tags:

views:

339

answers:

9
+2  Q: 

Crypto, hashes and password questions, total noob?

I've read several stackoverflow posts about this topic, particularly this one:

http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords

but I still have a few questions, I need some clarification, please let me know if the following statements are true and explain your comments:

  1. If someone has access to your database/data, then they would still have to figure out your hashing algorithm and your data would still be somewhat secure, depending on your algorithm? All they would have is the hash and the salt.

  2. If someone has access to your database/data and your source code, then it seems like no matter what your do, your hashing algorithm can be reversed engineered, the only thing you would have on your side would be how complex and time consuming your algorithm is?

  3. It seems like the weakest link is: how secure your own systems are and who has access to it?

Lasse V. Karlsen ... brings up a good point, if your data is compromised then game over ... my follow up question is: what types of attacks are these hashes trying to protect against? I've read about rainbow table and dictionary attacks (brute force), but how are these attacks administered?

+6  A: 

The security of cryptographic algorithms is always in their secret input. Reasonable cryptanalysis is based on an assumption that any attacker knows what algorithm you use. Good cryptographic hashes are non-invertible and collision resistant. This means that there's still a lot of work to do going from a hash to the value that generated it, regardless of whether you know the algorithm applied.

  1. If you used a secure hash, access to the hash, salt, and algorithm will still leave a lot of work for a would-be attacker.
  2. Yes, a secure hash puts a very hard to invert algorithm on your side. Note that this inversion is not 'reverse-engineering'
  3. The weak link is probably the processes and procedures that get those password hashes into the database. There are all sorts of ways to screw up and store sensitive data in the clear.

As I noted in a comment, there are attacks that these measures defend against. First, knowing the password may lead to authorization to do things beyond what the contents of the database suggest. Second, those passwords may be used elsewhere, and you expose your users to risk by revealing their passwords as a result of a break-in. Third, with hashing, an insider can't exploit read-only access to the database (subject to less auditing, etc.) to impersonate a user.

Dictionaries and rainbow tables are techniques for accelerating hash inversion.

Novelocrat  2009-09-25 19:47:25
A: 

When hashing a password, it is one way. So it is very difficult to get the password even if you have the salt, source and alot of cpu cyles to burn.

Byron Whitlock  2009-09-25 19:48:44
Actually, there are hash dictionaries which store common passwords and such. So given the salt, a dictionary, and a poorly chosen password -- you can acquire that password. This is why it's good to use a salt and enforce password constraints (letters, numbers, etc).
Nazadus  2009-09-25 19:56:58
why all the down-votes?
Byron Whitlock  2009-09-25 20:24:11
Because you glibly failed to acknowledge the threats to hashing itself, and the risks surrounding it. I'm guessing it's mostly the glibness. (I'm not one of the down-votes)
Novelocrat  2009-09-25 23:05:19
A: 

Here are my thoughts to your points:

  1. If people have access to your database you have bigger security concerns than your hash algorithm and salt phrase. Hashes are somewhat secure, however there are problems such as hash collisions and hash lookups.
  2. Hashes are one-way, so unless they can guess the input there is no way to reverse out the original text even with the algorithm and salt; hence the name one-way hash.
  3. Security is about obscurity and layers of defense. If you layer your defenses and make determining what those defenses are you stand a much better chance of staving off an attack than if you relied on a single approach to security such as password hashing and running OS/network hardware updates. Throw in some curveballs like obsfucation of the web server platform and clear boundaries between the prod web and database environments. Layers and hiding implementation details buy you valuable time.
Nissan Fan  2009-09-25 19:55:33
You're advocating security by obscurity, to "buy time". Good security is, qualitatively, "timeless". An attacker should not be able to beat your measures in any amount of time within which the attack would have valuable results.
Novelocrat  2009-09-25 20:05:34
+3  A: 

what types of attacks are these hashes trying to protect against?

That type when someone gets your password from poorly secured site, reverses it, and then tries to access your bank/PayPal/etc. account. It happens all the time, and many people are still using same (and often weak) passwords everywhere.

As a side note, from what I've read, key derivation functions (PBKDF2/scrypt/bcrypt) are considered better/more secure (#1, #2) than plain salted SHA-1/SHA-2 hashes by crypto people.

PiotrLegnica  2009-09-25 20:05:25
+1 for mentioning cryptographically stronger approaches.
Novelocrat  2009-09-25 20:07:44
the the sake of clarity: how would someone get your password from a poorly secured site without also being able to acquire other data from that site (hacking into more data)
farinspace  2009-09-25 20:11:11
I guess the question is how would someone go about doing that, through the frontend, trial and error? I understand that, thats basically what a brute force attack is, but how is it administered?
farinspace  2009-09-25 20:16:31
SQL injection would be the most basic attack, I guess. There are way too many sites vulnerable to that. Poor DB server security is another - not so long ago we had this on rather big Polish site - a staging/development MySQL installation allowed outside connections and had no root password; attacker (by pure luck, as he was portscanning several public IP) was able to dump the user database, with hashed passwords. Many were weak - they got reversed and were used to access unrelated sites (auctions, email accounts, social networks, etc.).
PiotrLegnica  2009-09-25 20:26:22
+1  A: 

If you have just a hash, no salt, then once they know your data (and algorithm) they can get your password via a rainbow table lookup. If you have a hash and a salt, they can get your password by burning a lot of CPU cycles and building a rainbow table.

If your salt is the same for all your data, they only need to burn a lot of CPU cycles once to build the table and then they have all the passwords. If your salt is not always the same, they need to burn through the CPU cycles to make a unique rainbow table for each record.

If the salt is long enough, the CPU cycles they need become very cost-prohibitive.

If you know your data security is breached, of course, you need to reset all the passwords immediately anyway, because as far as you know the attacker is willing to spend that time.

Brian Schroth  2009-09-25 20:15:59
There's no point making a rainbow table just to break a single hash - it's the same effort as just bruteforcing that hash. It's only worth doing if you can re-use the rainbow table for other hashes (as you point out, because the salt has been reused).
caf  2009-09-26 01:59:55
+1  A: 

If someone has access to your database/data, then they would still have to figure out your hashing algorithm and your data would still be somewhat secure, depending on your algorithm? All they would have is the hash and the salt.

This might be all a really dedicated opponent would need. Much of this answer depends on how valuable the data is, which would tell you how motivated the opponent is. Credit card numbers are going to be extremely valuable, and criminal attackers seem to have plenty of time and accomplices to do their dirty work. Some bad guys have been known to farm out key decryption tasks to botnets!

If someone has access to your database/data and your source code, then it seems like no matter what your do, your hashing algorithm can be reversed engineered, the only thing you would have on your side would be how complex and time consuming your algorithm is?

If they have access to your source and all the data, the question is going to be "how did you load your key into the memory of the server in the first place?" If it's embedded in the data or in the program code, it's game over and you've lost. If it was hand-keyed by an operator at the machine's boot time, it should be as secure as your trust in your operator. If it is stored in an HSM*, it should still be secure.

And if they have root-level authority access to your running machine, then they can probably trigger and recover a memory dump that will reveal the secret key.

It seems like the weakest link is: how secure your own systems are and who has access to it?

This is true. But there are alternatives that help improve security.

For bank-like protection, the kind that passes security and industry audits, it's recommended that you use a *Hardware Security Module (HSM) to perform key storage and encryption/decryption functions. The commercial strength HSMs we're looking at cost 10s of thousands of dollars or more each, depending on capacity. But I have seen hardware encryption cards that plug into a PCI slot that cost substantially less.

The idea behind an HSM is that the encryption happens on a secure, hardened platform that nobody has access to without the secret keys. Most of them have cabinets with intrusion detection switches, trip wires, epoxied chips, and memory that will self-destruct if tampered with. Not even the legitimate owner or the factory should be able to recover the database key from an HSM without the set of authorized crypto keys (usually carried on smart cards.)

For a very small installation, an HSM can be as simple as a smart card. Smart cards aren't high performance encryption devices, though, so you can't pump more than about one decryption transaction per second through them. Systems using smart cards usually just store the root key, then decrypt the working database key on the smart card and send it back to the database accessing system. These will still yield the working database key if the attacker can access running memory, or if the attacker can sniff the USB traffic to and from the smart card.

And I have no experience getting TPM chips to work (yet), but theoretically they can be used to securely store keys on a machine. Again, it is still no defense against an attacker taking a memory dump while the key is loaded in memory, but they would prevent a stolen hard drive containing code and data from revealing its secrets.

John Deters  2009-09-28 04:09:48
Excellent, excellent work. One point stands clearly to my experience based on your work - that of "Ring of Deception" If Coder Clyde hires on at Some Business and does not join or do as told, it's Ruiniation Nation for that person career, no?So, as poster asked, it's all access control. There is in crypto known voting systems, the key is distributed - only by council can proof be obtained. Strong proof of credentials would suggest a similar approach, reliant on hardware encipher - and compartmentalized verification scheme( s )Recent economic woes suggest to me challenges remain.
Nicholas Jordan  2009-10-02 06:23:16
+3  A: 

You question is about using passwords as an authentication mechanism and how to securely store these passwords in a database using a hash. As you probably already know the goal is to be able to verify passwords without storing these passwords i clear text in the database. In this context let me try to answer each of your questions:

If someone has access to your database/data, then they would still have to figure out your hashing algorithm and your data would still be somewhat secure, depending on your algorithm? All they would have is the hash and the salt.

The basic idea of hashing passwords is that the attacker has knowledge of the hashing algorithm and has access to both the hash and the salt. By selecting a cryptographic strong hash function and a suitable salt value that is different for each password the computational effort required to guess the password is so high that the cost exceeds the possible gain the attacker can get from guessing the password. So to answer your question, hiding the hash function does not improve the security.

If someone has access to your database/data and your source code, then it seems like no matter what your do, your hashing algorithm can be reversed engineered, the only thing you would have on your side would be how complex and time consuming your algorithm is?

You should always use a well-known (and suitably strong) hashing algorithm, and reverse engineering this algorithm is not meaningful as there is nothing hidden in your code. If you didn't mean reverse engineer but actually reverse then, yes, the passwords are protected by the complexity of reversing the hash function (or guessing a password that matches a hash value). Good hash functions makes this very hard.

It seems like the weakest link is: how secure your own systems are and who has access to it?

In general this is true, but when it comes to securing passwords by storing them as hashes you should still assume that the attacker has full access to the hashes and design your system accordingly by choosing an appropriate hash function and using salts.

What types of attacks are these hashes trying to protect against? I've read about rainbow table and dictionary attacks (brute force), but how are these attacks administered?

The basic attack that password hashing protects against is when the attacker gets access to your database. The clear text password cannot be read from the database and the password is protected.

A more sophisticated attacker can generate a list of possible passwords and compute the hash using the same algorithm as you. He can then compare the computed hash to the stored hash and if he finds a match he has a valid password. This is a brute force attack and it is generally assumed that the attacker has "offline" access to your database. By requiring the users to use long and complex passwords the effort required to "brute force" a password is significantly increased.

When the attacker wants to attack not one password, but all the passwords in the database a large table of passwords and hash value pairs can be precomputed and further improved by using what is called hash chains. Rainbow tables is an application of this idea and can be used to brute force many passwords simultaneously without increasing the effort significantly. However, if a unique salt is used to compute the hash for each password a precomputed table becomes useless as it is different for each salt and cannot be reused.

To sum it up: Security by obscurity is not a good strategy for protecting sensitive information and modern cryptography allows you to secure information without having to resort to obscurity.

Martin Liversage  2009-09-28 05:38:48
A: 

( OP )

brings up a good point, if your data is compromised then game over ... my follow up question is: what types of attacks are these hashes trying to protect against? I've read about rainbow table and dictionary attacks (brute force), but how are these attacks administered

( discussion )

It's not a game, except to the attacker. Research these terms:

  • Sarbanes-Oxley
  • Gramm-Leach-Bliley Act (GLBA)
  • HIPAA
  • Digital Millenium Copyright Act (DMCA)
  • PATRIOT Act

Then tell us ( as thought provocation for you ) how do we protect against whom? For one thing, it is the efforts of innocents vis-a-vis intruders - and for another it is data-recovery if part of the system fails.

It is an interesting experiment that the original intent of tcp/ip and so on is advertised as being a weapon of war, survivability under attacks. Okay, so passwords are hashed - no one can recover them ...

Which, duh, includes the owner-operator of the system.

So you build a robust record locking tool that implements key controls, then political pressures force the use of brand-x tools.

You can read Federal Information Security Management Act (FISMA) and by the time you have read it some governmental entity somewhere will have had an entire disk either stolen or compromised.

How would you protect that disk if it was your personal identity information on that disk.

I can tell you from the caliber of Martin Liversage and jadeters they will be paying attention.

Nicholas Jordan  2009-10-02 06:50:38
A: 

A hash cannot be reversed. Conceptually, think of a hash as taking the value to be hashed as the seed to a random number generator, then taking the 500th number that it generates. This is a repeatable process, but it is not a reversible process.

If you store a hashed password in your database, when your user logs in, you take his password from the input to the login page, you apply the same hash to it, and then you compare the result of that operation to what you have stored in the database. If they match, the user typed the right password. (Or, in theory, they could have typed something that happens to hash to the same value, but in practice, you can completely ignore this.)

The purpose of the salt is so that even if users have the same password, you can't tell, and also lots of other things which are equivalent to this idea. If the user's password is "secret", and the salt is "abc", then instead of making a hash of "secret", you hash "secretabc" and store the results of that in your database. You also store the salt, but this is perfectly safe to store -- you can't figure out any information about the password from it.

The only reason to safeguard the hashed passwords and salt is that if an attacker has a copy of it, he can test passwords offline on his own machine, rather than repeatedly trying to log in to your server, which you would probably lock him out after three attempts or something like that. Even if you don't lock him out, it's much faster to test locally than to wait for the network round-trip.

Kevin Peterson  2009-10-02 07:12:11

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security