Is there a bruteforce-proof hashing algorithm?

views:

243

answers:

Is there a bruteforce-proof hashing algorithm?

Well, from the discussion of hashing methods weaknesses, I've got that the only ol' good brute-force is efficient to break.

So, the question is:
Is there a hashing algorithm which is more rigid against brute-force than others?
In case of hashing passwords.

+12 A:

The only protection against brute force is the fact that it takes an inordinately long time to perform a brute force.

Brute force works by simply going through every possible input string and trying it, one at a time. There's no way to protect against simply trying every possible combination.

Dean Harding 2010-05-05 08:11:31

I agree with @codeka, but you can make it even more difficult by implementing a time-delay after say, 3 unsuccessful login attempts in a row. Even though attempting to brute-force a password hash will take an extremely long time under normal circumstances, you can delay that by an order of magnitude simply by imposing a delay in your authentication routines of several seconds...

Richard 2010-05-05 08:40:01

@Richard: you are talking about a login *process* - but the question was about the *algorithm* itself. You can not slow down a MD5/SHA.

tanascius 2010-05-05 09:04:31

@tanascius my bad :)

Richard 2010-05-05 13:16:52

Consider the output of the hash algorithms.

A MD5 (128 bit) or SHA-1 (160 bit) is certainly easier to brute-force than a SHA-2 (224, 384 or even 512 bit).

Of course, there can be other flaws (like in MD5 or a bit less in SHA-1) which weaken the algorithm a lot more.

tanascius 2010-05-05 08:14:28

what's the difference? As far as I understand brute-force, We have a string s, returned by a function f(x), and we want to find x. So, we just go over all variants of x. So, does it matter the form of s, if it's being used just to compare?

Col. Shrapnel 2010-05-05 08:23:10

Well, you don't need to find **x**. It is sufficient to find *any* **y**, so that **f(x) = f(y)** ... It means that you don't have to enter the original password, but you can rather input any string as a password that will hash to the same value ... access will be given. Therefore as an attacker you don't attack the input space (which is arbitrary large), but the output of the hash to find *any* collision.

tanascius 2010-05-05 08:33:47

@tanascius: the input space of passwords is arbitrarily large *in theory*. In practice, even when there are no explicit limitations on password length, nobody can remember a password that actually has 128 bits of entropy. So in practice, attacking the input space is much easier when it's passwords.

Michael Borgwardt 2010-05-05 08:40:06

@Col. Shrapnel, @Michael: My point is, that an algorithm that outputs only 10 different values as a hash is easier to brute force than an algorithm that outputs 2^512 different values ... @Michael: isn't that what you wrote? *Any additional bit in the output format makes the algorithm twice as strong against a straightforward brute force attack.*

tanascius 2010-05-05 08:40:55

@tanascius: yes, but that only applies when your input space is larger then the hash result.

Michael Borgwardt 2010-05-05 08:55:21

As Codeka said, no hashing algorithm is 100% secure against brute force attacks. However, even with hardware-assisted password cracking (using the GPU to try passwords), the time it takes to crack a sufficiently long password is astronomical. If you have a password of 8ish characters, you could be vulnerable to a brute force attack. But if you add a few more characters, the time it takes to crack increases radically.

Of course, this doesn't mean you're safe from rainbow attacks. The solution to that is to add a salt to your password and use a hashing algorithm that isn't vulnerable to preimage attacks.

If you use a salted password of 12-14 characters, preferably hashed with an sha2 algo (or equivalent), you've got a pretty secure password.

Carson Myers 2010-05-05 08:21:32

Nothing about passwords in the question - there are other uses for hashing.

Michael Borgwardt 2010-05-05 08:24:31

@Michael it is my bad, because I *meant* passwords. I'm gonna edit the question

Col. Shrapnel 2010-05-05 08:25:49

Hmm... I read Col. Shrapnel's previous question (mentioned in this one) and I remembered it being about passwords. I guess I just assumed this one was as well

Carson Myers 2010-05-05 08:33:12

If you know that the input space is small enough for a brute force attack to be feasible, then there are two options for protecting against brute-force attacks:

Artificially enlarging the input space. This isn't really feasible - Password salting looks like that at first glance, but it really only prevents attackers from amortizing the cost of a brute force attack across multiple targets.
Artificially slowing down the hashing through key strengthening or using a hash algorithm that is inherently slow to compute - presumably, it's only a small extra cost to have the hash take a relatively long time (say, a tenth of a second) in production. But a brute-force attacker incurs this cost billions of times.

So that's the answer: the slower a hash algorithm is to compute, the less susceptible it is against brute-forcing the input space

(Original Answer follows)

Any additional bit in the output format makes the algorithm twice as strong against a straightforward brute force attack.

But consider that if you had a trillion computers that could each try a trillion hashes per second, it would still take you over 100 trillion years to brute-force a 128 bit hash, and you'll realize that a straightforward brute-force attack on the output is simply not worth wasting any throughts on.

Of course, if the input of the hash has less than 128bits of entropy, then you can brute-force the input - this is why it's often feasible to brute-force password cracking (Nobody can actually remember a password with 128 bits of entropy).

Michael Borgwardt 2010-05-05 08:37:47

In practice, there are *password safes* around - you have to remember the master password only. The single passwords you are using to authenticate can have a very high entropy (and should have).

tanascius 2010-05-05 08:46:18

@tanascius: in practice, only a tiny fraction of people know about those and are willing to deal with the extra hassle.

Michael Borgwardt 2010-05-05 08:54:35

Unfortunately ... but the original question is still about *bruteforce-proof hashing algorithm* ... and the output length is in my opinion the most important parameter. Yes, slowing down the hashing will increase security (and yes, adding salt will do so, too). But any algorithm itself *is* fast (as will always be, this is a design goal) - you can slow down the authentication process - but that is a good answer for another question. I hope I can clarify my point - and I still hope that my answer is that wrong.

tanascius 2010-05-05 09:01:15

@tanascius: people are coming around to the realization that with a hashing algorithm, *slowness* can be a desirable design goal.

Michael Borgwardt 2010-05-05 09:04:39

I don't think so ... I read a bit about the http://en.wikipedia.org/wiki/NIST_hash_function_competition. Skein for instance explicitly states that speed is a design goal (*"Skein is fast."*, http://www.skein-hash.info/about). And again: the authentication *process* should be slow, no question, but the *algorithm* should be fast.

tanascius 2010-05-05 09:08:06

@tanascius: Wrong. When you're hashing passwords, it's the *algorithm* that should be slow, because that cannot be circumvented - even when the attacker has a DB dump and does the brute-force attack offline. But of course passwords are not the only thing that is hashed - there can be different hashing algorithms design for different applications.

Michael Borgwardt 2010-05-05 09:15:28

Did you look at the links I posted? Speed is a design goal. And SHA-3 will certainly be used for passwords, too. So a plain *wrong* is not enough, here. You are right - when the attacker has a db dump it is the time he needs to crack the passwords that matters. But that can be increased by using hashes with more bits, too. Of course you could use 1000 concatenated SHA hashed instead of one SHA. That will slow him down by factor 1000, too. But just 10 more bits will slow him down by factor 1024 (given "perfect" entropy) ... For a raw brute force attack the bit values do matter.

tanascius 2010-05-05 09:29:24

@tanascius: Wrong again. A brute force attack on the hash output is already utterly impossible for 128bit. But with passwords, you attack the input, and that makes the size of the hash output irrelevant. And sure, you *can* use a hash algorithm designed for speed to hash passwords - it's just a *bad choice* for that purpose. For an example of an algorithm designed for slowness, see http://www.usenix.org/event/usenix99/provos/provos_html/node4.html

Michael Borgwardt 2010-05-05 12:17:00

But may I remind you that MD5 is considered to be broken, not because a brute force attack on the input space is possible. But rather for the flaws in the algorithm that reduce the output space from 128bit to less? So the output space matters ... It maybe irrelevant if you have 128 or 160 bits today, but in the future it can be a huge difference. Nevertheless, I admit, that your answer "use a slow algorithm" is right, too.

tanascius 2010-05-05 13:34:46

@tanascius: sure, weaknesses in the algorithm are a different matter. But I don't think you can assume that a larger output means the algorithm will remain more secure when weaknesses are found. And I'm not sure it's correct to say the weaknesses in MD5 are equivalent to a reduction of the output space.

Michael Borgwardt 2010-05-05 13:38:22

+1 A:

All cryptographic systems are vulnerable to brute force. Another term for this is a "Trivial Attack".

A simple explanation for hashing is that all hashing algorithms we use accept an infinitely sized input and have a fixed sized output. This is an unavoidable collision, and for something like sha256 it takes 2^256 operations to find one naturally. md5() has a shortcut making it 2^39th operations to find a collision.

One thing you can do to make your passwords stronger is to hide your salt. A password hash cannot be broken until its salt is retrieved. John The Ripper can be given a Dictionary, a Salt and a Password to recover password hashes of any type. In this case sha256() and md5() will break in about the same amount of time. If the attacker doesn't have the salt he will have to make significantly more guesses. If your salt is the same size as sha256 (32 bytes) it will take (dictionary size)*2^256 guesses to break one password. This property of salts is the basis of CWE-760.

Rook 2010-05-05 08:39:35

Trying to hide the salt is IMO a fool's game. The system has to know the salt to verify logins, so anyone who breaks into the system can find out the salt. Any attempt to make that more difficult will only complicate the system needlessly, and complicated systems are vulnerable systems. Sure, it might be a good idea to have one component to the salt that's not in the database itself, just in case someone gets their hands on a DB dump, but beyond that it's not worth it.

Michael Borgwardt 2010-05-05 09:01:06

ansaurus

tags:

views:

answers:

Is there a bruteforce-proof hashing algorithm?

related questions