Cryptographic Hash Functions
Fall 2017 Secure Software Systems
Cryptographic Hash Functions
- Input: Message of arbitrary size
- Output: "Digest" (hashed output) of fixed size
[Figure: "Loreum ipsum" (message of arbitrary size) → Hash Function → 23sdfw83x8mjyacd6 (digest of fixed size)]
Cryptographic Hash Functions
- Design Goals
  - Computing the hash should be computationally cheap
  - Reversing the hash should be computationally expensive ("impossible"): a one-way function
Cryptographic Hash Functions
- Design Goals
  - Changing the message a small amount should produce a large change in the digest
  - Each bit in the digest has a 50% chance of flipping
[Figure: "Loreum ipsum" → Hash Function → 4ddf71e68243fb48; "Loreum Ipsum" → Hash Function → ce9c25cef29a8ea2]
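To see the avalanche goal above in action, here is an added Python example (not part of the lecture) that counts how many digest bits flip between the slide's two inputs, "Loreum ipsum" and "Loreum Ipsum" (a single-bit change in one byte), and averages the flip ratio over constructed one-bit-change pairs; it uses SHA-256 from hashlib by default and compares several algorithms when run as a script.

```python
import hashlib


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg1: bytes, msg2: bytes, algo: str = "sha256"):
    """Hash both messages; return (bits flipped, total digest bits)."""
    d1 = hashlib.new(algo, msg1).digest()
    d2 = hashlib.new(algo, msg2).digest()
    return hamming_distance(d1, d2), len(d1) * 8


def flip_ratio(msg1: bytes, msg2: bytes, algo: str = "sha256") -> float:
    flipped, total = avalanche(msg1, msg2, algo)
    return flipped / total


def average_flip_ratio(n_pairs: int = 200, algo: str = "sha256") -> float:
    """Average flip ratio over constructed pairs: 'msg-<i>' versus the same
    bytes with the lowest bit of the last byte flipped (a one-bit change).
    A good hash lands near 0.5, the '50% chance of flipping' on the slide."""
    total = 0.0
    for i in range(n_pairs):
        m = f"msg-{i}".encode()
        m_flipped = m[:-1] + bytes([m[-1] ^ 0x01])
        total += flip_ratio(m, m_flipped, algo)
    return total / n_pairs


if __name__ == "__main__":
    # Even the "don't use" algorithms still satisfy this particular goal;
    # their problem is collisions and length extension, not avalanche.
    for algo in ("md5", "sha1", "sha256", "sha3_256"):
        flipped, total = avalanche(b"Loreum ipsum", b"Loreum Ipsum", algo)
        print(f"{algo:8s} {flipped:3d}/{total} bits flipped, "
              f"average ratio over 200 pairs {average_flip_ratio(200, algo):.3f}")
```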
Cryptographic Hash Functions
- Design Goals
  - It should be very (very very VERY) hard to find two different messages that have the same digest
Cryptographic Hash Uses
- Security
  - Digital signatures
  - Message authentication
- General computing
  - Detect duplicate files
  - Detect file changes / corruption
  - Index data in hash tables
Cryptographic Hash Functions
- MD5: Don't use!
  - Input → 128-bit digest
- SHA-1: Don't use!
  - Input → 160-bit digest
  - Google, Apple, Microsoft, Mozilla retired support for SHA-1-signed SSL/TLS certificates in '16-'17
  - Vulnerable to collision attacks
  - Attackers have made fake SSL certificates
https://shattered.io/ (February 2017)
Google produced two different PDFs with the same SHA-1 hash as proof of danger
- Required 9,223,372,036,854,775,808 SHA-1 computations
- 110 years of single-GPU computation (but Google has more than one GPU...)
https://shattered.io/ (February 2017)
Cryptographic Hash Functions
ì SHA-2family– Safe(exceptforlengthextension)ì SHA-256(256-bitdigest,optimizedfor32-bitCPUs)ì SHA-512(512-bitdigest,optimizedfor64-bitCPUs)
ì SHA-3– Safe(including againstlengthextension)ì NIST Hashfunctioncompetition(2007-2012)
ì 51entriesround1,14round2,5finalistsì Winner:Keccakalgorithm
ì Efficientinhardwarebutslowinsoftwareì SHA3-256,SHA3-512,…
ì Blake2– Safeì AnotherSHA-3finalist
Length Extension Attacks
- Older hash algorithms output their entire internal state as the hash digest
- Attack: Pick up exactly where they left off! (Reconstruct the internal state from the hash digest)
[Figure: Plaintext "FundsXfer:Account123456:Amount:123" → Hash (md5, SHA-1, SHA-2) → 4ddf71e68243fb48ce9c25cef29a8ea2
Attacker: load the hash function with the state 4ddf71e68243fb48ce9c25cef29a8ea2, then continue running the hash function over the extension attack digits "000"
New plaintext "FundsXfer:Account123456:Amount:123000" → new hash 30c6ae0de5369c2637d5c541ef0095d8 😈]
Length Extension Attacks
- HashPump: A tool to exploit the hash length extension attack in various hashing algorithms
  - Currently supported algorithms: MD5, SHA1, SHA256, SHA512 (i.e. SHA-2 variants)
  - https://github.com/bwall/HashPump
- Real-world attacks require a bit of brute forcing (trial and error) to reconstruct the hash state, but nothing impossible
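The defensive side of the attack pictured above, as an added Python example that is not part of the lecture or of HashPump: the same funds-transfer message is tagged with the construction length extension targets (SHA-256 over key || message) beside three constructions the slides call safe (HMAC-SHA256, keyed BLAKE2b, SHA3-256), with a constant-time verifier; the key and messages are constructed for the demo. It also adds a caveat the figure leaves out: a real extended message must carry the hash's padding bytes between the original text and the appended digits, which a strict parser of printable text can reject.

```python
import hashlib
import hmac

# Constructed demo values (not real traffic, not the lecture's tooling).
KEY = b"demo-shared-secret"
ORIGINAL = b"FundsXfer:Account123456:Amount:123"
EXTENDED = ORIGINAL + b"000"


def naive_tag(key: bytes, msg: bytes) -> str:
    """The pattern length extension targets: SHA-256(key || msg). The digest
    is the hash's whole internal state, so whoever holds the tag can keep
    absorbing appended data without knowing the key. Do not use."""
    return hashlib.sha256(key + msg).hexdigest()


def hmac_tag(key: bytes, msg: bytes) -> str:
    """HMAC hashes twice with the key; the tag is not a resumable state."""
    return hmac.new(key, msg, "sha256").hexdigest()


def blake2_tag(key: bytes, msg: bytes) -> str:
    """BLAKE2 has a native keyed mode; no HMAC wrapper needed."""
    return hashlib.blake2b(msg, key=key, digest_size=32).hexdigest()


def sha3_tag(key: bytes, msg: bytes) -> str:
    """SHA-3's sponge never exposes its full state, so key || msg is safe."""
    return hashlib.sha3_256(key + msg).hexdigest()


SAFE_TAGS = {"hmac-sha256": hmac_tag, "blake2b-keyed": blake2_tag, "sha3-256": sha3_tag}


def verify(tag_fn, key: bytes, msg: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(tag_fn(key, msg), tag)


def is_well_formed(msg: bytes) -> bool:
    """Strict input check for the printable 'Field:Value' transfer message. An
    extended message must carry the hash's padding (0x80, NUL bytes, a length
    field) between the original text and the appended digits, so rejecting
    non-printable bytes stops it before any tag check (defence in depth only;
    the real fix is one of the SAFE_TAGS constructions)."""
    return all(0x20 <= b < 0x7F for b in msg)


if __name__ == "__main__":
    for name, fn in SAFE_TAGS.items():
        tag = fn(KEY, ORIGINAL)
        print(name, verify(fn, KEY, ORIGINAL, tag), verify(fn, KEY, EXTENDED, tag))
```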
Password Storage
Password Storage
We agree that it's horrible to store plaintext passwords in a database, yes?
- Database theft instantly gives the attacker all user passwords ☹
- Attacker could be a rogue system administrator... ☹
- Humans re-use passwords across many sites ☹
- Does a website password reset tool email you your original password? RUN!!!
🙀
Password Storage
- Encrypting the entire database doesn't help
  - Attacker could easily steal the encryption keys along with the database data: the keys must be in the system somewhere
- Encrypting individual passwords is a similar headache
  - Where to store the keys?
  - How to keep the keys safe?
  - So many keys!!
🤕
Warning!
Warning: Cryptographic hashes for password storage are wrong!
Can hashes help us?
Password Storage
[Figure: "Swordfish" → Hash Function → 4ddf71e68243fb4]
- Alice's plaintext password can't be instantly reversed from the hash if the database is stolen ✔
- But what if Bob has the same password? He will have the same hash ☹
Password Storage
- Humans choose terrible passwords:
  - password, swordfish, passw0rd, etc...
- There are only a few plausible hash functions in widespread use
- Attackers can pre-compute hashes for likely passwords (dictionary words and permutations)
  - Save in a "rainbow table"
  - Search for a quick match!
Password Lists
- Large lists of likely passwords are assembled by attackers from prior password leaks (real-world data)
- Free/cheap option for your downloading convenience
  - https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
  - 15 GB uncompressed
  - Start guessing at "password123" instead of "aaaaaaaa"
Password Storage
- Improvement: Don't hash {password}
  - Instead hash {salt | password}
- "Salt" is a large (160-bit) cryptographically random number appended/prepended to the password
- Best practice
  - Unique salt per user, not per system
  - Store this in the database along with the hash
- Rainbow tables now worthless
  - Would need a rainbow table for each of the 2^160 salt values
Password Storage
- Many systems use just a single salt, so an attacker only needs to compute one rainbow table ☹
- Per-user salts are still fundamentally broken, just harder to crack ☹
  - Cryptographic hash functions are intended to be fast
  - Attackers that steal your database also have your salt. With GPUs they can brute-force all possible passwords (following the password list and permutations)
- Broken? Not instantly. But vulnerable? Yes
Password Storage
"Please stop hashing passwords": https://blog.tjll.net/please-stop-hashing-passwords/
🙏
Password Storage
- Password storage should use a Key Derivation Function (KDF) instead
  - It looks like a hash function, but has a completely different design goal
- Design goals
  - KDF: hard to compute
    - Ideally, as slow as your users will tolerate without switching to a competitor product!
  - Cryptographic hash: easy to compute
Key Derivation Functions
- Bcrypt: good
  - Tunable time-hard: you can configure how much CPU time it takes to calculate a hash key
  - CPUs getting faster? Tune bcrypt to take more time!
- Scrypt: good
  - Tunable time (CPU) and space (memory) hard
  - GPU brute-forcing is hampered due to the memory requirements
- Important: Still use a salt with KDF algorithms
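How the slides' advice fits together (a per-user 160-bit salt, a tunable KDF, constant-time verification), as an added Python example that is not the lecture's code; it uses scrypt from the standard library's hashlib (which assumes a Python built against OpenSSL 1.1 or later), the cost parameters are demo assumptions rather than a recommendation, and the unsalted SHA-256 function is there only to show the Alice/Bob problem from the earlier slide.

```python
import hashlib
import hmac
import secrets

# Demo cost parameters (an assumption for this example, not a recommendation):
# raise SCRYPT_N as hardware gets faster, the tuning the slides describe.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 20  # 160-bit per-user salt, as the slides recommend
KEY_BYTES = 32


def unsalted_sha256(password: str) -> str:
    """The 'before' from the earlier slide: Alice and Bob with the same
    password get the same digest, and one rainbow table matches both."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Store a self-describing record: scrypt$N$r$p$salt_hex$key_hex.
    A fresh random salt per user means equal passwords yield different records."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in
    constant time, so a wrong guess costs the attacker the full KDF time."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def needs_rehash(record: str, min_n: int = SCRYPT_N) -> bool:
    """True when a record was made with a lower cost than current policy;
    re-hash it at the user's next successful login."""
    return int(record.split("$")[1]) < min_n


if __name__ == "__main__":
    alice, bob = hash_password("Swordfish"), hash_password("Swordfish")
    print("unsalted digests equal:", unsalted_sha256("Swordfish") == unsalted_sha256("Swordfish"))
    print("salted records equal:  ", alice == bob)
    print("alice ok:", verify_password("Swordfish", alice),
          "wrong guess:", verify_password("swordfish", alice))
```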
Key Derivation Functions
https://blog.tjll.net/please-stop-hashing-passwords/ (CORS policy requires changing the JavaScript to load the JSON over HTTPS to get the interactive graph to appear...)
Comparing hash functions by time to generate a digest: md5, sha1, sha2, sha3, pbkdf2
How do you think bcrypt and scrypt will compare?
Key Derivation Functions
https://blog.tjll.net/please-stop-hashing-passwords/
The original hashes (md5, sha1, sha2, sha3, pbkdf2) are not even visible at the bottom!
Y-axis (original): 0.00-0.25 s; Y-axis (new): 0-600 s
Key Derivation Functions
- Ruby script to generate your own dataset
  - https://gist.github.com/tylerjl/10802499