phpgroupware-developers

Re: [Phpgroupware-developers] Re: [ phpgroupware-Bugs-445721 ] email


From: Del
Subject: Re: [Phpgroupware-developers] Re: [ phpgroupware-Bugs-445721 ] email password not saved.
Date: Fri, 21 Dec 2001 10:02:01 +1100

Miles Lott wrote:
> 
> I have just committed the ability to configure the mcrypt
> algorithm and mode in setup.  To get this, you need to update
> phpgwapi/inc/class.crypto.inc.php, admin/inc/hook_config.inc.php,
> admin/templates/default/config.tpl, and setup/lang/phpgw_en.lang.
> 
> You also need the newer common and sessions classes committed
> earlier today.
> 
> Of course, you also need to know what you are doing.  But, the
> default is mentioned and also set, making behavior the same as
> before unless you change it.
> 
> It detects if mcrypt is available, and lists the algos/modes,
> checking for duplicates (some of mine were listing twice).
> 
> If not, it then sets the default anyway to tripledes/cbc.
> This shouldn't hurt the non-mcrypt folks.
> 
> I was able to switch on the fly being logged into setup and
> into phpGroupWare, and with debugging enabled in crypto class
> I could see the working results.

Thanks Miles, looks good.

A point for anyone who's interested (or maybe for inclusion in
the "help" files):  CBC mode is more secure than ECB mode if a
different IV is used each time a string is encrypted.  Because
the IV is generated once for phpgroupware and used for all
encryption from that point onwards, it's no safer than ECB.
ECB mode is smaller and faster than CBC mode.

Although the default encryption type is 3DES for backwards
compatibility with previous versions of phpgroupware, RIJNDAEL-128
will give better security and performance.  3DES uses a 192 bit
key and gives you 112 bits of security (performance is decided by
the key length), and Rijndael uses 128 bit keys for 128 bits
of security.

People probably should be warned against using ARCFOUR as it's
a stream cipher not a block cipher and is only really suitable
for encrypting constant streams of data.  In any case if you
are going to choose ARCFOUR as a cipher then you must pick STREAM
as a cipher mode -- is there any way of enforcing this in setup?

If I find a "rough guide to crypto" anywhere on the net I'll
produce a URL.  The best reference for all of the above info is
"Applied Cryptography" by Bruce Schneier, from Wiley publishing.

Also, I get warnings in the config screen as follows:

Warning: Wrong datatype for second argument in call to in_array in /home/del/develop/sourceforge/phpgroupware/admin/inc/hook_config.inc.php on line 28

Warning: Wrong datatype for second argument in call to in_array in /home/del/develop/sourceforge/phpgroupware/admin/inc/hook_config.inc.php on line 65

I think that's because you are checking in_array($value, $listed)
but need to do $listed = array(); at some point before the first time
through the loop to make sure that $listed is an empty array rather
than just an undefined variable.

--
Del
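
An added example, not part of the original message or of phpGroupWare's code, showing what a reused IV in CBC mode gives away and how a fresh IV per string removes it. It assumes PHP 7.4+ with ext/openssl, using AES-128-CBC in place of mcrypt's RIJNDAEL-128; the key, IV, passwords and function names are constructed for illustration.

```php
<?php
// Added example. ext/openssl's AES-128-CBC stands in for mcrypt's
// RIJNDAEL-128 in CBC mode. All keys, IVs and passwords are constructed.
const CIPHER = 'aes-128-cbc';

// The design discussed above: one IV generated once and reused for every string.
function encrypt_fixed_iv(string $plain, string $key, string $iv): string
{
    return openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

// Fresh random IV per string, stored in front of the ciphertext (an IV is not secret).
function encrypt_fresh_iv(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    return $iv . openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

function decrypt_fresh_iv(string $blob, string $key): string
{
    $n = openssl_cipher_iv_length(CIPHER);
    $plain = openssl_decrypt(substr($blob, $n), CIPHER, $key, OPENSSL_RAW_DATA, substr($blob, 0, $n));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

$yn = fn(bool $b): string => $b ? 'yes' : 'no';
$key     = substr(hash('sha256', 'constructed demo key', true), 0, 16);
$fixedIv = substr(hash('sha256', 'constructed site-wide IV', true), 0, 16);
$alice = 'mailpass-2001-winter';    // two accounts with the same password
$bob   = 'mailpass-2001-winter';
$carol = 'mailpass-2001-wireless';  // shares only the first 16-byte block

$fa = encrypt_fixed_iv($alice, $key, $fixedIv);
$fb = encrypt_fixed_iv($bob, $key, $fixedIv);
$fc = encrypt_fixed_iv($carol, $key, $fixedIv);
printf("fixed IV, same password: ciphertexts equal?   %s\n", $yn($fa === $fb));
printf("fixed IV, shared prefix: first blocks equal?  %s\n", $yn(substr($fa, 0, 16) === substr($fc, 0, 16)));

$ra = encrypt_fresh_iv($alice, $key);
$rb = encrypt_fresh_iv($bob, $key);
printf("fresh IV, same password: ciphertexts equal?   %s\n", $yn($ra === $rb));
printf("fresh IV, round trip ok?                      %s\n", $yn(decrypt_fresh_iv($ra, $key) === $alice));
```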


