MD5 in pg and php

MD5 in pg and php

am 29.04.2004 09:07:16 von Joolz

Hi, I'm completely new to hashing, so please bear with me.

I want to store passwords in a pg db, MD5 seems like a good way to
enhance security (no more plaintext passwords over the line etc.) I
had a look at MD5, in PHP 4.3.4 there is a function md5() which seems
to work nicely:

echo md5('apple');

returns ae6d32585ecc4d33cb8cd68a047d8434 every time. Apart from the
PHP frontend, I also want to be able to use the same algorithm in
native pg. I found that postgresql-contrib-7.3.4 has a function
crypt() which I expected to work the same. However:

select crypt('apple', gen_salt('md5'));

gives values different from the PHP md5() function, and moreover,
they're different each time. Can anyone please tell me what I should
do to get the same result in native pg as in PHP?

Thanks!

--
08:59-09:07
Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2188.nptl

---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match

Re: MD5 in pg and php

am 29.04.2004 10:15:30 von Joolz

> [Marek Lewczuk schreef op 29-04-2004 09:31 +0100]
>
> Joolz wrote:
> >Hi, I'm completely new to hashing, so please bear with me.
> >
> >I want to store passwords in a pg db, MD5 seems like a good way to
> >enhance security (no more plaintext passwords over the line etc.) I
> >had a look at MD5, in PHP 4.3.4 there is a function md5() which seems
> >to work nicely:
> >
> > echo md5('apple');
> >
> >returns ae6d32585ecc4d33cb8cd68a047d8434 every time. Apart from the
> >PHP frontend, I also want to be able to use the same algorithm in
> >native pg. I found that postgresql-contrib-7.3.4 has a function
> >crypt() which I expected to work the same. However:
> >
> > select crypt('apple', gen_salt('md5'));
> >
> >gives values different from the PHP md5() function, and moreover,
> >they're different each time. Can anyone please tell me what I should
> >do to get the same result in native pg as in PHP?
> >
> >Thanks!
> >
>
> I whould suggest to update PG to version 7.4, where there is built-in
> MD5 function.

Thanks, I already found some fc1 rpm's (still in development). But can
anyone tell me if the 7.4 internal md5() function will do the same as
the PHP md5() function? Or do a quick select md5('apple') and let me
know if the result is 'ae6d32585ecc4d33cb8cd68a047d8434'?

I really wouldn't like to upgrade from my current stable situation,
only to find out that it didn't solve my original problem.

TIA!

--
10:14-10:15
Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2188.nptl

---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings

Re: MD5 in pg and php

am 29.04.2004 10:30:33 von Christopher Kings-Lynne

> Thanks, I already found some fc1 rpm's (still in development). But can
> anyone tell me if the 7.4 internal md5() function will do the same as
> the PHP md5() function? Or do a quick select md5('apple') and let me
> know if the result is 'ae6d32585ecc4d33cb8cd68a047d8434'?
>
> I really wouldn't like to upgrade from my current stable situation,
> only to find out that it didn't solve my original problem.

Postgres 7.4:

usa=> select md5('apple');
md5
----------------------------------
1f3870be274f6c49b3e31a0c6728957f
(1 row)


And my PHP:

bash-2.05a$ php -q

1f3870be274f6c49b3e31a0c6728957f

So mine are the same, but yours is completely different to anything.

Chris


---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://archives.postgresql.org

Re: MD5 in pg and php

am 29.04.2004 10:31:14 von Marek Lewczuk

Joolz wrote:
> Hi, I'm completely new to hashing, so please bear with me.
>
> I want to store passwords in a pg db, MD5 seems like a good way to
> enhance security (no more plaintext passwords over the line etc.) I
> had a look at MD5, in PHP 4.3.4 there is a function md5() which seems
> to work nicely:
>
> echo md5('apple');
>
> returns ae6d32585ecc4d33cb8cd68a047d8434 every time. Apart from the
> PHP frontend, I also want to be able to use the same algorithm in
> native pg. I found that postgresql-contrib-7.3.4 has a function
> crypt() which I expected to work the same. However:
>
> select crypt('apple', gen_salt('md5'));
>
> gives values different from the PHP md5() function, and moreover,
> they're different each time. Can anyone please tell me what I should
> do to get the same result in native pg as in PHP?
>
> Thanks!
>

I whould suggest to update PG to version 7.4, where there is built-in
MD5 function.



---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)

Re: MD5 in pg and php

am 29.04.2004 10:49:32 von Stefan Sturm

Hello,

> I really wouldn't like to upgrade from my current stable situation,
> only to find out that it didn't solve my original problem.

I did a "select md5('apple');". PostgreSQL 7.4.2
For me, the result is: 1f3870be274f6c49b3e31a0c6728957f

In php I did a "echo md5('apple');". php 4.3.6
The result in php is also: 1f3870be274f6c49b3e31a0c6728957f

I don't now, how you get your answer...

Greetings,
Stefan Sturm




---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faqs/FAQ.html

Re: MD5 in pg and php

am 29.04.2004 10:50:40 von Nick Barr

Joolz wrote:

>>[Marek Lewczuk schreef op 29-04-2004 09:31 +0100]
>>
>>Joolz wrote:
>>
>>
>>>Hi, I'm completely new to hashing, so please bear with me.
>>>
>>>I want to store passwords in a pg db, MD5 seems like a good way to
>>>enhance security (no more plaintext passwords over the line etc.) I
>>>had a look at MD5, in PHP 4.3.4 there is a function md5() which seems
>>>to work nicely:
>>>
>>> echo md5('apple');
>>>
>>>returns ae6d32585ecc4d33cb8cd68a047d8434 every time. Apart from the
>>>PHP frontend, I also want to be able to use the same algorithm in
>>>native pg. I found that postgresql-contrib-7.3.4 has a function
>>>crypt() which I expected to work the same. However:
>>>
>>> select crypt('apple', gen_salt('md5'));
>>>
>>>gives values different from the PHP md5() function, and moreover,
>>>they're different each time. Can anyone please tell me what I should
>>>do to get the same result in native pg as in PHP?
>>>
>>>Thanks!
>>>
>>>
>>>
>>I whould suggest to update PG to version 7.4, where there is built-in
>>MD5 function.
>>
>>
>
>Thanks, I already found some fc1 rpm's (still in development). But can
>anyone tell me if the 7.4 internal md5() function will do the same as
>the PHP md5() function? Or do a quick select md5('apple') and let me
>know if the result is 'ae6d32585ecc4d33cb8cd68a047d8434'?
>
>I really wouldn't like to upgrade from my current stable situation,
>only to find out that it didn't solve my original problem.
>
>TIA!
>
>
>
OK, PHP

---------------------------------------------------

echo md5('apple');

?>
---------------------------------------------------

produces

---------------------------------------------------
1f3870be274f6c49b3e31a0c6728957f
---------------------------------------------------

and postgres:

---------------------------------------------------
im_perf=# select version();
version
------------------------------------------------------------ ---------------------------------------------
PostgreSQL 7.4.2 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.3.2
20031022 (Red Hat Linux 3.3.2-1)
(1 row)

im_perf=# select md5('apple');
md5
----------------------------------
1f3870be274f6c49b3e31a0c6728957f
(1 row)
---------------------------------------------------

I have no idea why these two results dont agree with yours, but at least
they agree with each other. It is probasbly different library versions.


Nick




---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org

Re: MD5 in pg and php

am 29.04.2004 10:54:09 von Joolz

> [Marek Lewczuk schreef op 29-04-2004 10:49 +0100]
>
> Joolz wrote:
> >>[Marek Lewczuk schreef op 29-04-2004 09:31 +0100]
> >>
> >Thanks, I already found some fc1 rpm's (still in development). But can
> >anyone tell me if the 7.4 internal md5() function will do the same as
> >the PHP md5() function? Or do a quick select md5('apple') and let me
> >know if the result is 'ae6d32585ecc4d33cb8cd68a047d8434'?
> >
> >I really wouldn't like to upgrade from my current stable situation,
> >only to find out that it didn't solve my original problem.
> >
> >TIA!
> >
>
> I have 7.4.1 version and "select md5('apple')" returns:
> 1f3870be274f6c49b3e31a0c6728957f
>
> But I have checked in my PHP 4.3 what will return md5('apple') and:
> 1f3870be274f6c49b3e31a0c6728957f
>
> So as you see there are the same - but they are different from your result.

Thanks for testing this!

I'm not sure if I'm happy with the outcome... Seems as if the result
of both md5() functions depends on something outside of PHP and
postgresql... Which could mean that if I backup my db and restore it
on another server (which of course should be possible) all my
passwords will be broken :-(

I guess I'll have to take a better look at how md5 works...

Thanks again!

--
10:50-10:54
Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2188.nptl

---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match

Re: MD5 in pg and php

am 29.04.2004 11:26:26 von Joolz

> [Joolz schreef op 29-04-2004 10:54 +0200]

....

> I guess I'll have to take a better look at how md5 works...

(foot in brain)

I had a typo on my testcode, now I get
1f3870be274f6c49b3e31a0c6728957f too.

Thanks everyone, I will have a look at what's changed between 7.3.4
and 7.4.2 and then (probably) upgrade.

--
11:23-11:26
Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2188.nptl

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster

Re: MD5 in pg and php

am 29.04.2004 11:49:41 von Marek Lewczuk

Joolz wrote:
>>[Marek Lewczuk schreef op 29-04-2004 09:31 +0100]
>>
> Thanks, I already found some fc1 rpm's (still in development). But can
> anyone tell me if the 7.4 internal md5() function will do the same as
> the PHP md5() function? Or do a quick select md5('apple') and let me
> know if the result is 'ae6d32585ecc4d33cb8cd68a047d8434'?
>
> I really wouldn't like to upgrade from my current stable situation,
> only to find out that it didn't solve my original problem.
>
> TIA!
>

I have 7.4.1 version and "select md5('apple')" returns:
1f3870be274f6c49b3e31a0c6728957f

But I have checked in my PHP 4.3 what will return md5('apple') and:
1f3870be274f6c49b3e31a0c6728957f

So as you see there are the same - but they are different from your result.



---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)

Re: MD5 in pg and php

am 29.04.2004 12:11:29 von Bruno Wolff III

On Thu, Apr 29, 2004 at 09:07:16 +0200,
Joolz wrote:
>
> I want to store passwords in a pg db, MD5 seems like a good way to
> enhance security (no more plaintext passwords over the line etc.) I
> had a look at MD5, in PHP 4.3.4 there is a function md5() which seems
> to work nicely:

This may not help as much as you think. If you are using an ssl connection,
the passwords won't be sent in the clear. If you aren't using an ssl
connection the hashes will be in clear. I don't believe the postgres
uses a random challenge so that you won't really raise the bar much.
Plus if snooping passwords is a threat, most likely snooping data will
be as well (though not always) and forcing connections to use ssl may be
your best bet. I believe as typically used this is vulnerable to man in
the middle attacks, but these are going to be significantly harder to do than
simple snooping.

---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match

securing PHP/Postgresql (was: MD5 in pg and php)

am 29.04.2004 18:57:23 von Joolz

> [Bruno Wolff III schreef op 29-04-2004 05:11 -0500]
>
> On Thu, Apr 29, 2004 at 09:07:16 +0200,
> Joolz wrote:
> >
> > I want to store passwords in a pg db, MD5 seems like a good way to
> > enhance security (no more plaintext passwords over the line etc.)
> > I had a look at MD5, in PHP 4.3.4 there is a function md5() which
> > seems to work nicely:
>
> This may not help as much as you think. If you are using an ssl
> connection, the passwords won't be sent in the clear. If you aren't
> using an ssl connection the hashes will be in clear. I don't believe
> the postgres uses a random challenge so that you won't really raise
> the bar much. Plus if snooping passwords is a threat, most likely
> snooping data will be as well (though not always) and forcing
> connections to use ssl may be your best bet. I believe as typically
> used this is vulnerable to man in the middle attacks, but these are
> going to be significantly harder to do than simple snooping.

Thanks for the tip. I already have things like:

if (ini_get('register_globals') === 1) {
say it's not safe, don't enter the application }

and

if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
idem }

in my login screen. Still, I would feel more assured if passwords go
over the line md5()'d, even if that line is encrypted.

I have other things to worry about next. Right now I let the user
enter the pg username and password, store these values in session
variables and use them every time a database connection is needed.

Someone told me this is very insecure, as the session variables are
stored in either /tmp on the server (that's where I have them put), in
a local cookie or in the URL. Neither would be safe, a better approach
would be to authenticicate once (by looking up the user + password in
a table), and give access to certain tables, views etc. based on the
result of the first lookup; the result being different roles in the
organisation who have access to certain views etc. or a simple 'false'
if the password is wrong.

I have to think about it long and hard :-), the extra "layer" makes
things more secure, I would only have to register username (for
auditing purposes) plus the "role" in session variables, which could
be md5()'d. Still, the extra layer is from a logical point of view
redundant and thus errorprone.

Still, it might be a good idea. If anyone cares to share their opinion
on the matter (or discuss how you handled this), TIA!

--
18:38-18:57
Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2188.nptl

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org

Re: securing PHP/Postgresql (was: MD5 in pg and php)

am 01.05.2004 14:07:26 von Andrew McMillan

On Thu, 2004-04-29 at 18:57 +0200, Joolz wrote:
>
> I have to think about it long and hard :-), the extra "layer" makes
> things more secure, I would only have to register username (for
> auditing purposes) plus the "role" in session variables, which could
> be md5()'d. Still, the extra layer is from a logical point of view
> redundant and thus errorprone.
>
> Still, it might be a good idea. If anyone cares to share their opinion
> on the matter (or discuss how you handled this), TIA!

For myself, I handle security roughly as follows:

Password is stored as a salted md5, which means that two users with the
same password have different on-disk records of it.

Logged in user gets a session cookie which is an md5 of random data plus
a session id. The session id is looked up, and the random data (which
is only known server-side) is validated. Of course the session id is
predictable, but the random data is not.

I use a general user-id to access the database, rather than database
users and permissions. I generally find that the database permissions
model is not a good fit to the permissions I want for my website.

Hope this is of interest,
Andrew McMillan.
------------------------------------------------------------ -------------
Andrew @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267

------------------------------------------------------------ -------------


---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faqs/FAQ.html