Using a time-based, rotating hash or string for security

Question

In a CMS app I occasionally need to open an iframe of another domain. At the moment I am setting the URL for that iframe to something very obscure. Like http://domain.com/if

Answer 1

You shouldn't use plain MD5 that; MD5 is not designed for ensuring message authenticity. Instead you can just give the timestamp publicly, alongside with other information (message), base64 encoded, so that it does not contain the ':' character. Then you can calculate the HMAC code of the message for example with

$hmac = hash_hmac("md5", $message, $secret)
$signed_message = $message . ":" . $hmac

On the other end you can then check this signature, by first splitting with ":", getting $message and $hmac, then you can check authenticity with

$hmac == hash_hmac("md5", $message, $secret)

If codes match, then check if the timestamp in the $message is still within the limits.

Answer 2

You could add a key to your hash and send the timestamp with the query, e.g.:

$key = "YOUR_SECRET_KEY";
$time = time();
$hash = hash_hmac('sha256', $time, $key);
$url = "https://example.com/iframe?hash=$hash&time=$time";

On the other side you should first check if the timestamp is in the limits (e.g. not older than five minutes) and than rehash with the key and the submitted timestamp. If you get the same hash the request is valid.

Notes:

• don't use MD5: the algorithm is completely broken and doesn't provide any security anymore (although it's supposed to still be ok when used with an HMAC…)
• you should use hash_equals for comparing hashes to prevent timing attacks
• we use an HMAC to guarantee data integrity and authentication. See https://crypto.stackexchange.com/questions/1070/why-is-hkx-not-a-secure-mac-construction for why we mustn't just concatenate time & key

Answer 3

Be careful of using MD5 for hashing - it is cryptographically broken. There are any number of online sites to help create collisions. Rather use something like SHA256 and always include a long salting string.

If the user does not have to interact with the site in the iframe you could consider scraping the site code and inserting it directly into your code. There are a number of libraries available for this.

What about using something like

$hash = hash ( "sha256" , date("h") . 'myverylongsaltstring' );

So long as the servers have their timezones correct and are synchronized to within an hour this approach will work like your time() hash.

Additionally you could use something like TinyUrl to obfuscate the link a little further. Something along the lines of http://www.technabled.com/2008/12/create-your-own-tinyurl-with-php-and.html

Answer 4

If it is time based, then the amount of possible keys that a person would have to guess would be tiny. Since I would know approximately when a URl might be generated, and I know how you are hashing it, then I can just create hundreds of thousands of links and test them out.

You should use UUID or something equivalent. The probability of a collission would be essentially impossible.