-password-issue..

I thankfully fixed that! It was some weird cache/cookie/I don't know what issue.

Paul wrote:
You should remember that the functions phpBB uses are not pure MD5; if you read the phpass website, you will see it is more than just that ;).

Well I thought so, since I took a look at the phpass code and they support Blowfish and Extended DES, but just reading the code in functions.php it didn't really seem it was trying to take advantage of these things.

Paul
Infrastructure Team Leader
Posts: 25454
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: [RC] Enhanced Password Encryption

Post by Paul » Sat Oct 08, 2011 9:07 pm

phpBB has removed the functionality for a reason; if you read the comments in the code, it actually explains it :). It is basically because phpBB has set a certain minimum requirement, and the requirements for these encryptions didn't meet that. This can cause problems when a board is moved and that kind of thing.

visionviper
Registered User
Posts: 31
Joined: Wed Sep 21, 2011 7:45 pm

Re: [RC] Enhanced Password Encryption

Post by visionviper » Sat Oct 08, 2011 9:13 pm

Paul wrote:
phpBB has removed the functionality for a reason; if you read the comments in the code, it actually explains it :). It is basically because phpBB has set a certain minimum requirement, and the requirements for these encryptions didn't meet that. This can cause problems when a board is moved and that kind of thing.
I figured it had something to do with that, since you guys really have to support a wide range of things in a base PHPBB install and that is pretty much the exact reason I decided to make something more targeted.

Neuropass
Registered User
Posts: 1158
Joined: Fri Apr 17, 2009 2:02 pm
Location: SciTE4AutoIt3

Re: [RC] Enhanced Password Encryption

Post by Neuropass » Sun Oct 09, 2011 5:10 am

I don't understand all this debating about the mod. A simple thank-you for bringing something different and useful to phpBB is what's needed here.

visionviper
Registered User
Posts: 31
Joined: Wed Sep 21, 2011 7:45 pm

Re: [RC] Enhanced Password Encryption

Post by visionviper » Thu Oct 13, 2011 2:01 pm

Whoops. Didn't realize there would be no active download link on the MODDB page. I have added a link for the v1.0.1 install to the OP.

visionviper
Registered User
Posts: 31
Joined: Wed Sep 21, 2011 7:45 pm

Re: [RC] Enhanced Password Encryption v1.0.1

Post by visionviper » Sat Oct 15, 2011 3:55 am

If anyone has had an opportunity to use the mod I would love feedback on it.
