Tell me more ×
IT Security Stack Exchange is a question and answer site for IT security professionals. It's 100% free, no registration required.
up vote 3 down vote favorite

My entropy gathering system works by serializing user inputs:

$entropy=sha1(microtime().$pepper.$_SERVER['REMOTE_ADDR'].$_SERVER['REMOTE_PORT'].
$_SERVER['HTTP_USER_AGENT'].serialize($_POST).serialize($_GET).serialize($_COOKIE));

only serialization is done. no unserialization is performed.

someone had said:

your serializing user inputs your database is free lunch.

is that true?

are there any security problems with serializing user inputs?

share|improve this question

1 Answer

up vote 3 down vote

There are a lot of things wrong here, but to answer your question; no, there is no problem with calling serialize(); on user-submitted data. The only problem is what you then do with the output.

Your entropy gathering essentially boils down to: microtime() which will give you about 12 bits of entropy given typical TCP latency noise to a remote server, which is not a lot...

If you use $entropy to seed an encryption key, that key will be known to whoever submitted the HTTP request. This might not be a problem in your system, but it is something you should be aware of.

In short; if I submit a request to the page above, I will be able to predict the value of $entropy down to about 1 in 4000.

You are much better off reading a few bytes from an entropy generating stream such as /dev/urandom on unix systems, or the crypto-api on Windows systems.

share|improve this answer
yes i know all of that. that entropy is just an extra, not the main entropy source. also it is stored in db and is combined with each new request's entropy from every user. so the main extra entropy source (the combined entropy of all requests to the time) becomes completely unpredictable soon after enough distinct users visit the site. also i agree with u that user knows his request parameters, these parameters can't protect the server against user, but that entropy still is of use for protecting user against attackers. e.g it is used in generating users' login key, anti-csrf token, etc. – H M Apr 30 at 17:35

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.