[TYPO3-dev] md5 encryption with kb_md5fepw
Bernhard Kraft
kraftb at kraftb.at
Sun Mar 5 01:51:38 CET 2006
Christoph Koehler wrote:
> Hey guys,
>
> I couldn't figure this one out from the code:
> How are the passwords actually stored in the db when one uses
> sr_feuser_register with the md5 extension? Is it just plain md5, and
> it's just hashed with the challenge var from the db and then compared
> to the same thing generated by JS?
> Or is the superchallenged string stored in the db?
> If it's the latter, could someone point me to the exact algorithm for that?
The clue with md5 hashed passwords is that they are only safe if you use some
kind of challenge response.
In T3 this is called challenged and superchallenged.
The difference is that the superchallenged variant gets md5'ed once again altogether.
I didn't ever find out what the sense behind this is :)
In the database the md5 strings are stored that are required to generate the (super)challenged
hash on the server side. On the client side this value is generated using the server supplied
challenge and the user-supplied password (which is md5'ed first). Then the generated response
gets sent to the server and compared to the value generated there.
There was a security issue before 3.8.0 that the challenge didn't get stored and the server response
value generated using this, but rather the challenge got transmitted back to the server via get/post
and this value was used to generate the server side response (to compare the user supplied value to).
This allowed one to send his own, perhaps already used, sniffed challenge and response and get a login
by that (so by sniffing it was possible to have a continuous login to a site).
This is now inhibited by storing the challenge value on the server in the user-session variable (sessions
are stored on server side and only an identifier is sent to the client - this doesn't affect security as it
just "identifies" the client). A php-session by default lasts until the browser is closed (this can get
changed.)
greets,
Bernhard
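The server-side difference Bernhard describes (trusting a challenge the client sends back versus using the one stored in the server session), as an added Python example that is not part of the original mail or of TYPO3; the exact response composition `md5(username:md5(password):challenge)`, md5'ed once more for "superchallenged", is an illustrative assumption, not TYPO3's verified formula.

```python
import hashlib
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed user record: the DB stores md5(password), as the mail says.
USER_DB = {"chris": md5hex("correct horse")}


def response(username: str, password_md5: str, challenge: str,
             superchallenged: bool = True) -> str:
    """Assumed composition of the login response (illustrative, not TYPO3's exact formula)."""
    r = md5hex(f"{username}:{password_md5}:{challenge}")
    return md5hex(r) if superchallenged else r  # superchallenged: md5'ed once again


def client_login(username: str, password: str, challenge: str) -> str:
    """Client side (the JS part): md5 the password first, then build the response."""
    return response(username, md5hex(password), challenge)


def issue_challenge(session: dict) -> str:
    """Server side >= 3.8.0 behaviour: fresh challenge, kept in the server-side session."""
    session["challenge"] = secrets.token_hex(16)
    return session["challenge"]


def verify_pre_380(username: str, client_challenge: str, client_response: str) -> bool:
    """Pre-3.8.0 behaviour: the challenge comes back via GET/POST and is trusted as-is,
    so a previously sniffed (challenge, response) pair verifies again and again."""
    stored = USER_DB.get(username)
    return stored is not None and response(username, stored, client_challenge) == client_response


def verify_fixed(session: dict, username: str, client_response: str) -> bool:
    """Fixed behaviour: only the session-stored challenge is used, and it is consumed,
    so a replayed response no longer matches."""
    challenge = session.pop("challenge", None)
    stored = USER_DB.get(username)
    if challenge is None or stored is None:
        return False
    return response(username, stored, challenge) == client_response
```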