Deactivation of 3DES

3 weeks 1 day ago - 3 weeks 1 day ago #177306 by iqprGmbH
iqprGmbH created the topic: Deactivation of 3DES
Hello,
Our security consultants ask me to deactivate 3DES.
If I do so, LimeSurvey doesn't run anymore, even if I don't use encryption features (as far as I know).
For what exactly is 3DES used in limesurvey?
Is there a way to run limesurvey without 3DES?
Many thanks in advance.
Torsten
Last Edit: 3 weeks 1 day ago by iqprGmbH.

3 weeks 1 day ago - 3 weeks 1 day ago #177307 by jelo
jelo replied the topic: Deactivation of 3DES

iqprGmbH wrote: Our security consultants ask me to deactivate 3DES.
If I do so, LimeSurvey doesn't run anymore, even if I don't use encryption features (as far as I know).

Would you mind elaborating a bit?

What have you actually done to deactivate 3DES? What exactly does "does not run" mean? Describe the situation.

What version of LimeSurvey?
What environment? Windows/Linux? PHP?

Are you a student conducting a survey? If yes, tell me why you use LimeSurvey?
www.limesurvey.org/forum/development/116...y-you-use-limesurvey
Last Edit: 3 weeks 1 day ago by jelo.

3 weeks 1 day ago #177309 by markusfluer
markusfluer replied the topic: Deactivation of 3DES
Depending on the version in use, I can assure you that LimeSurvey v3 is not using 3DES anywhere.
Our main hashing method is SHA256.

3 weeks 1 day ago #177312 by holch
holch replied the topic: Deactivation of 3DES

Depending on the version in use, I can assure you that LimeSurvey v3 is not using 3DES anywhere.

So you can't guarantee it, or what does "depending on the version" mean here? Which versions use 3DES and which don't?

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds

3 weeks 1 day ago #177318 by jelo
jelo replied the topic: Deactivation of 3DES
Why aren't we waiting for an answer? Depending on the version and the server environment, there are fallbacks in the code (e.g. the Yii framework) to provide routines for encryption. Ruling out anything without knowing the environment is always risky. Let's wait for more information.

Are you a student conducting a survey? If yes, tell me why you use LimeSurvey?
www.limesurvey.org/forum/development/116...y-you-use-limesurvey

3 weeks 1 day ago #177320 by iqprGmbH
iqprGmbH replied the topic: Deactivation of 3DES
Dear all,
It is (was) LimeSurvey 2.67.3 on a Win Server 2012.
I disabled Triple DES in the registry ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168")
and afterwards I could not open any page (not the login, or any other page). I just get a warning that 3DES is not available.
BUT: Meanwhile I made some tests with LimeSurvey 3.15.5. And yes: 3.15.5 also runs when 3DES is disabled.
Nevertheless, CSecurityManager.php still says that Mcrypt (using 3DES) needs to be loaded.

<?php
/**
* This file contains classes implementing security manager feature.
*
* @author Qiang Xue
* @link www.yiiframework.com/
* @copyright 2008-2013 Yii Software LLC
* @license www.yiiframework.com/license/
*/

/**
* CSecurityManager provides private keys, hashing and encryption functions.
*
* CSecurityManager is used by Yii components and applications for security-related purpose.
* For example, it is used in cookie validation feature to prevent cookie data
* from being tampered.
*
* CSecurityManager is mainly used to protect data from being tampered and viewed.
* It can generate HMAC and encrypt the data. The private key used to generate HMAC
* is set by {@link setValidationKey ValidationKey}. The key used to encrypt data is
* specified by {@link setEncryptionKey EncryptionKey}. If the above keys are not
* explicitly set, random keys will be generated and used.
*
* To protected data with HMAC, call {@link hashData()}; and to check if the data
* is tampered, call {@link validateData()}, which will return the real data if
* it is not tampered. The algorithm used to generated HMAC is specified by
* {@link validation}.
*
* To encrypt and decrypt data, call {@link encrypt()} and {@link decrypt()}
* respectively, which uses 3DES encryption algorithm. Note, the PHP Mcrypt
* extension must be installed and loaded.


My problem seems to be solved, but if anyone knows, I would appreciate learning which features will not work with 3DES disabled (in version 3.15.5).

Many thanks
Torsten

3 weeks 1 day ago #177323 by jelo
jelo replied the topic: Deactivation of 3DES

iqprGmbH wrote: Dear all,
It is (was) LimeSurvey 2.67.3 on a Win Server 2012.
I disabled Triple DES in the registry ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168")
and afterwards I could not open any page (not the login, or any other page). I just get a warning that 3DES is not available.


My view:
Your public survey website is running LimeSurvey under Microsoft-IIS/8.5.
You were advised to disable certain ciphers to strengthen the SSL/TLS encryption (accessing the webserver via https).


The TLS/SSL connection is totally unrelated to the 3DES mentioned in the Yii source code.
BTW: Depending on your PHP version, mcrypt is no longer available.

Your public survey website is announcing PHP/5.3.28 as the PHP version in use,
which is from 12 Dec 2013.

Are you a student conducting a survey? If yes, tell me why you use LimeSurvey?
www.limesurvey.org/forum/development/116...y-you-use-limesurvey
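To make the distinction jelo draws concrete: the registry edit from the thread only configures which ciphers Windows SCHANNEL offers for TLS, and says nothing about the mcrypt 3DES routine in Yii's CSecurityManager. The following read-only PowerShell audit is an added example (not code from the thread, LimeSurvey or Yii); it assumes the standard SCHANNEL layout in which a cipher subkey may carry a DWORD named Enabled (0 = disabled, 0xFFFFFFFF = enabled), and treats an absent key or value as "OS default".

```powershell
# Added example, not from the thread or from LimeSurvey/Yii. Read-only audit of the
# SCHANNEL cipher settings (TLS layer) that the registry edit in the thread touched.
# Assumption: standard SCHANNEL layout; a cipher subkey may hold a DWORD 'Enabled'
# (0 = disabled, 0xFFFFFFFF = enabled). Absent key or value = operating system default.
$SchannelCiphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    param([Parameter(Mandatory)][string]$CipherName)

    # .NET registry API is used on purpose: some SCHANNEL key names contain '/',
    # which the HKLM: provider would misread as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelCiphers\$CipherName")
    if ($null -eq $key) {
        return [pscustomobject]@{ Cipher = $CipherName; Enabled = $null; State = 'not configured (OS default)' }
    }
    try {
        $enabled = $key.GetValue('Enabled')   # DWORD 0xFFFFFFFF is returned as Int32 -1
    } finally {
        $key.Close()
    }

    if ($null -eq $enabled) { $state = 'key present, no Enabled value (OS default)' }
    elseif ($enabled -eq 0) { $state = 'disabled' }
    else { $state = 'enabled' }

    [pscustomobject]@{ Cipher = $CipherName; Enabled = $enabled; State = $state }
}

function Get-SchannelCipherReport {
    # Report every cipher subkey configured on this host, and always include
    # 'Triple DES 168' (the key from the thread) even if it was never created.
    $names = @('Triple DES 168')
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelCiphers)
    if ($null -ne $root) {
        try { $names += $root.GetSubKeyNames() } finally { $root.Close() }
    }
    $names | Sort-Object -Unique | ForEach-Object { Get-SchannelCipherState -CipherName $_ }
}

Get-SchannelCipherReport | Format-Table -AutoSize
```

A "disabled" row for Triple DES 168 confirms the consultant's TLS hardening took effect; whether the PHP mcrypt extension is loaded is a separate question answered by the PHP configuration, not by this key.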

3 weeks 18 hours ago #177329 by iqprGmbH
iqprGmbH replied the topic: Deactivation of 3DES
That's right.
Thanks for your statements.

BTW: I tried to update PHP many times, but wasn't able to do so.

I will change to LimeSurvey 3 on a new installation with a new PHP (because upgrading with ComfortUpdate doesn't work).

To the developers: If it's true that LimeSurvey 3 doesn't use 3DES (and Mcrypt?), it would be great to update the annotations in the PHP files.

3 weeks 17 hours ago #177332 by markusfluer
markusfluer replied the topic: Deactivation of 3DES
Please be careful when updating: LimeSurvey 3 needs at least PHP version 5.5!
There may be issues with 5.3.

By the way, updating PHP on Windows IIS is as easy as replacing the executables in the PHP path with the newer version. Since you are running on an older IIS system, I'd recommend not going higher than 5.6, or updating IIS to v10.

The CSecurityManager class is a Yii core class. The encrypt and decrypt methods of that core class are not in use anywhere in the software; you can safely comment the methods out, it would not have any effect.

3 weeks 17 hours ago #177333 by jelo
jelo replied the topic: Deactivation of 3DES

iqprGmbH wrote: BTW: I tried to update PHP many times, but wasn't able to do so.

The PHP/5.3.28 under Windows 2012 is your elephant in the room.
I wonder why the security consultants didn't ask for that to be changed.

The amount of security issues around PHP over the years:

www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74

iqprGmbH wrote: To the developers: If it's true that LimeSurvey 3 doesn't use 3DES (and Mcrypt?), it would be great to update the annotations in the PHP files.

Why should they change annotations of a third-party framework (Yii)?
It's not coded by LimeSurvey developers. Every installation with this version of the Yii framework contains this comment.

Are you a student conducting a survey? If yes, tell me why you use LimeSurvey?
www.limesurvey.org/forum/development/116...y-you-use-limesurvey
3 weeks 14 hours ago #177355 by holch
holch replied the topic: Deactivation of 3DES

I wonder why the security consultants didn't ask for that to be changed.

That's what I thought too!

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds
