Discussion - The PHP Session ID is Vulnrable to Brute Force Attack

[ro0bear]

Hello,

I'm just getting back into PHP since I left it 3 years ago, and while going over sessions again, I noticed that the session key is only 32 bits long. This seems to leave websites susceptible to brute force attacks where the session id can be guessed by a cracker. Using the following equation highlights the apparent problem:

((2^NumberOfBits)+1)/(2*NumberOfGuessesPerSecond*NumberOfActiveSessionsAtOneTime) = expected number of seconds required to guess a valid session identifier
As defined here: https://www.owasp.org/index.php/Insu...sion-ID_Length

Active Sessions	Seconds to guess with 1000 guesses per second	Represented in Hours	in Days	in Weeks	in Months	in Years
1	2147483.6	35791.4	1491.3	213.0	53.3	4.4
2	1073741.8	17895.7	745.7	106.5	26.6	2.2
4	536870.9	8947.8	372.8	53.3	13.3	1.1
8	268435.5	4473.9	186.4	26.6	6.7	0.6
16	134217.7	2237.0	93.2	13.3	3.3	0.3
32	67108.9	1118.5	46.6	6.7	1.7	0.1
64	33554.4	559.2	23.3	3.3	0.8	0.1
128	16777.2	279.6	11.7	1.7	0.4	0.0
256	8388.6	139.8	5.8	0.8	0.2	0.0
512	4194.3	69.9	2.9	0.4	0.1	0.0
1024	2097.2	35.0	1.5	0.2	0.1	0.0
2048	1048.6	17.5	0.7	0.1	0.0	0.0
4096	524.3	8.7	0.4	0.1	0.0	0.0
8192	262.1	4.4	0.2	0.0	0.0	0.0
16384	131.1	2.2	0.1	0.0	0.0	0.0
32768	65.5	1.1	0.0	0.0	0.0	0.0
65536	32.8	0.5	0.0	0.0	0.0	0.0
131072	16.4	0.3	0.0	0.0	0.0	0.0
262144	8.2	0.1	0.0	0.0	0.0	0.0
524288	4.1	0.1	0.0	0.0	0.0	0.0
1048576	2.0	0.0	0.0	0.0	0.0	0.0
2097152	1.0	0.0	0.0	0.0	0.0	0.0

I'm guessing the security community are already well aware of this, as a result, is there an easy fix other than not using native PHP sessions?

I'm interested to see what people think about this.

Thanks,
ro0bear

[ro0bear]

Just realised, the forum where I read that it was 32 bits long was wrong, he meant 32 bytes long, or 128 bits.

[ro0bear]

The same table as in the original post except using 128 bits instead of 32 and ignoring seconds, days, weeks, and months is the following:

Active Sessions	Years to guess with 1000 guesses per second
1	351647617932517000000000000000.0
2	175823808966259000000000000000.0
4	87911904483129400000000000000.0
8	43955952241564700000000000000.0
16	21977976120782300000000000000.0
32	10988988060391200000000000000.0
64	5494494030195580000000000000.0
128	2747247015097790000000000000.0
256	1373623507548900000000000000.0
512	686811753774448000000000000.0
1024	343405876887224000000000000.0
2048	171702938443612000000000000.0
4096	85851469221806000000000000.0
8192	42925734610903000000000000.0
16384	21462867305451500000000000.0
32768	10731433652725800000000000.0
65536	5365716826362880000000000.0
131072	2682858413181440000000000.0
262144	1341429206590720000000000.0
524288	670714603295359000000000.0
1048576	335357301647680000000000.0
2097152	167678650823840000000000.0

Much safer!

[logic_earth]

Here are some settings from php.ini that will help make the Session ID a lot stronger: (Entropy length and file are the most important, depending on the system they will use a CSPRNG)

Code:

; How many bytes to read from the file.
; http://php.net/session.entropy-length
session.entropy_length = 1024


; Specified here to create the session id.
; http://php.net/session.entropy-file
; Defaults to /dev/urandom
; On systems that don't have /dev/urandom but do have /dev/arandom,
; this will default to /dev/arandom
; If neither are found at compile time, the default is no entropy file.
; On windows, setting the entropy_length setting will activate the
; Windows random source (using the CryptoAPI)
session.entropy_file = /dev/urandom

; Select a hash function for use in generating session ids.
; Possible Values
;   0  (MD5 128 bits)
;   1  (SHA-1 160 bits)
; This option may also be set to the name of any hash function supported by
; the hash extension. A list of available hashes is returned by the hash_algos()
; function.
; http://php.net/session.hash-function
session.hash_function = 1 ; or sha256 sha512 etc


; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
; Possible values:
;   4  (4 bits: 0-9, a-f)
;   5  (5 bits: 0-9, a-v)
;   6  (6 bits: 0-9, a-z, A-Z, "-", ",")
; Default Value: 4
; Development Value: 5
; Production Value: 5
; http://php.net/session.hash-bits-per-character
session.hash_bits_per_character = 6

[ro0bear]

Here are some settings from php.ini that will help make the Session ID a lot stronger: (Entropy length and file are the most important, depending on the system they will use a CSPRNG)

Code:

; How many bytes to read from the file.
; http://php.net/session.entropy-length
session.entropy_length = 1024


; Specified here to create the session id.
; http://php.net/session.entropy-file
; Defaults to /dev/urandom
; On systems that don't have /dev/urandom but do have /dev/arandom,
; this will default to /dev/arandom
; If neither are found at compile time, the default is no entropy file.
; On windows, setting the entropy_length setting will activate the
; Windows random source (using the CryptoAPI)
session.entropy_file = /dev/urandom

; Select a hash function for use in generating session ids.
; Possible Values
;   0  (MD5 128 bits)
;   1  (SHA-1 160 bits)
; This option may also be set to the name of any hash function supported by
; the hash extension. A list of available hashes is returned by the hash_algos()
; function.
; http://php.net/session.hash-function
session.hash_function = 1 ; or sha256 sha512 etc


; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
; Possible values:
;   4  (4 bits: 0-9, a-f)
;   5  (5 bits: 0-9, a-v)
;   6  (6 bits: 0-9, a-z, A-Z, "-", ",")
; Default Value: 4
; Development Value: 5
; Production Value: 5
; http://php.net/session.hash-bits-per-character
session.hash_bits_per_character = 6