tags:

views:

398

answers:

5
+2  Q: 

Shared Secret Key Length

I'm trying to create an authenticated HTTP service endpoint by using shared secret.

A good example is Flickr signing scheme.

I'd like to know what is the best public key and secret key length? I'm almost sure people will say arbitrary, but would like to know what are the general opinion and why.

Another question, Flickr uses MD5 to generate the "signature". I read that MD5 is no longer secure, what are the alternatives to MD5? And since consumers of the service will need to generate this signature, bonus point for ease of use and multi-platform library support.

+2  A: 

As for alternatives to MD5 goes, I think the SHA family of hash functions are considered the de-facto replacements. They come in different flavours with different hash sizes:

  • SHA1
  • SHA256
  • SHA512

Obviously the newer versions (with longer hashes), will provide more security. There has been reports that SHA1 is broken, but for most practical applications, I would still consider it secure.

When selecting a shared key length, I would go for a length around the same length as the length of the hash value, in order to have a sufficient space of possible keys. It seems to me that choosing a longer key would give no added benefit. If someone where to brute-force attack your application, theoretically they would have found the key when they have tried as many keys as there are possible hash values. (Disclaimer : I am not a cryptographics expert and might be wrong on the previous statement).

Today, SHA is supported on most platforms, including .NET and Java.

driis  2009-07-23 11:37:32
SHA1 is almost broken. Do not use it.
Pedro d'Aquino  2009-07-23 11:38:51
@Pedro; I would say it depends on the application, but of course you should choose one of the newer hash functions if possible. To quote Schneier's article: _"They can find collisions in SHA-1 in 2^69 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology."_ I would say that 2^69 calculations is still pretty secure for "the common web application". If you are developing an online banking site, you should probably not use SHA1 :-)
driis  2009-07-23 11:52:05
+1  A: 

An alternative to MD5 is would be the MD6 Hash Algorithm but it is not ready yet.
Meanwhile, here is a good read on secure hashing from Bruce Schneier.

Also, look at the NIST cryptographic hash project and
their tentative timeline of development of New Hash Functions
Another recent discussion -- SHA-3 Second Round Candidates Released, July 2009

nik  2009-07-23 12:01:40
Nice list of pointers.MD6 has been submitted to the SHA-3 competition, but was not selected for the second round, so MD6 wouldn't be my first choice.And of course Bruce Schneiers blog is biased.
Accipitridae  2009-09-29 06:51:59
A: 

How secure does your service have to be? What will happen if someone brute-forces the key? And if you're truly concerned, why aren't you using SSL with client-side certificates?

These are the general questions that you need to answer for your particular project, before you can decide the best approach to encryption.

Case study: In an application that I'm developing, I encrypt (not hash) key data using DES (yes, plain DES), and decrypt by the service. All URLs have to be generated by the server, which holds the shared key. There's an optional timestamp to limit validity of the URL: if you access the service with an expired URL, you get a 403 back. The data in question is relatively low value, and there will be no fiduciary considerations if the encryption is broken.

Can it be broken by consumer equipment? Sure.

Is there a high payoff to breaking it? Not at all.

Why not just send the data in plaintext? Because we want to ensure some level of control. My primary goal is keeping script kiddies from creating a denial-of-service attack with constant inserts/updates.

Incidentally, the data in the plaintext never appears anywhere else in the communication between client and server. Which means that, even if someone brute forces the key, they have to apply some sort of heuristic to learn that they've broken the key. Security via Obscurity, yes, but sometimes obscurity is useful.

kdgregory  2009-07-23 12:08:42
Recommending to use DES is bad advice. Even if security is not your highest priority, you still want to select an accepted standard (e.g. AES). Since AES implementations are usually faster than DES there is nothing to gain from using weak encryption. But you have to constantly reevaluate the security of your scheme against potential breaks. Using a strong algorithm like AES, simplifies your design and analysis. And simplicity is certainly what you want for something that isn't your top priority.
Accipitridae  2009-09-29 06:46:08
My recommendation was that the OP evaluate his/her security needs and pick something appropriate, not to use a specific technology. But hey, thanks for the downvote.
kdgregory  2009-09-29 11:42:00
+1  A: 

When choosing key sizes, NIST Special Publication 800‑57 (Part 1), §5.6 is a useful guide. The credit card industry's recommendation is for "strong" security, which I interpret as 112 "bits of security" or better. The NIST guidelines show that corresponds to triple-DES (or a small bump up to 128-bit AES) for symmetric ciphers and a 2048-bit key for RSA. See Table 2 for a rough equivalence.

For hash algorithms, it depends on the application. If you don't need interoperability with widely deployed cryptographic applications, try to use SHA-224 or better. In some cases, though, interoperability might require SHA-1, in spite of its emerging vulnerability to collision attacks.

erickson  2009-07-23 16:31:36
+1  A: 

Flickr signing scheme is completely broken. Never use it gain.

http://netifera.com/research/flickr%5Fapi%5Fsignature%5Fforgery.pdf

 2009-09-28 19:21:38
OMG, Flickr makes almost every mistake there is. The advisory is really helpful.
Accipitridae  2009-09-29 06:58:27

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.