[wp-trac] [WordPress Trac] #20276: Tie nonces and cookies to expirable sessions
WordPress Trac
noreply at wordpress.org
Wed Jun 4 21:45:39 UTC 2014
#20276: Tie nonces and cookies to expirable sessions
-------------------------------------------+------------------
Reporter: ryan | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 4.0
Component: Security | Version:
Severity: normal | Resolution:
Keywords: has-patch commit dev-feedback | Focuses:
-------------------------------------------+------------------
Comment (by duck_):
Replying to [comment:22 mdawaffe]:
> A few thoughts of unknown validity about the scheme:
>
> 1. 62^40 < 2^256. We'd need to do `wp_generate_password( 43 )` to
> saturate SHA-256. I have no idea if that's important.
Doesn't matter. It just needs to be unguessable. Way over 2^128
possibilities as is, so it's safe.
> 2. The patch uses SHA-256. It also breaks all previously generated
> cookies. Should we use it as an excuse to move from `hash_hmac( 'md5' )`
> to `hash_hmac( 'sha256' )`? HMAC-MD5 isn't broken, so I don't know if it
> matters.
Sure. As you say, it's not broken, but why not.
> 3. In the
> [http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf paper the
> current implementation is based on], the HMAC key is generated by doing
> `key = HMAC( user_name | expiration_time, server_secret )`. The reason
> it's not just `key = server_secret` is to protect against possible future
> volume attacks on HMAC: each new cookie is signed with a unique key. If
> that's the only reason, adding the token to the key generation isn't
> necessary. It's possible it hurts since it's not necessarily secret.
Indeed, it's not necessary. But it doesn't hurt either, since both user and
expiration are also known. However, I didn't have any reason for adding it
to the key computation, so I'm happy to take it away for simplicity.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/20276#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
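The scheme the two comments discuss, written out as an added illustration (not the ticket's patch or WordPress core code): the per-cookie key is derived as `HMAC( user | expiration, server_secret )` per the cited paper, the cookie carries a random session token, and only the SHA-256 of that token is stored server-side so a destroyed session invalidates the cookie. The `user|expiration|token|hmac` layout, the in-memory session array and the use of `random_bytes()` in place of `wp_generate_password()` are assumptions for this example.

```php
<?php
// Constructed example of a session-tied cookie; layout and store are assumptions.
const SERVER_SECRET = 'constructed-example-secret-not-for-production';

/** Per-cookie key as in the cited scheme: HMAC(user|expiration, server_secret). */
function cookie_key(string $user, int $expiration): string {
    return hash_hmac('sha256', $user . '|' . $expiration, SERVER_SECRET);
}

/** Issue a cookie; the server keeps only the SHA-256 of the session token. */
function issue_cookie(string $user, int $expiration, array &$sessions): string {
    $token = bin2hex(random_bytes(32));           // 256 bits of entropy, stands in for wp_generate_password()
    $sessions[$user][hash('sha256', $token)] = $expiration;
    $mac = hash_hmac('sha256', "$user|$expiration|$token", cookie_key($user, $expiration));
    return "$user|$expiration|$token|$mac";
}

/** Validate structure, expiry and HMAC (constant time), then require a live session. */
function validate_cookie(string $cookie, array $sessions, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;                              // malformed (a '|' in the user name also lands here)
    }
    [$user, $expiration, $token, $mac] = $parts;
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return null;                              // expired or non-numeric expiration
    }
    $expected = hash_hmac('sha256', "$user|$expiration|$token", cookie_key($user, (int) $expiration));
    if (!hash_equals($expected, $mac)) {
        return null;                              // forged or tampered cookie
    }
    if (!isset($sessions[$user][hash('sha256', $token)])) {
        return null;                              // session destroyed: cookie no longer valid
    }
    return $user;
}

/** Logging out one session drops its stored hash, invalidating that cookie only. */
function destroy_session(string $user, string $token, array &$sessions): void {
    unset($sessions[$user][hash('sha256', $token)]);
}

// Demo: a fresh cookie validates; after its session is destroyed it does not.
$sessions = [];
$now = time();
$cookie = issue_cookie('alice', $now + 3600, $sessions);
assert(validate_cookie($cookie, $sessions, $now) === 'alice');
destroy_session('alice', explode('|', $cookie)[2], $sessions);
assert(validate_cookie($cookie, $sessions, $now) === null);
```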