Rev 1282 | Go to most recent revision | Details | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1207 | daniel-mar | 1 | |
| 2 | SERVER_SECRET |
||
| 3 | ============= |
||
| 4 | |||
| 5 | In the base configuration, you will see something like this: |
||
| 6 | |||
| 7 | OIDplus::baseConfig()->setValue('SERVER_SECRET', '................................'); |
||
| 8 | |||
| 9 | This value is chosen randomly by the configuration file generator (setup). |
||
| 10 | |||
| 11 | Where is SERVER_SECRET being used? |
||
| 12 | ---------------------------------- |
||
| 13 | |||
| 14 | System: |
||
| 15 | - Auth content Store (OIDplusAuthContentStoreJWT.class.php): |
||
| 16 | Key to sign JWT tokens (used for Automated AJAX requests and logins with "Remember me") using PBKDF2+HMAC |
||
| 17 | (ONLY if the server does not have a Public/Private key pair!) |
||
| 18 | `JWT = HS512(hash_pbkdf2('sha512', SERVER_SECRET+"/OIDplusAuthContentStoreJWT", '', 10000, 64/*256bit*/, false))` |
||
| 19 | - Session Handler (OIDplusSessionHandler.class.php): |
||
| 20 | Encryption of session contents (regular logins) |
||
| 21 | if OpenSSL is installed: sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac |
||
| 22 | if OpenSSL is not installed: sha3-512-hmac |
||
| 23 | - Auth utils: Generation of auth keys |
||
| 24 | `makeAuthKey(data) = sha3_512_hmac(data, "authkey:"+SERVER_SECRET);` |
||
| 25 | used at plugin forgot RA password (public/091): |
||
| 26 | `makeAuthKey("reset_password;" + email + ";" + timestamp) |
||
| 27 | = sha3_512_hmac("reset_password;" + email + ";" + timestamp, "authkey:"+SERVER_SECRET);` |
||
| 28 | used at plugin ViaThinkSoft FreeOID activation (public/200): |
||
| 29 | `makeAuthKey("com.viathinksoft.freeoid.activate_freeoid;" + email + ";" + timestamp) |
||
| 30 | = sha3_512_hmac("com.viathinksoft.freeoid.activate_freeoid;" + email + ";" + timestamp, "authkey:"+SERVER_SECRET);` |
||
| 31 | used at plugin invite RA (ra/092): |
||
| 32 | `makeAuthKey("activate_ra;" + email + ";" + timestamp) |
||
| 33 | = sha3_512_hmac("activate_ra;" + email + ";" + timestamp, "authkey:"+SERVER_SECRET);` |
||
| 34 | used at plugin change RA email (ra/102): |
||
| 35 | `makeAuthKey("activate_new_ra_email;" + old_email + ";" + new_email + ";" + timestamp) |
||
| 36 | = sha3_512_hmac("activate_new_ra_email;" + old_email + ";" + new_email + ";" + timestamp, "authkey:"+SERVER_SECRET);` |
||
| 37 | |||
| 38 | Plugin WHOIS (public/100): |
||
| 39 | - Authentication token for hidden OIDs = `smallhash(SERVER_SECRET + "/WHOIS/" + id);` |
||
| 40 | |||
| 41 | Plugin VNag version check (admin/901): |
||
| 42 | - Webreader password = `sha3_512(SERVER_SECRET + "/VNAG")` |
||
| 43 | |||
| 44 | --- |
||
| 45 | |||
| 46 | Important: Please never use SERVER_SECRET alone for any hashing/HMAC without adding any context to it. |
||
| 47 | |||
| 48 | - Example: Bad `hmac(message, SERVER_SECRET)` |
||
| 49 | - Example: Good `hmac(message, 'xyz:'.SERVER_SECRET)` |
||
| 50 | |||
| 51 | Reason: Since the SERVER_SECRET is used at many different places, we must make sure that the calculated values do not reveal information about the SERVER_SECRET in any kind. |