Cryptographic Hash Functions
Fall 2017 Secure Software Systems

Cryptographic Hash Functions
- Input: Message of arbitrary size
- Output: “Digest” (hashed output) of fixed size

Loreum ipsum (message of arbitrary size) → Hash Function → 23sdfw83x8mjyacd6 (digest of fixed size)

Cryptographic Hash Functions
- Design Goals
  - Computing hash should be computationally cheap
  - Reversing hash should be computationally expensive (“impossible”) – One-way function

Loreum ipsum (message of arbitrary size) → Hash Function → 23sdfw83x8mjyacd6 (digest of fixed size)

Cryptographic Hash Functions
- Design Goals
  - Changing the message a small amount should produce a large change in the digest
  - Each bit in digest has 50% chance of flipping

Loreum ipsum → Hash Function → 4ddf71e68243fb48
Loreum Ipsum → Hash Function → ce9c25cef29a8ea2
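
The 50% figure can be measured directly. This added example (not from the lecture) flips each input bit of a constructed message in turn and records which SHA-256 digest bits change; SHA-256 and the sample message are assumptions, since the slide does not name the hash behind its digests.

```python
import hashlib

def digest_diffs(msg: bytes):
    """For every one-bit change to msg, return old_digest XOR new_digest as an int."""
    base = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    diffs = []
    for i in range(len(msg) * 8):
        mutated = bytearray(msg)
        mutated[i // 8] ^= 1 << (i % 8)          # flip exactly one input bit
        new = int.from_bytes(hashlib.sha256(bytes(mutated)).digest(), "big")
        diffs.append(base ^ new)
    return diffs

def avalanche_stats(msg: bytes):
    """Return (mean digest bits flipped, lowest and highest per-bit flip rate)."""
    diffs = digest_diffs(msg)
    mean_flipped = sum(bin(d).count("1") for d in diffs) / len(diffs)
    per_bit = [sum((d >> b) & 1 for d in diffs) / len(diffs) for b in range(256)]
    return mean_flipped, min(per_bit), max(per_bit)

# Constructed sample input: 96 bytes, so 768 one-bit variants are hashed.
MESSAGE = b"Loreum ipsum" * 8

if __name__ == "__main__":
    mean, lo, hi = avalanche_stats(MESSAGE)
    print(f"mean bits flipped: {mean:.1f} of 256")
    print(f"per-bit flip rate: {lo:.2f} .. {hi:.2f}")
```

A mean near 128 of 256 bits, with every digest bit flipping in roughly half of the trials, is what the design goal predicts.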

Cryptographic Hash Functions
- Design Goals
  - It should be very (very very VERY) hard to find two different messages that have the same digest

Cryptographic Hash Uses
- Security
  - Digital signatures
  - Message authentication
- General computing
  - Detect duplicate files
  - Detect file changes / corruption
  - Index data in hash tables

Cryptographic Hash Functions
- MD5 – Don’t use!
  - Input → 128-bit digest
- SHA-1 – Don’t use!
  - Input → 160-bit digest
  - Google, Apple, Microsoft, Mozilla retired support for SHA-1 signed SSL/TLS certificates in ‘16-’17
- Vulnerable to collision attacks
  - Attackers have made fake SSL certificates

https://shattered.io/ (February 2017)

Google produced two different PDFs with same SHA-1 hash as proof of danger
- Required 9,223,372,036,854,775,808 SHA1 computations
- 110 years of Single-GPU computation (but Google has more than one GPU...)

https://shattered.io/ (February 2017)

Cryptographic Hash Functions
- SHA-2 family – Safe (except for length extension)
  - SHA-256 (256-bit digest, optimized for 32-bit CPUs)
  - SHA-512 (512-bit digest, optimized for 64-bit CPUs)
- SHA-3 – Safe (including against length extension)
  - NIST Hash function competition (2007-2012)
    - 51 entries round 1, 14 round 2, 5 finalists
    - Winner: Keccak algorithm
  - Efficient in hardware but slow in software
  - SHA3-256, SHA3-512, …
- Blake2 – Safe
  - Another SHA-3 finalist

Length Extension Attacks
- Older hash algorithms output their entire internal state as the hash digest
- Attack: Pick up exactly where they left off! (Reconstruct internal state from hash digest)

Plaintext | Hash (md5, SHA-1, SHA-2)
FundsXfer:Account123456:Amount:123 | 4ddf71e68243fb48ce9c25cef29a8ea2
FundsXfer:Account123456:Amount:123000 | Load hash function with state of 4ddf71e68243fb48ce9c25cef29a8ea2. Continue running hash function over extension attack digits 000. New hash: 30c6ae0de5369c2637d5c541ef0095d8
😈

Length Extension Attacks
- HashPump: A tool to exploit the hash length extension attack in various hashing algorithms.
  - Currently supported algorithms: MD5, SHA1, SHA256, SHA512 (i.e. SHA2 variants)
  - https://github.com/bwall/HashPump
- Real-world attacks require a bit of brute forcing (trial and error) to reconstruct hash state but nothing impossible

Password Storage

Password Storage
We agree that it’s horrible to store plaintext passwords in a database, yes?
- Database theft instantly gives attacker all user passwords ☹
  - Attacker could be rogue system administrator… ☹
- Humans re-use passwords across many sites ☹
- Does a website password reset tool email you your original password? RUN!!!
🙀

Password Storage
- Encrypting the entire database doesn’t help
  - Attacker could easily steal encryption keys along with database data – keys must be in the system somewhere
- Encrypting individual passwords is a similar headache
  - Where to store the keys?
  - How to keep the keys safe?
  - So many keys!!
🤕

Warning!
Warning: Cryptographic Hashes for password storage are wrong!
Can hashes help us?

Password Storage
“Swordfish” → Hash Function → 4ddf71e68243fb4
- Alice’s plaintext password can’t be instantly reversed from the hash if database stolen ✔
- But what if Bob has the same password? He will have the same hash ☹

Password Storage
- Humans choose terrible passwords:
  - password, swordfish, passw0rd, etc…
- There are only a few plausible hash functions in widespread use
- Attackers can pre-compute hashes for likely passwords (dictionary words and permutations)
  - Save in “rainbow table”
  - Search for a quick match!

Password Lists
- Large lists of likely passwords are assembled by attackers from prior password leaks (real-world data)
- Free/cheap option for your downloading convenience
  - https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
  - 15GB uncompressed
  - Starting guessing at “password123” instead of “aaaaaaaa”

Password Storage
- Improvement: Don’t hash {password}
  - Instead hash {salt | password}
- “Salt” is a large (160 bit) cryptographically random number appended/prepended to password
- Best practice
  - Unique salt per user, not per-system
  - Store this in database along with hash
- Rainbow tables now worthless
  - (Would need a rainbow table for each of the 2^160 salt values)

Password Storage
- Many systems use just a single salt, so an attacker only needs to compute one rainbow table ☹
- Per-user salts are still fundamentally broken, just harder to crack ☹
  - Cryptographic hash functions are intended to be fast
  - Attackers that steal your database also have your salt. With GPUs they can brute-force all possible passwords (following the password list and permutations)
- Broken? Not instantly. But vulnerable? Yes

Password Storage
“Please stop hashing passwords” https://blog.tjll.net/please-stop-hashing-passwords/
🙏

Password Storage
- Password storage should use a Key Derivation Function (KDF) instead
  - It looks like a hash function, but has a completely different design goal
- Design goals
  - KDF: hard to compute
    - Ideally, as slow as your users will tolerate without switching to a competitor product!
  - Cryptographic hash: Easy to compute

Key Derivation Functions
- Bcrypt – good
  - Tunable time-hard – you can configure how much CPU time it takes to calculate a hash key
  - CPUs getting faster? Tune bcrypt to take more time!
- Scrypt – good
  - Tunable time (CPU) and space (memory) hard
  - GPUs brute-forcing is hampered due to memory requirements
- Important: Still use salt with KDF algorithms
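
The storage scheme these slides arrive at, as an added example rather than code from the lecture: a 160-bit salt per user, scrypt as the KDF, and the cost parameters kept in each record so they can be raised as hardware gets faster. The work factors, the record layout and the function names are assumptions.

```python
import hashlib, hmac, os

# Assumed scrypt work factors (not from the slides); raise n over time.
COST = {"n": 2**14, "r": 8, "p": 1}

def _scrypt(password, salt, cost):
    return hashlib.scrypt(password.encode(), salt=salt, dklen=32,
                          maxmem=64 * 1024 * 1024, **cost)

def new_record(password, cost=COST):
    """Row stored for one user: unique salt, cost parameters, derived key."""
    salt = os.urandom(20)                       # 160-bit random salt, one per user
    return {"salt": salt, "cost": dict(cost), "key": _scrypt(password, salt, cost)}

def verify(password, record):
    """Recompute with the stored salt and cost; compare in constant time."""
    candidate = _scrypt(password, record["salt"], record["cost"])
    return hmac.compare_digest(candidate, record["key"])

def needs_upgrade(record, cost=COST):
    """True when a record was created under different settings than current policy."""
    return record["cost"] != cost

def unsalted(password):
    """The scheme the slides warn about: fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

if __name__ == "__main__":
    alice, bob = new_record("Swordfish"), new_record("Swordfish")
    print("unsalted hashes equal:", unsalted("Swordfish") == unsalted("Swordfish"))
    print("scrypt records equal: ", alice["key"] == bob["key"])
    print("alice verifies:       ", verify("Swordfish", alice))
```

On a successful login where `needs_upgrade` is true, the plaintext is available for that moment, so the record can be replaced with one created under the current cost.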

Key Derivation Functions
https://blog.tjll.net/please-stop-hashing-passwords/ (CORS policy requires changing JavaScript to load JSON over HTTPS to get interactive graph to appear…)
Comparing hash functions by time to generate digest: md5, sha1, sha2, sha3, pbkdf2
How do you think bcrypt and scrypt will compare?

Key Derivation Functions
https://blog.tjll.net/please-stop-hashing-passwords/ (CORS policy requires changing JavaScript to load JSON over HTTPS to get interactive graph to appear…)
Original hashes (md5, sha1, sha2, sha3, pbkdf2) are not even visible at the bottom!
Y-axis (original): 0.00 – 0.25s
Y-axis (new): 0-600s

Key Derivation Functions
- Ruby script to generate your own dataset
  - https://gist.github.com/tylerjl/10802499