Once I implemented RSA Cookie Encryption in phpMyBitTorrent. I know that fake cookies are a huge problem for PHP-Nuke Admins. This is why I had this idea for my PHP software.
As you may know, PHP Nuke cookies are base64 encoded, so it’s easy to encode fake ones and try to bypass security. Once I made myself a UNION fix on admin.php, for an attack that submitted via HTTP POST a fake Admin cookie. Then I just blocked GET and POST submissions of $admin. I knew it was not enough. What if hackers open a socket and submit a fake cookie through there?
The final solution is to ENCRYPT authentication cookies using the RSA algorithm by Rivest/Shamir/Adleman. RSA, for those who don’t know, is based on two keys, one for encoding a text string, and one for decoding it.
The encryption key is usually made public. I won’t deal with this matter more…
What if you encrypt a cookie with two PRIVATE keys? Because they don’t have the public key, nobody will be able to submit cookies they made themselves. Only the webserver, after logging the user in, can generate a valid key. Like the activation key on PHP Nuke itself.
I found a PHP RSA library and I converted it into a class called “RSA”. I added a few parameters to config.php (I mean phpMyBitTorrent’s one) and edited the cookie functions. These are:
cookie_encode(&$cookie);
cookie_decode($cookie);
If the RSA engine is enabled, cookies are encrypted that way!
I’m also providing phpMyBitTorrent with a smart and simple key generator, needed to use the engine. UNFORTUNATELY, I noticed that the key length cannot be like the 3072-bit ones we can use on SSH, since PHP seems not to accept numbers coded on more than 24 bits for the key product.
A 24-bit key is really weak even compared to a 128-bit length. The primes array is also small, so a hacker with a brute force attack can easily discover the key after a number of attempts I haven’t computed yet, but I can assure you it is not so long… Still, this encryption, because of the keys, helps reduce the effects of a new cookie attack if discovered. Unlike the HTML page used to hack my PHP Nuke, it will be more complicated to use a cookie attack since nobody is provided with the public key.
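To put a number on the 24-bit limit described above, here is an added example (not phpMyBitTorrent's code and not the PHP RSA library mentioned in the post) that builds a toy key with a 24-bit modulus and measures how many trial divisions split it. The primes, exponent, block value and the helper names modpow, modinv and factor_cost are constructed for illustration, and the audit assumes the modulus is known to whoever runs it.

```php
<?php
// Added illustration, not project code. Assumes 64-bit PHP 7.1+; values are constructed.

// Square-and-multiply. With $mod < 2^24 every product stays below 2^48.
function modpow(int $base, int $exp, int $mod): int {
    $result = 1;
    $base %= $mod;
    while ($exp > 0) {
        if ($exp & 1) { $result = ($result * $base) % $mod; }
        $base = ($base * $base) % $mod;
        $exp >>= 1;
    }
    return $result;
}

// Extended Euclid: inverse of $a modulo $m, requires gcd($a, $m) == 1.
function modinv(int $a, int $m): int {
    [$r0, $r1, $t0, $t1] = [$m, $a % $m, 0, 1];
    while ($r1 !== 0) {
        $k = intdiv($r0, $r1);
        [$r0, $r1] = [$r1, $r0 - $k * $r1];
        [$t0, $t1] = [$t1, $t0 - $k * $t1];
    }
    return ($t0 % $m + $m) % $m;
}

// Key-strength audit: trial divisions needed to split $n into its two primes.
function factor_cost(int $n): array {
    $tries = 0;
    for ($p = 2; $p * $p <= $n; $p++) {
        $tries++;
        if ($n % $p === 0) {
            return ['p' => $p, 'q' => intdiv($n, $p), 'tries' => $tries];
        }
    }
    return ['p' => $n, 'q' => 1, 'tries' => $tries]; // $n itself is prime
}

// Constructed key pair with a 24-bit modulus, the size limit the post reports.
[$p, $q, $e] = [3019, 4001, 65537];
$n = $p * $q;
$d = modinv($e, ($p - 1) * ($q - 1));

$block  = 123456;                       // constructed cookie block, < $n
$cipher = modpow($block, $e, $n);
printf("round trip ok: %s\n", var_export(modpow($cipher, $d, $n) === $block, true));
$audit   = factor_cost($n);
$rebuilt = modinv($e, ($audit['p'] - 1) * ($audit['q'] - 1));
printf("%d-bit modulus split after %d divisions; exponent rebuilt: %s\n",
    strlen(decbin($n)), $audit['tries'], var_export($rebuilt === $d, true));
```

Any composite modulus below 2^24 has a prime factor below 4096, so the audit loop finishes in fewer than 4096 divisions whatever primes the generator picks.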
It can be an idea to port that script, after testing it for a while, to PHP Nuke. At this time you WON’T find ANY RSA in the phpMyBitTorrent Release Package or the CVS Repository. Even though tests are going excellently, this is still experimental, and won’t be committed to CVS for some days.
Meanwhile, I ask PHP Nuke Community’s opinion on this encryption system. I’ll take care of porting it to PHP Nuke in the most transparent way, if you help me find the files to edit.