Bug #21491

closed

Use HMACs for authenticity and integrity checks

Added by Marcus Krause over 14 years ago. Updated about 13 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2009-11-07
% Done: 0%
TYPO3 Version: 4.3
PHP Version: 5.2

Description

In several places in TYPO3 Core, md5() function calls are used to prove authenticity and integrity of parameters in HTTP requests.
One example is the showpic eID. By creating an MD5 hash over the parameters and the secret encryption key, TYPO3 makes sure that no further parameter has been injected and existing ones haven't been modified.

However, MD5 hashing itself proves to have a bunch of weaknesses. In the future, the TYPO3 way of doing integrity checks might become vulnerable. I hereby suggest keeping up with developments in the security industry.

Using HMAC [1] is a valid method to prove integrity and authenticity of data. With PHP5, a dedicated function is available. HMAC itself uses known hashing methods; nonetheless, creating HMACs is more than creating a hash.

This RFC is about extending t3lib_div by an hmac function. Using the newly introduced method throughout the Core will be taken care of by an additional RFC.

Advantages of HMACs in TYPO3:
  • having a dedicated method for integrity and authenticity checks on data
  • raising the awareness of HMACs and thus making them easily usable by creating a t3lib_div method
  • using one API method enables us to easily switch to a different hashing algorithm in the future

Note:
Thanks to Sebastian Kurfürst, HMACs are already used in FLOW3 and Extbase.

[1] http://en.wikipedia.org/wiki/HMAC

(issue imported from #M12502)

Files

12502.diff (1.83 KB), Administrator Admin, 2009-11-07 11:44
12502_v1.diff (2.81 KB), Administrator Admin, 2010-04-16 18:54
12502_v2.diff (3.01 KB), Administrator Admin, 2010-04-16 22:29

Related issues (1: 0 open, 1 closed)

Related to TYPO3 Core - Bug #21465: OpenID library should use PHP functions to compute HMAC-SHA1 (Closed, 2009-11-05)

#1

Updated by Marcus Krause about 14 years ago

I've added a new version (v1) of this RFC. This removes the dependency of ext/hash by adding a fallback hmac generation.
Also the length argument has been dropped. The resulting HMAC length is mentioned in PHPdoc.
I switched to HMAC-SHA-1 (instead of md5) because sha1 is already in use for extbase and openid.

Nonetheless, I added ext/hash to the recommended PHP extensions as using ext/hash will certainly have a speed advantage.
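An added example, not the attached 12502 patch or TYPO3's own t3lib_div code: an HMAC-SHA1 helper with the pure-PHP fallback for systems without ext/hash that #1 describes, used to sign and verify a showpic-style parameter set as the description outlines. The function names, the sample parameters and the secret are constructed for this example; the RFC 2202 test vector is a published one.

```php
<?php
// Added example in the spirit of the proposed t3lib_div method (names hypothetical, not the
// attached patch): HMAC-SHA1 via ext/hash when present, else the RFC 2104 construction.
function hmacSha1Fallback($data, $key) {
    $blockSize = 64;                              // SHA-1 block size in bytes
    if (strlen($key) > $blockSize) {
        $key = sha1($key, true);                  // long keys are hashed first (raw bytes)
    }
    $key = str_pad($key, $blockSize, "\0");       // then zero-padded to one block
    $ipad = str_repeat(chr(0x36), $blockSize);
    $opad = str_repeat(chr(0x5c), $blockSize);
    $inner = sha1(($key ^ $ipad) . $data, true);  // H((K xor ipad) || data), raw
    return sha1(($key ^ $opad) . $inner);         // H((K xor opad) || inner), 40 hex chars
}
function hmacSha1($data, $key) {
    return function_exists('hash_hmac') ? hash_hmac('sha1', $data, $key) : hmacSha1Fallback($data, $key);
}
// Byte-wise comparison that does not stop at the first mismatch (hash_equals() is PHP 5.6+).
function constantTimeEquals($a, $b) {
    if (strlen($a) !== strlen($b)) { return false; }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) { $diff |= ord($a[$i]) ^ ord($b[$i]); }
    return $diff === 0;
}
// Sign an eID-style parameter set; ksort() makes the order canonical, so reordering can
// neither break a valid check nor hide an injected or modified parameter.
function signParameters(array $params, $secret) {
    ksort($params);
    $params['hmac'] = hmacSha1(http_build_query($params), $secret);
    return $params;
}
function verifyParameters(array $params, $secret) {
    if (!isset($params['hmac'])) { return false; }
    $given = $params['hmac'];
    unset($params['hmac']);
    ksort($params);
    return constantTimeEquals(hmacSha1(http_build_query($params), $secret), $given);
}
// Self-check: RFC 2202 test case 2 pins both code paths to a known vector; then a constructed
// showpic-like request, with $secret standing in for TYPO3's encryption key.
$vector = 'effcdf6ae5eb2fa2d27416d5f184df9c259a7c79';
assert(hmacSha1Fallback('what do ya want for nothing?', 'Jefe') === $vector);
assert(hmacSha1('what do ya want for nothing?', 'Jefe') === $vector);
$secret = 'constructed-example-key';
$signed = signParameters(array('file' => 'uploads/pics/a.jpg', 'width' => '200'), $secret);
assert(verifyParameters($signed, $secret) === true);
$tampered = $signed; $tampered['width'] = '2000';                 // modified value
assert(verifyParameters($tampered, $secret) === false);
$injected = $signed; $injected['height'] = '1';                   // extra parameter
assert(verifyParameters($injected, $secret) === false);
```

Forcing the fallback path (for instance by temporarily renaming hmacSha1Fallback into hmacSha1) against the same vector is the quickest way to confirm the pure-PHP code matches ext/hash before relying on it.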

#2

Updated by Marcus Krause about 14 years ago

v2 removes two unnecessary function calls in fallback hmac generation code

#3

Updated by Benni Mack almost 14 years ago

committed v2 to trunk (rev. 7474).

#4

Updated by Susanne Moog about 13 years ago

  • Target version deleted (4.4.0)