tags:

views:

257

answers:

5
Q: 

Ultimate Hash Protection - Discussion of Concepts

Ok, so the whole problem with hashes is that users don't enter passwords over 15 characters long. Most only use 4-8 characters making them easy for attackers to crack with a rainbow table.

Solution, use a user salt to make hash input more complex and over 50chars so that they will never be able to generate a table (way to big for strings that size). plus, they will have to create a new table for each user. Problem: if they download the db they will get the user salt so you are back to square one if they care enough.

Solution, use a site "pepper" plus the user salt, then even if they get the DB they will still have to know the config file. Problem: if they can get into your DB chances are they might also get into your filesystem and discover your site pepper.

So, with all of this known - lets assume that an attacker makes it into your site and gets everything, EVERYTHING. So what do you do now?

At this point in the discussion, most people reply with "who cares at this point?". But that is just a cheap way of saying "I don't know what to do next so it can't be that important". Sadly, everywhere else I have asked this question that has been the reply. Which shows that most programmers miss a very important point.

Lets image that your site is like the other 95% of sites out there and the user data - or even full sever access - isn't worth squat. The attacker happens to be after one of your users "Bob" because he knows that "Bob" uses the same password on your site as he does on the banks site. He also happens to know Bob has his life savings in there. Now, if the attacker can just crack our sites hashes the rest will be a piece of cake.

So here is my question - How do you extend the length of the password without any traceable path? Or how do you make the hashing process to complex to duplicate in a timely manner? The only thing that I have come up with is that you can re-hash a hash several thousand times and increase the time it would take to create the final rainbowtable by a factor of 1,000. This is because the attacker must follow that same path when creating his tables.

Any other ideas?

+2  A: 

"The only thing that I have come up with is that you can re-hash a hash several thousand times and increase the time it would take to create the final rainbowtable by a factor of 1,000."

Isn't that exactly what the Blowfish-based BCrypt hash is about? Increasing the time it takes to compute a hash so that brute force cracking (and rainbow table creation) becomes undoable?

"We present two algorithms with adaptable cost (...)"

More about adaptable cost hashing algorithms: http://www.usenix.org/events/usenix99/provos.html

Jacco  2009-05-02 18:38:00
The BCrypt link you sent is for file encryption - not hashing. However, the BCrypt methods are also available in hashing algorithms aswell. The problem is that rainbow tables can be generated using Bcrypt just as easily as MD5. What you are referring to is the fact that it is harder to CRACK the BCrypt algorithm which is true - but we aren't trying to crack it - only match it to an easy to build rainbowtable.
Xeoncross  2009-05-03 16:59:35
Blowfish has an expensive key setup this is used as a basic building block for BCrypt. BCypt is design to be computationally expensive. So building your hash table takes far more time than for example building your MD5 hashtable.
Jacco  2009-05-03 19:36:29
Yes, I was assuming that you already knew that BCrypt is a more complex algorithm which means it naturally takes longer to create. Just like SHA512 takes longer than BCrypt. However, all of these algorithms are still incredibly fast and PC's can create thousands to hundreds of thousands of hashes every minute - which means that now matter which one you chose - creating a rainbow table isn't a big deal if an attacker wants your users password.
Xeoncross  2009-05-04 04:17:30
Did you even read the paper about adaptable cost hashing?
Jacco  2009-05-04 11:54:55
lol, yes - long before you posted that link in fact. ;)
Xeoncross  2009-05-04 17:15:31
Oh, and thanks for sharing that link. More people should know about it.
Xeoncross  2009-05-04 17:28:50
There's nothing new in suggesting thousands of iterations of hashing. That's why algorithm identifiers for key derivation include "salt" *and* "iterations" parameters. The purpose of bcrypt for one-way hashes is the same. +1
erickson  2009-05-04 19:48:59
+1  A: 

How about taking the "pepper" idea and implementing it on a separate server dedicated to hashing passwords - and locked down except for this one simple and secure-as-possible service - possibly even with rate-limits to prevent abuse. Gives the attacker one more hurdle to overcome, either gaining access to this server or reverse engineering the pepper, custom RNG and cleartext extension algorithm.

Of course if they have access to EVERYTHING they could just evesdrop on user activity for a little while..

Chris Thornhill  2009-05-02 18:42:43
That's actually a great idea. +1
Zifre  2009-05-02 19:15:08
Yes, this has been mentioned before - the more layers to your system the better. However, I am not sure about the feasibility of this implementation for most people. I am looking for a concept that can be taught and used by many people across the board. Also, you are right. If they have access to EVERYTHING then they could also monitor POST data sent to the sever and gain the clear text passwords.
Xeoncross  2009-05-03 16:55:53
Adding more layers to the system also increases the change of making mistakes and opening up new security holes.
Jacco  2009-05-03 20:04:41
+1  A: 

uhmm... Okay, my take on this:

  • You can't get the original password back from a hash. I I have your hash, I may find a password that fits that hash, but I can not log in to any other site that uses this password, assuming they all use salting. No no real issue here.
  • If someone gets your DB or even your site to get your config, you're screwed anyway.
  • For Admin or other Super Accounts, implement a second mean of verification, i.e. limit logins to certain IP ranges, use Client-Side-SSL Certificates etc.
  • For normal users, you won't have much chance. Everything you do with their password needs to be stored in some config or database, so if have your site, I have your magic snake oil as well.
  • Strong Password limitations don't always work. Some sites require passwords to have a numeric character - and as a result, most users add 1 to their usual password.

So I'm not entirely sure what you want to achieve here? Adding a Salt to the front of the users password and protecting Admin accounts with a second mean of authentication seems to be the best way, given the fact that users simply don't pick proper passwords and can't be forced to either.

Michael Stum  2009-05-02 18:51:45
Covering your points starting with the first one. First, I am not sure how you came to the idea that I cannot login using the password. I think you had better rethink that. Second, again I'm not worried about my site being trashed - it's the users I'm am trying to protect. Third, those precautions have to do with user logins - that is not what we are discussing. We are talking about an attacker gaining your hashes, salts, and pepper. Then visiting Bank of America and logging in as Bob on the first try with the matched password hash. Forth, that is the point of this topic - to find a better way
Xeoncross  2009-05-03 17:06:47
Fifth, yes people entering passwords shorter and easier than 15 alphanumeric + symbol passwords again is the problem - we are tring to find a solution.
Xeoncross  2009-05-03 17:06:50
I'm not saying that people can't log in to your site - I'm just saying that it possibly does not matter anymore because I already have everything. And I'd expect Bank of America to have a proper second mean of authentication for any important action, which is usually a second secret number to transfer funds, backed in a separate place. I don't see much alternative if it has to withstand complete theft of your site and database while still keeping the data more secure than a salted hash.
Michael Stum  2009-05-03 18:39:38
Again, I'm afraid relying on the security of the 3rd party's is out of the scope of this hashing problem. They can use a 3 level challenge or a simple login form - that's none of our business. What we need to do is make our password hashes resent to brute forcing with rainbow tables EVEN AFTER our site and all data is laid bare for all to see.
Xeoncross  2009-05-03 19:40:09
Good Luck with that.
Michael Stum  2009-05-03 19:45:59
+6  A: 

Solution, use a user salt to make hash input more complex and over 50chars so that they will never be able to generate a table (way to big for strings that size). plus, they will have to create a new table for each user. Problem: if they download the db they will get the user salt so you are back to square one if they care enough.

This reasoning is fallacious.

A rainbow table (which is a specific implementation of the general dictionary attack) trades space for time. However, generating a dictionary (rainbow or otherwise) takes a lot of time. It is only worthwhile when it can be used against multiple hashes. Salt prevents this. The salt does not need to be secret, it just needs to be unpredictable for a given password. This makes the chance of an attacker having a dictionary generated for that particular salt negligibly small.

erickson  2009-05-02 18:55:07
See also: http://stackoverflow.com/questions/348109/is-double-hashing-a-password-less-secure-than-just-hashing-it-once/348140#348140
erickson  2009-05-03 07:28:49
I'm afraid you are incorrect. If I have the user salt then I only have to spend a day or so generating a rainbow table of the values 0-12chars and append the user salt to each one. User Hash Cracked.
Xeoncross  2009-05-03 16:52:32
There's no need to guess. Why don't you prove it? Use "erickson" as a salt, append a password, and use one iteration of SHA-1. For example, if the password is ABCDEFGHIJKL, one could use the following command `echo -n 'ericksonABCDEFGHIJKL' | openssl sha1` to produce the hash "9c1121a99b6b5afeaa02684093f4c766f94212d2". I've chosen a secret password, which, together with the salt "erickson", produces the SHA-1 hash "0c67c6eb301bb6df94af524f98305cb2648d25eb". If you can find any password that produces the correct hash as outline above within 72 hours, I'll upvote your posts for a week.
erickson  2009-05-03 18:57:40
I'm afraid I don't have the time to spend just to demonstrate this to you. If you don't believe that it can be done then I recommend that you do a quick search in google for some of the test cases. Generating a rainbowtable takes XX long for given XX hash algo * character length. If you know the user salt than you just append it to each test string created. It's just common sense.
Xeoncross  2009-05-03 19:37:08
Sometimes real understanding takes more than just a quick search in Google. I think if you were to take on the challenge, you would find the knowledge gained worth the time you spend.
erickson  2009-05-03 19:56:55
Keep in mind that you would have to append it to each test string BEFORE hashing. So you would have to create a rainbow table for _every_ salt.
Jacco  2009-05-03 20:01:24
@Jacco Yes, but if our hapless user "Bob" is who the attacker is after - he wouldn't mind that fact.@erickson I wasn't refering to a quick search on google - there is much miss-information as I am sure you know. However, you are right that I should take the time to act out the attack so that I don't have to take cryptoligists word for it. Never-the-less, for the time being I don't have the time or desire to spend repeating the already proven wheel. In the future I am hoping to fully test this as an example lesson to newer programmers.
Xeoncross  2009-05-04 04:12:41
@Xeoncross Although you position yourself as an expert, your answers are based upon false assumptions. If you do not intend to listen and learn, you maybe should not ask a question.
Jacco  2009-05-04 12:02:34
I am not the one who is not listing. I have pointed out the problem and the quest for a solution. I have also addressed the short-comings of each answer. The only things mentioned here are referenced to solutions either A) not related to the topic or B) miss-informed. I find that on the contrary the people replying to this question are assuming their answers are naturally correct given that fact that they themselves posted them. I would venture to rephrase your statement as such. "If you do not intend to help or offer correct ideas, maybe you should not reply to the question." Nothing personal
Xeoncross  2009-05-04 17:22:21
Xeoncross: From your statements, I gather that you believe building a rainbow table for a given key space is faster than brute-force searching of the space. This is false. Building the table is actually slower, and it requires storage. The payoff is in being able to re-use it. A 64-bit salt from a cryptographic RNG effectively prevents re-use. While searching the "bad password space" (7 or 8 characters, alpha-numeric only) can be done in hours or days when a single round of hashing is used, following the "best practice" of thousands of rounds stretches this to months or years.
erickson  2009-05-04 19:34:40
Yes, searching off the space can be much faster without a salt. The problem is that creating a rainbow table is already a fairly fast task. It takes less that a week (sometimes a couple days) to do and is well worth if the user password is valuable. This is the problem.
Xeoncross  2009-05-04 21:02:06
No, creating a rainbow table is slow. Even with the concerted efforts of many contributors working in a distributed architecture, creating an 8 character mixed alphanumeric table is a big undertaking. It only takes a week if one round of hashing is used. You can't create a table for even a simple 7 character mixed-alpha-numeric password in a week if a few thousand iterations of a good hash are used. I know that my telling you so is not convincing, so I urge you to try it yourself.
erickson  2009-05-04 21:21:55
Yes, perfect! That is my point. As I first stated above, re-hashing a thousand plus times was the only answer I could think of to slow the creation of these tables to a crawl. It is this theory that I wanted feedback on and I also (knowing I don't know everything) wanted an expert in this field to possibly show ANOTHER way that perhaps must programmers aren't aware of. However, after posting this question many other places online it appears that there, sadly, is no other answer. Perhaps some time soon in the future another security percausion will be discovered
Xeoncross  2009-05-05 16:36:57
A: 

I was hoping that someone might have a solution but sadly I am no better off then when I first posted the question. It seems that there is nothing that can be done but to find a time-costly algorithm or re-hash 1,000's of times to slow down the whole process of generating rainbow tables (or brute-forcing) a hash.

Xeoncross  2009-06-18 22:56:52

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security