Deactivation of 3DES
- iqprGmbH
- Topic Author
Our security consultants ask me to deactivate 3DES.
If I do so, LimeSurvey doesn't run anymore, even if I don't use encryption features (as far as I know).
For what exactly is 3DES used in LimeSurvey?
Is there a way to run LimeSurvey without 3DES?
Many thanks in advance.
Torsten
- jelo
iqprGmbH wrote: Our security consultants ask me to deactivate 3DES.
If I do so, LimeSurvey doesn't run anymore, even if I don't use encryption features (as far as I know).
Would you mind elaborating a bit?
What have you actually done to deactivate 3DES? What exactly does "does not run" mean? Describe the situation.
What version of LimeSurvey?
What environment? Windows/Linux? PHP?
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
- markusfluer
Our main hashing method is SHA256.
- holch
- LimeSurvey Community Team
Quote: Depending on the version in use I can assure you that LimeSurvey v3 is not using 3DES anywhere.
So you can't guarantee it, or what does "depending on the version" mean here? Which versions use 3DES and which don't?
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
- jelo
- iqprGmbH
- Topic Author
It is (was) LimeSurvey 2.67.3 on a Win Server 2012.
I disabled triple DES in the Registry ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168")
and afterwards I could not open any page (not the login, or any other page). I just get a warning that 3DES is not available.
BUT: Meanwhile I made some tests with LimeSurvey 3.15.5. And yes: 3.15.5 also runs when 3DES is disabled.
Nevertheless, in CSecurityManager.php it still says that Mcrypt (using 3DES) needs to be loaded.
<?php
/**
* This file contains classes implementing security manager feature.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @link www.yiiframework.com/
* @copyright 2008-2013 Yii Software LLC
* @license www.yiiframework.com/license/
*/
/**
* CSecurityManager provides private keys, hashing and encryption functions.
*
* CSecurityManager is used by Yii components and applications for security-related purpose.
* For example, it is used in cookie validation feature to prevent cookie data
* from being tampered.
*
* CSecurityManager is mainly used to protect data from being tampered and viewed.
* It can generate HMAC and encrypt the data. The private key used to generate HMAC
* is set by {@link setValidationKey ValidationKey}. The key used to encrypt data is
* specified by {@link setEncryptionKey EncryptionKey}. If the above keys are not
* explicitly set, random keys will be generated and used.
*
* To protect data with HMAC, call {@link hashData()}; and to check if the data
* is tampered, call {@link validateData()}, which will return the real data if
* it is not tampered. The algorithm used to generate HMAC is specified by
* {@link validation}.
*
* To encrypt and decrypt data, call {@link encrypt()} and {@link decrypt()}
* respectively, which uses 3DES encryption algorithm. Note, the PHP Mcrypt
* extension must be installed and loaded.
My problem seems to be solved, but if anyone knows, I would appreciate knowing which features will not work with 3DES disabled (in version 3.15.5).
Many thanks
Torsten
- jelo
iqprGmbH wrote: Dear all,
It is (was) LimeSurvey 2.67.3 on a Win Server 2012.
I disabled triple DES in the Registry ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168")
and afterwards I could not open any page (not the login, or any other page). I just get a warning that 3DES is not available.
My view:
Your public survey website is running LimeSurvey under Microsoft-IIS/8.5.
You were advised to disable certain ciphers to strengthen the SSL/TLS encryption (accessing the webserver via https).
The TLS/SSL connection is totally unrelated to the 3DES mentioned in the Yii sourcecode.
BTW: Depending on your PHP version, mcrypt is no longer available.
Your public survey website is announcing PHP/5.3.28 as the used PHP version,
which is from the 12th Dec 2013.
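The registry change quoted above acts on the Windows TLS stack (SCHANNEL), which is what the IIS https listener uses; it has nothing to do with the 3DES named in the Yii comment. As an added example that is not from this thread or from LimeSurvey, the script below reads the SCHANNEL cipher override keys (the "Triple DES 168" path named in the thread plus any sibling subkeys) and reports each one's state, so an administrator can confirm what the hardening change did. It assumes an elevated PowerShell session on the server and the documented convention that an `Enabled` DWORD of 0 disables a cipher.

```powershell
# Added example, not part of the forum thread: audit SCHANNEL cipher overrides.
# Changes under this key only take effect after a reboot, and they affect TLS on
# IIS only, not PHP's mcrypt extension or any application-level 3DES use.
$SchannelCiphers = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    param([Parameter(Mandatory)][string]$CipherName)

    $key = Join-Path $SchannelCiphers $CipherName
    if (-not (Test-Path -LiteralPath $key)) {
        # No subkey means no override: Windows applies its built-in default for this cipher.
        return [pscustomobject]@{ Cipher = $CipherName; State = 'default (no override key)' }
    }

    # REG_DWORD comes back as Int32, so the usual "on" value 0xFFFFFFFF reads as -1.
    $enabled = (Get-ItemProperty -LiteralPath $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) {
        $state = 'default (key present, no Enabled value)'
    } elseif ($enabled -eq 0) {
        $state = 'disabled'
    } else {
        $state = 'enabled (0x{0:X8})' -f ($enabled -band 0xFFFFFFFF)
    }
    [pscustomobject]@{ Cipher = $CipherName; State = $state }
}

function Get-SchannelCipherAudit {
    # Always report the cipher from the thread, even when it has no override key,
    # then every other cipher that has an explicit subkey on this machine.
    $names = @('Triple DES 168')
    if (Test-Path -LiteralPath $SchannelCiphers) {
        $names += Get-ChildItem -LiteralPath $SchannelCiphers | ForEach-Object PSChildName
    }
    $names | Sort-Object -Unique | ForEach-Object { Get-SchannelCipherState -CipherName $_ }
}

Get-SchannelCipherAudit | Format-Table -AutoSize
```

A line reading `Triple DES 168  disabled` confirms the registry change described in the thread; whether the PHP side still has mcrypt is a separate question answered by `php -m`, not by this key.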
- iqprGmbH
- Topic Author
Thanks for your statements.
BTW: I tried to update PHP many times, but wasn't able to do so.
I will change to LimeSurvey 3 on a new installation (because upgrading with ComfortUpdate doesn't work) with new PHP.
To the developers: If it's true that LimeSurvey 3 doesn't use 3DES (and Mcrypt?), it would be great to update the annotations in the PHP files.
- markusfluer
There may be issues with 5.3.
By the way, updating PHP on Windows IIS is as easy as replacing the executables in the PHP path with the newer version. Since you are running on an older IIS system, I'd recommend not going higher than 5.6, or updating IIS to v10.
The CSecurityManager class is a Yii core class. The encrypt and decrypt methods of that core class are not in use anywhere in the software; you can safely comment out the methods, it would not have any effect.
- jelo
iqprGmbH wrote: BTW: I tried to update PHP many times, but wasn't able to do so.
The PHP/5.3.28 under Windows 2012 is your elephant in the room.
Wonder why the security consulting didn't ask for changing that.
The amount of security issues around PHP over the years:
www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74
iqprGmbH wrote: To the developers: If it's true that LimeSurvey 3 doesn't use 3DES (and Mcrypt?), it would be great to update the annotations in the PHP files.
Why should they change annotations of a third-party framework (Yii)?
It's not coded by LimeSurvey developers. Every installation with this version of the Yii framework contains this comment.
- holch
- LimeSurvey Community Team
Quote: Wonder why the security consulting didn't ask for changing that.
That's what I thought too!