oidplusalarmingautosfxaysaliacalllibchecksum-toolscolormanagercryptochatcurrency_converterdecoderdelphiutilsdistributeddpcstudiodpg2fastphpfileformatsfilter_foundryforestgridgameht46f47_simulatorindexer_suiteipe_artfile_utilsjavautilsjumperlightgamelogviewermusikboxmystic_houseoidconverteroidinfo_apioidinfo_new_designpersonal-webbasephp_antispamphp_clientchallengephp_guestbookphp_utilsplumbersprependrecyclebinunitsimple_log_eventsokobanspacemissionstackmanuserdetect2uuid_mac_utilsvgwhoisvnagwebcounterwinbugtrackeryt_downloader

BlueGreycalmElegant

Català-Valencià – Catalan中文 – Chinese (Simplified)中文 – Chinese (Traditional)Česky – CzechDansk – DanishNederlands – DutchEnglish – EnglishSuomi – FinnishFrançais – FrenchDeutsch – Germanעברית – Hebrewहिंदी – HindiMagyar – HungarianBahasa Indonesia – IndonesianItaliano – Italian日本語 – Japanese한국어 – KoreanМакедонски – Macedonianमराठी – MarathiNorsk – NorwegianPolski – PolishPortuguês – PortuguesePortuguês – Portuguese (Brazil)Русский – RussianSlovenčina – SlovakSlovenščina – SlovenianEspañol – SpanishSvenska – SwedishTürkçe – TurkishУкраїнська – UkrainianOëzbekcha – Uzbek

Compare Revisions

• This comparison shows the changes necessary to convert path

  → /trunk/doc/developer_notes/server_secret.md @ 1206

  → /trunk/doc/developer_notes/server_secret.md @ 1207

  ↔ Reverse comparison

• Compare Path:	Rev

  With Path:	Rev

Regard whitespace Rev 1206 → Rev 1207

/trunk/doc/developer_notes/server_secret.md
0,0 → 1,51
SERVER_SECRET
=============
In the base configuration, you will see something like this:
OIDplus::baseConfig()->setValue('SERVER_SECRET', '................................');
This value is chosen randomly by the configuration file generator (setup).
Where is SERVER_SECRET being used?
----------------------------------
System:
- Auth content Store (OIDplusAuthContentStoreJWT.class.php):
Key to sign JWT tokens (used for Automated AJAX requests and logins with "Remember me") using PBKDF2+HMAC
(ONLY if the server does not have a Public/Private key pair!)
`JWT = HS512(hash_pbkdf2('sha512', SERVER_SECRET+"/OIDplusAuthContentStoreJWT", '', 10000, 64/*256bit*/, false))`
- Session Handler (OIDplusSessionHandler.class.php):
Encryption of session contents (regular logins)
if OpenSSL is installed: sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac
if OpenSSL is not installed: sha3-512-hmac
- Auth utils: Generation of auth keys
`makeAuthKey(data) = sha3_512_hmac(data, "authkey:"+SERVER_SECRET);`
used at plugin forgot RA password (public/091):
`makeAuthKey("reset_password;" + email + ";" + timestamp)
= sha3_512_hmac("reset_password;" + email + ";" + timestamp, "authkey:"+SERVER_SECRET);`
used at plugin ViaThinkSoft FreeOID activation (public/200):
`makeAuthKey("com.viathinksoft.freeoid.activate_freeoid;" + email + ";" + timestamp)
= sha3_512_hmac("com.viathinksoft.freeoid.activate_freeoid;" + email + ";" + timestamp, "authkey:"+SERVER_SECRET);`
used at plugin invite RA (ra/092):
`makeAuthKey("activate_ra;" + email + ";" + timestamp)
= sha3_512_hmac("activate_ra;" + email + ";" + timestamp, "authkey:"+SERVER_SECRET);`
used at plugin change RA email (ra/102):
`makeAuthKey("activate_new_ra_email;" + old_email + ";" + new_email + ";" + timestamp)
= sha3_512_hmac("activate_new_ra_email;" + old_email + ";" + new_email + ";" + timestamp, "authkey:"+SERVER_SECRET);`
Plugin WHOIS (public/100):
- Authentication token for hidden OIDs = `smallhash(SERVER_SECRET + "/WHOIS/" + id);`
Plugin VNag version check (admin/901):
- Webreader password = `sha3_512(SERVER_SECRET + "/VNAG")`
---
Important: Please never use SERVER_SECRET alone for any hashing/HMAC without adding any context to it.
- Example: Bad `hmac(message, SERVER_SECRET)`
- Example: Good `hmac(message, 'xyz:'.SERVER_SECRET)`
Reason: Since the SERVER_SECRET is used at many different places, we must make sure that the calculated values do not reveal information about the SERVER_SECRET in any kind.