[Tickets #8425] Poor salt generation for crypt-*

bugs at horde.org bugs at horde.org
Fri Jul 10 05:50:12 UTC 2009


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/8425
------------------------------------------------------------------------------
  Ticket             | 8425
  Created By         | lowzl at hotmail.com
  Summary            | Poor salt generation for crypt-*
  Queue              | Horde Framework Packages
  Version            | FRAMEWORK_3
  Type               | Bug
  State              | Unconfirmed
  Priority           | 2. Medium
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


lowzl at hotmail.com (2009-07-10 01:50) wrote:

In lib/Horde/Auth.php, the function getSalt uses a poor algorithm for  
generating salts for crypt-*. crypt allows, at the very least, all  
Base64 characters in the salt, but the current algorithm only  
generates hexadecimal digits. Furthermore, for crypt-md5, 8 bytes of  
salt is permitted, so there are 64^8 = 2^48 possible salt values (if  
we only allow Base64 characters), but on most systems, mt_rand() only  
generates 2^31 different values, so the current algorithm generates at  
most 2^31 different salt values.

A better algorithm would use, for example,  
base64_encode(md5(sprintf('%08X%08X', mt_rand(), mt_rand()), TRUE))  
instead of just md5(mt_rand()).
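
The salt-space argument above, as an added PHP 7+ example that is not part of the ticket and is not Horde's getSalt(): it puts a hex salt taken from one mt_rand() value beside a salt drawn character by character with random_int(), and prints the upper bound on distinct salts for each. The function names, the `./0-9A-Za-z` salt alphabet and the sample password are assumptions made for the illustration; the 31-bit figure is the ticket's.

```php
<?php
// Added example (PHP 7+); not Horde's getSalt(). Function names are hypothetical.

// Salt alphabet assumed here: the 64 characters ./0-9A-Za-z.
const SALT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Pattern the ticket describes: hex digits of md5() over one mt_rand() value.
function hexSaltFromMtRand(): string
{
    return '$1$' . substr(md5((string) mt_rand()), 0, 8) . '$';
}

// Alternative: every salt character drawn uniformly from the full alphabet
// with random_int(), which uses the operating system's CSPRNG.
function cryptMd5Salt(int $length = 8): string
{
    $alphabet = SALT_ALPHABET;
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return '$1$' . $salt . '$';
}

// Upper bound on salt entropy in bits: limited both by what the output
// format can encode and by how many values the random source can produce.
function saltBits(int $alphabetSize, int $length, float $sourceBits): float
{
    return min($length * log($alphabetSize, 2), $sourceBits);
}

// 16 hex symbols x 8 chars could encode 32 bits, but the source caps it at 31.
printf("hex salt from one mt_rand(): %s  (<= %.0f bits)\n",
    hexSaltFromMtRand(), saltBits(16, 8, 31));
// 64 symbols x 8 chars = 48 bits, with no cap from the random source.
printf("full-alphabet CSPRNG salt:   %s  (<= %.0f bits)\n",
    cryptMd5Salt(), saltBits(64, 8, INF));

// Round trip with a constructed password: crypt() reads the salt back
// out of the stored hash, so verification needs no separate salt field.
$hash = crypt('constructed-example-password', cryptMd5Salt());
var_dump(hash_equals($hash, crypt('constructed-example-password', $hash)));
```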





