
System Unique encryption hash?


laszlof



Would anyone find something like this useful? Keep in mind that if this was done, you would not be able to (easily) move your WHMCS between systems. You would be required to update the encryption hash.

 

This sounds like a good idea but it depends on the implementation. If someone is skilled enough to hack your server or installation, chances are that they can spoof the unique requirements of the encryption.

 

The better option is to have a database server that isn't hosted on a publicly accessible server and store your credit card details there. The best option is to store the credit card details with the gateway and not put that burden on yourself.

 

If encryption is truly reversible, a unique system identifier won't be impossible to spoof or fake. It is still better than the encrypt() and decrypt() functions that WHMCS currently uses.


Nothing is going to make it 100% hack proof, that's just the nature of 2-way encryption. The idea is to make it as difficult as possible for a hacker to be able to decrypt the data.

 

Obviously, a token based solution would be the best option.

 

My idea is basically this: instead of having a static encryption hash, the encryption hash would be generated based on a unique identifier on the system. You would ionCube encode both the configuration file and the special "secure_hash" file that contains the code to build the actual encryption hash. By the time the hacker dumps your database and downloads the files, you'll hopefully realize that you've been compromised and lock it down, before the hacker has time to decode the secure hash functions and determine what is needed from the host system in order to decrypt the card data.

 

I already have the code to make this work; unfortunately it's currently only supported on dedicated Linux servers. I tested it on a Virtuozzo VPS container and it will not function. The unique ID is generated from something that isn't available in Virtuozzo. However, I'm working on a workaround for other platforms (Virtuozzo, Xen, Windows, etc.) so that it should work cross-platform.


I don't disagree with you at all. Anything is better than the basic reversible encryption WHMCS is using. I'm personally converting to a tokenized gateway and will be completing other PCI compliance tasks in the coming weeks. It may be easier to store CC info in the database and trust the encryption, but I'd rather do it the right way. I know you agree with that!

 

It would be nice to know that cPanel and other passwords, like PayPal info and such, are properly secured with better encryption than what is included by default.

 

My question to you is, how do you anticipate replacing the encrypt and decrypt functions without decoding and releasing a revised version of functions.php?


The built in encrypt/decrypt functions will work as expected. The cc_encryption_hash is still defined in the config file. Maybe posting an excerpt from my config will give you an idea how it works:

 

// Excerpt from configuration.php: the hash builder lives in the (encoded) secure_hash.php
include('secure_hash.php');
// Long random secret that stays in the config file, same role as the original cc_encryption_hash
$entropy = 'some_really_long_value_similar_to_the_original_cc_encryption_hash';
$hash = new Hash();
$hash->entropy = $entropy;
// The value WHMCS actually uses; it combines $entropy with a system-specific identifier
$cc_encryption_hash = $hash->getHash();

 

The cc_encryption_hash will be different depending on which server it's run on. So if a hacker just grabs the database and files, he'll be SOL.

 

Obviously it doesn't stop him from creating a file in your WHMCS installation and just echoing the value of cc_encryption_hash, but it's a start.

 

The secure_hash.php file will be heavily obfuscated and ioncube encoded to make it even more difficult to decipher.

 

The best method though is tokenized gateways. Everyone should be using them, I know I am.


I'd pay for this even, Frank, as long as it could work within a cloud environment, as I'll likely be putting my WHMCS in a Naxus container so it's easy to pull the plug on if the unthinkable happens.

 

Um, not sure. It relies heavily on the system it's installed on. If you have multiple failover systems it might not work correctly.

 

Also, if released, I plan on providing it for free.


I think you misunderstand, Naxus is just a CP for Xen-powered cloud servers. I like the idea of being able to hit the reset/nuke button if someone does get in. It's not really a failover system per se.

 

(It also allows me to strictly compartmentalise the other official websites my business has, such as the forum hosting that's essentially a subsidiary, instead of having them all together.)

Edited by Peter M Dodge

I've decided to release the code for this. Please feel free to test it out and use it.

 

Please be aware that if you are not on a fresh installation, you will have to update all existing data with the new hash that gets generated. I am working on a module to do this, but it may be a week or two before it's available.

 

For now, please feel free to try it out.

 

Here's the info from the included readme file:

 

 

Secure Hash WHMCS script

Author: Frank Laszlo <frank@franksworld.org>, Franksworld Solutions, LLC

Date: 5/28/12

Version: 0.1

 

 

DESCRIPTION

-------------------

This script will build a CC encryption hash that is unique to the machine on which WHMCS is installed. The purpose of this is to prevent the encryption hash from being exposed should the configuration.php file be acquired maliciously.

 

This WILL NOT make you 100% secure. It simply adds another layer of complexity to the process. There are trivial ways around this should an attacker have prolonged access to your system.

 

 

HOW IT WORKS

-------------------

Without giving away too many details, the basic premise of this script is that it generates a unique system key based on the hardware installed in your system. It then takes that value, and combines it with the entropy key you enter in the configuration file, and uses that to encrypt the card data. Since the encryption_hash is salted with the unique hardware key, it would generate a different value if someone tried to run it on another system.

 

 

REQUIREMENTS

-------------------

WHMCS. (should work for all versions, tested on 5.0.3)

Dedicated server (It does not currently support Virtuozzo, though it may work for Xen-based systems)

 

 

INSTALLATION

------------------

Copy secure_hash.php to your WHMCS installation directory. View example-configuration.php for usage instructions.

 

Once you have it installed, I highly recommend setting the showHash variable and copying down the generated encryption hash. This will be needed if you ever move your installation to new hardware.

 

To get the encryption hash, simply set $hash->showHash = true; in the config file, log in to your WHMCS admin interface, then navigate to http://www.yourdomain.com/whmcs/secure_hash.php. The hash will be displayed to you in plain text. You should write this down and store it somewhere safe, preferably either on a USB key stored in a safe, or written on a piece of paper.

 

WARNING: BE SURE TO DISABLE THE showHash VARIABLE AFTER YOU'VE COPIED IT DOWN! LEAVING IT ENABLED ALLOWS OTHER LOGGED IN ADMINS TO VIEW THE HASH.

 

 

FUTURE FEATURES

-----------------

- Add support for virtualization (Virtuozzo, Xen, etc.)
- Build an admin module to easily allow changing of the encryption hash (rehashing all data)

 

 

SUPPORT

-----------------

Being that this module is released for free, I'll do my best to support it. However, I cannot make any guarantees that it will not break in a future version. Should it stop working, you can easily revert back to the standard cc_encryption_hash using the key you saved in the installation steps above.

 

The code will remain encoded for security purposes; I will not give out the source. If you do not trust me, then please do not use this.

 

 

Please feel free to ask any questions.

 

 

secure_hash-0.1.zip

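The derivation the readme's HOW IT WORKS section describes, written out as an added example: this is not the thread's secure_hash.php (its source was never released) and the identifier files it reads are assumptions standing in for whatever hardware source the module actually uses.

```php
<?php
// Added illustration: derive cc_encryption_hash from a per-machine identifier
// plus the entropy string kept in configuration.php. NOT the thread's
// secure_hash.php; the identifier paths below are assumptions.

// Identifier sources, tried in order. /etc/machine-id is a per-install value
// that survives reboots but not a reinstall or a move to new hardware. The DMI
// product UUID comes from the BIOS/hypervisor, is root-readable only on most
// distributions, and is normally absent inside OpenVZ/Virtuozzo containers,
// which matches the "dedicated server only" limitation discussed above.
function readMachineId()
{
    $sources = array('/etc/machine-id', '/sys/class/dmi/id/product_uuid');
    foreach ($sources as $path) {
        if (is_readable($path)) {
            $id = trim((string) file_get_contents($path));
            if ($id !== '') {
                return $id;
            }
        }
    }
    // Fail closed: a fallback such as the hostname would be trivially guessable.
    throw new RuntimeException('No machine identifier available; refusing to derive a weak hash');
}

// HMAC keyed with the entropy string, so the output depends on both inputs
// and neither input can be recovered from the derived hash alone.
function deriveEncryptionHash($machineId, $entropy)
{
    if (strlen($entropy) < 32) {
        throw new InvalidArgumentException('entropy string must be long and random');
    }
    return hash_hmac('sha256', 'whmcs-cc-encryption-hash|' . $machineId, $entropy);
}

// Equivalent of the configuration.php excerpt posted earlier in the thread.
$entropy = 'REPLACE_WITH_A_LONG_RANDOM_VALUE_GENERATED_ONCE_PER_INSTALL';
$cc_encryption_hash = deriveEncryptionHash(readMachineId(), $entropy);

// The limits the thread itself states still apply: a database-plus-files dump
// yields a different value on another box, but anyone who can execute PHP on
// this server can simply read $cc_encryption_hash, and the derived value must
// be recorded offline before any hardware move or existing rows become
// undecryptable until they are re-encrypted under the new value.
```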

What about using PGP? It's designed for this. One could manually enter the decode password, either each time or it could be cached in memory once entered ... so not ever recorded on the filesystem.

 

The problem with this is, even if you cached them in memory, you'd have to use some kind of caching daemon (memcached, APC, etc.). If those services were restarted, you'd lose the cached passphrase. Any credit card handling, security question checks, etc. would fail until those were updated again.


I think, to be fair, WHMCS needs to be overhauled with the inbuilt option to run from two servers: one ring-fenced server to hold the database and anything that is risky (configurations etc.) and one that does the grunt work on the front end and only interfaces with tokens or a hash key. Seems like a valuable option that would help; maybe I'm overestimating what can be done.


The problem with this is, even if you cached them in memory, you'd have to use some kind of caching daemon (memcached, APC, etc.). If those services were restarted, you'd lose the cached passphrase. Any credit card handling, security question checks, etc. would fail until those were updated again.

That's very much the idea though. If the password isn't present in the filesystem, it can't be stolen. And of course with PGP no password is required to encrypt.

 

The problem would be with cron runs, and with reminding the user they needed to reactivate the password after a restart/reboot, before the cron run. This would be pretty much guaranteed security though. And just to clarify: this would only be suitable for credit card security; I wouldn't see it being used for security questions.

 

I apologize - I don't want to take away from your great idea and the module you're doing - sorry for the thread hijack!!


That's very much the idea though. If the password isn't present in the filesystem, it can't be stolen. And of course with PGP no password is required to encrypt.

 

The problem would be with cron runs, and with reminding the user they needed to reactivate the password after a restart/reboot, before the cron run. This would be pretty much guaranteed security though. And just to clarify: this would only be suitable for credit card security; I wouldn't see it being used for security questions.

 

I apologize - I don't want to take away from your great idea and the module you're doing - sorry for the thread hijack!!

 

The encrypt()/decrypt() internal WHMCS functions are used by MANY things within the system, and within modules. Any replacing of the encryption code would have to be a global replacement for that; you can't just cherry-pick the credit card data and be done with it.

 

Also, the encryption routine isn't just used for the cron job. When someone new signs up, their card details are immediately encrypted and stored. If the server was restarted before the key hash could be stored into memory, you'd end up losing orders due to the failure to encrypt the data.


Also, the encryption routine isn't just used for the cron job. When someone new signs up, their card details are immediately encrypted and stored. If the server was restarted before the key hash could be stored into memory, you'd end up losing orders due to the failure to encrypt the data.

Great points, thanks for educating me.

 

A small point: You don't need a password to encrypt with PGP; that's the whole point of public key encryption. Anyone can encrypt a message; you only need the password to encrypt. Whether this is a good fit for WHMCS is entirely another thing, and at the moment your solution is what's out there, thanks for providing it.


1 year later...

tks

 

Also, the encryption routine isn't just used for the cron job. When someone new signs up, their card details are immediately encrypted and stored. If the server was restarted before the key hash could be stored into memory, you'd end up losing orders due to the failure to encrypt the data.
