All geek questions in one place

Use a temporary, rotating hash or string for security

In a CMS application, I sometimes need to open an iframe of another domain. I am currently setting the URL for this iframe to something very obscure. Like http://domain.com/iframe/jhghjg34787386/ . This works, but in theory, the iframe URL will be saved in the user's history and can be accessed from the outside world.

Therefore, I am interested in using a time-based approach to a constantly changing hash or string, which is processed on the request side and checked on the source side of the iframe. However, I would like it to be based on time.

I could do this to get my hash:

<?php $seed = '123456789'; // a password that both the parent and source have $string = md5(time().$seed); ?>

But then the two servers must be exactly synchronized. Is there a way to make the time limit more blurry?

I am also open to other approaches. Is there a way to verify that the parent window for the iframe has a specific domain?

+5
source share
4 answers

You can add a key to your hash and send a timestamp with a request, for example:

 $key = "YOUR_SECRET_KEY"; $time = time(); $hash = hash_hmac('sha256', $time, $key); $url = "https://example.com/iframe?hash=$hash&time=$time";

On the other hand, you must first check if the timestamp is within (for example, no older than five minutes), and then double-check with the key and the sent timestamp. If you get the same hash, the request is valid.

Notes:

+7
source

You should not use plain MD5; MD5 is not intended to provide message authenticity. Instead, you can simply publish the timestamp along with other information (message) encoded by base64 so that it does not contain the ":" character. Then you can compute the HMAC message code, for example using

 $hmac = hash_hmac("md5", $message, $secret) $signed_message = $message . ":" . $hmac

At the other end, you can verify this signature by first splitting the ":", getting $ message and $ hmac, then you can verify authenticity with

 $hmac == hash_hmac("md5", $message, $secret)

If the codes match, check to see if the timestamp in $message is kept within.

+3
source

Be careful using MD5 for hashing - it is cryptographically broken. There are many websites that help create conflict. Rather, use something like SHA256 and always include a long string of pickles.

If the user does not need to interact with the site in an iframe, you can think about clearing the site code and inserting it directly into your code. Several libraries are available for this.

How about using something like

 $hash = hash ( "sha256" , date("h") . 'myverylongsaltstring' );

As long as the servers have the correct timestamps and synchronize with them for an hour, this approach will work as your time hash ().

Alternatively, you can use something like TinyUrl to confuse the link a bit. Something like http://www.technabled.com/2008/12/create-your-own-tinyurl-with-php-and.html

+1
source

If it depends on time, then the number of possible keys that a person would have to guess will be tiny . Since I would know that when URl can be generated, and I know how you hash it, I can just create hundreds of thousands of links and check them.

You should use a UUID or something similar. The probability of a collision is almost impossible.

0
source

Source: https://habr.com/ru/post/1379124/

More articles:


All Articles