Welcome to the LimeSurvey Community Forum


Deactivation of 3DES

5 years 4 months ago - 5 years 4 months ago #177306 by iqprGmbH
Deactivation of 3DES was created by iqprGmbH
Hello,
our security consultants ask me to deactivate 3DES.
If I do so, LimeSurvey doesn't run anymore, even if I don't use encryption features (as far as I know).
What exactly is 3DES used for in LimeSurvey?
Is there a way to run LimeSurvey without 3DES?
Many thanks in advance.
Torsten
5 years 4 months ago - 5 years 4 months ago #177307 by jelo
Replied by jelo on topic Deactivation of 3DES

iqprGmbH wrote: our security consultants ask me to deactivate 3DES.
If I do so, LimeSurvey doesn't run anymore, even if I don't use encryption features (as far as I know).

Would you mind elaborating a bit?

What have you actually done to deactivate 3DES? What does not run exactly mean? Describe the situation.

What version of LimeSurvey?
What environment? Windows/Linux? PHP?

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
5 years 4 months ago #177309 by markusfluer
Replied by markusfluer on topic Deactivation of 3DES
Depending on the version in use, I can assure you that LimeSurvey v3 is not using 3DES anywhere.
Our main hashing method is SHA256.
5 years 4 months ago #177312 by holch
Replied by holch on topic Deactivation of 3DES

Depending on the version in use, I can assure you that LimeSurvey v3 is not using 3DES anywhere.

So you can't guarantee it, or what does the "depending on the version" mean here? Which version use 3DES and which don't?

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

5 years 4 months ago #177318 by jelo
Replied by jelo on topic Deactivation of 3DES
Why aren't we waiting for an answer? Depending on the version and the server environment there are fallbacks in the code (e.g. Yii-Framework) to provide routines for encryption. To rule out anything without knowing the environment is always risky. Let's wait for more information.

5 years 4 months ago #177320 by iqprGmbH
Replied by iqprGmbH on topic Deactivation of 3DES
Dear all,
it is (was) LimeSurvey 2.67.3 on a Win Server 2012.
I disabled Triple DES in the Registry ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168")
and afterwards I could not open any page (not the login, nor any other page). I just get a warning that 3DES is not available.
BUT: Meanwhile I made some tests with LimeSurvey 3.15.5. And yes: 3.15.5 also runs when 3DES is disabled.
Nevertheless, in CSecurityManager.php it still says that Mcrypt (using 3DES) needs to be loaded.

<?php
/**
* This file contains classes implementing security manager feature.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @link www.yiiframework.com/
* @copyright 2008-2013 Yii Software LLC
* @license www.yiiframework.com/license/
*/

/**
* CSecurityManager provides private keys, hashing and encryption functions.
*
* CSecurityManager is used by Yii components and applications for security-related purpose.
* For example, it is used in cookie validation feature to prevent cookie data
* from being tampered.
*
* CSecurityManager is mainly used to protect data from being tampered and viewed.
* It can generate HMAC and encrypt the data. The private key used to generate HMAC
* is set by {@link setValidationKey ValidationKey}. The key used to encrypt data is
* specified by {@link setEncryptionKey EncryptionKey}. If the above keys are not
* explicitly set, random keys will be generated and used.
*
* To protected data with HMAC, call {@link hashData()}; and to check if the data
* is tampered, call {@link validateData()}, which will return the real data if
* it is not tampered. The algorithm used to generated HMAC is specified by
* {@link validation}.
*
* To encrypt and decrypt data, call {@link encrypt()} and {@link decrypt()}
* respectively, which uses 3DES encryption algorithm. Note, the PHP Mcrypt
* extension must be installed and loaded.


My problem seems to be solved, but if anyone knows, I would appreciate knowing which features will not work with 3DES disabled (in version 3.15.5).

Many thanks
Torsten
5 years 4 months ago #177323 by jelo
Replied by jelo on topic Deactivation of 3DES

iqprGmbH wrote: Dear all,
it is (was) LimeSurvey 2.67.3 on a Win Server 2012.
I disabled Triple DES in the Registry ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168")
and afterwards I could not open any page (not the login, nor any other page). I just get a warning that 3DES is not available.


My view:
Your public survey website is running LimeSurvey under Microsoft-IIS/8.5.
You were advised to disable certain ciphers to strengthen the SSL/TLS encryption (accessing the webserver via https).


The TLS/SSL connection is totally unrelated to the 3DES mentioned in the Yii sourcecode.
BTW: Depending on your PHP version mcrypt is no longer available.

Your public survey website is announcing PHP/5.3.28 as the used PHP version.
Which is from the 12th Dec 2013.

5 years 4 months ago #177329 by iqprGmbH
Replied by iqprGmbH on topic Deactivation of 3DES
That's right.
Thanks for your statements.

BTW: I tried to update PHP many times, but wasn't able to do so.

I will change to LimeSurvey 3 on a new installation (because upgrading with ComfortUpdate doesn't work) with a new PHP.

To the developers: if it's true that LimeSurvey 3 doesn't use 3DES (and Mcrypt?), it would be great to update the annotations in the PHP files.
5 years 4 months ago #177332 by markusfluer
Replied by markusfluer on topic Deactivation of 3DES
Please be careful when updating, LimeSurvey 3 needs at least PHP version 5.5!
There may be issues with 5.3.

By the way, updating PHP on Windows IIS is as easy as replacing the executables in the PHP path with the newer version. Since you are running on an older IIS system, I'd recommend not going higher than 5.6, or updating IIS to v10.

The CSecurityManager class is a Yii core class. The encrypt and decrypt methods of that core class are not in use anywhere in the software; you can safely comment them out, it would not have any effect.
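The thread turns on two different "3DES" settings: the SCHANNEL registry key the consultant asked for (which only affects the ciphers IIS offers over TLS) and the mcrypt-backed encrypt()/decrypt() in Yii's CSecurityManager (which only matters if the application code calls it). The script below is an added example, not code from the thread, from LimeSurvey or from Yii; it checks all three layers on the Windows server itself. The install path, the php.exe path and the `securityManager` component name used in the search pattern are assumptions to adjust for your system; the registry write is left commented out because it needs an elevated shell and a reboot.

```powershell
# Added example (not from the thread, LimeSurvey or Yii): verify where 3DES
# is, and is not, in play on a Windows/IIS LimeSurvey host.
# Assumptions (adjust): LimeSurvey is installed in $lsRoot, PHP is $phpExe.
$lsRoot  = 'C:\inetpub\wwwroot\limesurvey'   # assumed install path
$phpExe  = 'C:\php\php.exe'                   # assumed PHP binary
$tdesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'

# 1) TLS layer: what the consultant's registry change actually controls.
#    SCHANNEL reads a DWORD named "Enabled" under the cipher's key; 0 disables
#    the cipher for all SCHANNEL users (IIS included). No key = OS default.
if (Test-Path $tdesKey) {
    $enabled = (Get-ItemProperty -Path $tdesKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled)  { 'SCHANNEL 3DES: key present, no Enabled value (OS default applies)' }
    elseif ($enabled -eq 0)  { 'SCHANNEL 3DES: disabled' }
    else                     { "SCHANNEL 3DES: enabled (Enabled=$enabled)" }
} else {
    'SCHANNEL 3DES: key absent (OS default applies)'
}
# To disable it (elevated shell; takes effect after a reboot):
# New-Item -Path $tdesKey -Force | Out-Null
# New-ItemProperty -Path $tdesKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null

# 2) PHP layer: the Yii docblock refers to the mcrypt extension, which has
#    nothing to do with SCHANNEL. mcrypt was deprecated in PHP 7.1 and removed
#    from core in 7.2, so on a current PHP this will normally report "absent".
$mcrypt = & $phpExe -r "echo extension_loaded('mcrypt') ? 'loaded' : 'absent';"
"PHP mcrypt extension: $mcrypt"

# 3) Application layer: does LimeSurvey's own code ever reach the 3DES path?
#    Search application PHP files, excluding the bundled framework/ directory,
#    for calls to CSecurityManager encrypt/decrypt (via the Yii 1 component
#    name 'securityManager', assumed here) or to the mcrypt_* functions.
$pattern = 'securityManager->(en|de)crypt\(|getSecurityManager\(\)->(en|de)crypt\(|\bmcrypt_'
$hits = Get-ChildItem -Path $lsRoot -Recurse -Include *.php -File |
    Where-Object { $_.FullName -notmatch '\\framework\\' } |
    Select-String -Pattern $pattern
if ($hits) {
    "Application code reaching the 3DES/mcrypt path ($($hits.Count) hits):"
    $hits | ForEach-Object { "  $($_.Path):$($_.LineNumber): $($_.Line.Trim())" }
} else {
    'No application-level callers of CSecurityManager encrypt/decrypt or mcrypt_* found.'
}
```

Run it in an elevated PowerShell on the web server (PowerShell 3.0 or later, for `-File`). Step 1 answers the consultant's question, step 3 is how to confirm, rather than assume, the claim above that the encrypt/decrypt methods are unused; cookie validation uses the HMAC side of CSecurityManager, which is not affected either way. If you also want a client-side confirmation that IIS no longer negotiates 3DES after the reboot, use a TLS scanner rather than a plain `openssl s_client -cipher` probe: OpenSSL 1.1.0 and later builds leave 3DES out unless compiled with `enable-weak-ssl-ciphers`, so a "handshake failure" from a modern client proves nothing about the server.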
5 years 4 months ago #177333 by jelo
Replied by jelo on topic Deactivation of 3DES

iqprGmbH wrote: BTW: I tried to update PHP many times, but wasn't able to do so.

The PHP/5.3.28 under Windows 2012 is your elephant in the room.
Wonder why the security consulting didn't ask for changing that.

The amount of security issues around PHP over the years:

www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74

iqprGmbH wrote: To the developers: If it's true, that limesurvey 3 doesn't use 3DES (and Mcrypt?) it would be great to update the annotations in the php-files.

Why should they change the annotations of a third-party framework (Yii)?
It's not coded by LimeSurvey developers. Every installation with this version of the Yii framework contains this comment.

5 years 4 months ago #177355 by holch
Replied by holch on topic Deactivation of 3DES

Wonder why the security consulting didn't ask for changing that.

That's what I thought too!
