Hello,
our security consultants asks me to deactivate 3DES.
If I do so, limesurvey doesn't run anymore, even if I don't use encryption features (as far as I know)
For what exactly is 3DES used in limesurvey?
Is there a way to run limesurvey without 3DES?
Many thanks in advance.
Torsten

iqprGmbH wrote: our security consultants asks me to deactivate 3DES.
If I do so, limesurvey doesn't run anymore, even if I don't use encryption features (as far as I know)

Would you mind to elaborate a bit?

What have you actually done to deactivate 3DES? What does not run exactly mean? Describe the situation.

What version of LimeSurvey?
What environment? Windows/Linux? PHP?

Depending on the version in use i can assure you that LimeSurvey v3 is not using 3DES anywhere.
Our main hashing method is SHA256.

Depending on the version in use i can assure you that LimeSurvey v3 is not using 3DES anywhere.

So you can't guarantee it, or what does the "depending on the version" mean here? Which version use 3DES and which don't?

Why aren't we waiting for an answer? Depending on the version and the server environment there are fallbacks in the code (e.g. Yii-Framework) to provide routines for encryption. To rule out anything without knowing the environment is always risky. Let's wait for more information.

Dear all,
it is (was) limesurvey 2.67.3 on a Win Server 2012.
I disabled triple DES in the Registry ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168")
and afterwards I coud not open any page (not the login, or any other page). I just get a warning, that 3DES is not available.
BUT: Meanwhile I made some tests with limesurvey 3.15.5. And yes: 3.15.5 runs also when 3DES is disabled.
Nevertheless, in the CSecurityManager.php it still says, that Mcrypt (using 3DES) needs to be loaded.

<?php
/**
* This file contains classes implementing security manager feature.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @link www.yiiframework.com/
* @copyright 2008-2013 Yii Software LLC
* @license www.yiiframework.com/license/
*/

/**
* CSecurityManager provides private keys, hashing and encryption functions.
*
* CSecurityManager is used by Yii components and applications for security-related purpose.
* For example, it is used in cookie validation feature to prevent cookie data
* from being tampered.
*
* CSecurityManager is mainly used to protect data from being tampered and viewed.
* It can generate HMAC and encrypt the data. The private key used to generate HMAC
* is set by {@link setValidationKey ValidationKey}. The key used to encrypt data is
* specified by {@link setEncryptionKey EncryptionKey}. If the above keys are not
* explicitly set, random keys will be generated and used.
*
* To protected data with HMAC, call {@link hashData()}; and to check if the data
* is tampered, call {@link validateData()}, which will return the real data if
* it is not tampered. The algorithm used to generated HMAC is specified by
* {@link validation}.
*
* To encrypt and decrypt data, call {@link encrypt()} and {@link decrypt()}
* respectively, which uses 3DES encryption algorithm. Note, the PHP Mcrypt
* extension must be installed and loaded.


My problem seems to be solved, but if anyone knows, I woud appreciate to know, which features will not work with disabled 3DES (in Version 3.15.5).

Many thanks
Torsten

iqprGmbH wrote: Dear all,
it is (was) limesurvey 2.67.3 on a Win Server 2012.
I disabled triple DES in the Registry ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168")
and afterwards I coud not open any page (not the login, or any other page). I just get a warning, that 3DES is not available.

My view:
Your public survey website is running LimeSurvey under Microsoft-IIS/8.5.
You were advised to disable certain ciphers to strengthen the SSL/TLS encryption (accessing the webserver via https).


The TLS/SSL connection is totally unrelated to the 3DES mentioned in the Yii sourcecode.
BTW: Depending on your PHP version mcrypt is no longer available.

Your public survey website is announcing PHP/5.3.28 as the used PHP version.
Which is from the 12th Dec 2013.

That's right.
Tanks for your Statements.

BTW: I tried to update PHP many times, but wasn't able to do so.

I will change to limesurvey 3 on a new Installation (because upgrading with comfort update doesn't work) with new PHP.

To the developers: If it's true, that limesurvey 3 doesn't use 3DES (and Mcrypt?) it would be great to update the annotations in the php-files.

Please be careful when updating, LimeSurve 3 needs at least PHP version 5.5!
There may be issues with 5.3.

By the way updating PHP on Windows IIS is as easy as replacing the executables in the php path with the newer version. Since you are running on an older IIS system, I'd recommend to go not higher than 5.6, or update IIS to v10.

The CSecurityManager class is a Yii core class. The encrypt and decrypt methods of that core class are not in use anywhere in the Software, you can safely comment the methods it would not have any effect.

iqprGmbH wrote: BTW: I tried to update PHP many times, but wasn't able to do so.

The PHP/5.3.28 under Windows 2012 is your elephant in the room.
Wonder why the security consulting didn't ask for changing that.

The amount of security issues around PHP over the years:

www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74

iqprGmbH wrote: To the developers: If it's true, that limesurvey 3 doesn't use 3DES (and Mcrypt?) it would be great to update the annotations in the php-files.

Why should they change annotations of a third party framework (Yii).
It's not coded by LimeSurvey developers. Every installation with the Yii framework of this version contains this comment.

Wonder why the security consulting didn't ask for changing that.

That's what I thought too!