Secure Password Storage
JOSHUA SMALL
HTTPS://GITHUB.COM/TECHNION/
LHNSKEY - ROOT PASSWORD GENERATOR FOR CVE-2013-2352.
HTTPS://LOLWARE.NET/CW.HTML – CONNECTWISE PASSWORD “ENCRYPTION” BROKEN
[email protected]
DJB’S CRYPTO SNAKE OIL COMPETITION SUBMISSION: HTTP://SNAKEOIL.CR.YP.TO/SUBMISSIONS.HTML
Raspberry Pi Powered NTP Server
Typical Web Sign Up Form
The Problem
Typical User
shinycatz.com
Email: [email protected]
Password: secret
User: Oh all they can do is produce fake cats in my name!
Mybank.com
Email: [email protected]
Password: supersecret
Unique password – good boy John!
shinycatz.com Compromise
Attacker notices:
“secret” is the password for John’s hotmail
User: All he can do is read my email!
Hotmail inbox: Welcome to mybank.com
Mybank.com: Forgot your password? Click here and we’ll email you a new one
Typical Vendor
Terrible Solution
function encryptpass($password)
{
    // Hard-coded key: anyone who can read the source can decrypt every stored password
    $key = "omgakey";
    return base64_encode(
        mcrypt_encrypt(
            MCRYPT_RIJNDAEL_256,
            $key, $password,
            …
function decryptpass($secret)
{
    $key = "omgakey";
    …
Comically terrible solution
User Solutions
Lastpass and similar apps
Unique passwords everywhere!
Uptake from users: very low
Hash Algorithms!
MD5: Officially Broken! Do not want!
SHA1: Published 1995, theoretical attack: 2^61
SHA256: Brute force at 2^128
This would make SHA256 completely secure for our purposes, for completely random input
But passwords are not random
Key space
One byte stores eight bits of data
But only 96 ASCII characters are printable
That leaves roughly 6.5 bits of entropy per byte
Average password is 6 characters long
That’s only 39 bits of brute force - feasible
Improvements
Stretching: Literally “perform the hash x times”
Salt: incorporate a random string. This prevents “rainbow tables”, i.e. a big database of precomputed hash values
SHA512crypt
Literally applies the principles of “stretching” and “salting” to SHA512
Default in several current Linux distributions for passwords in /etc/shadow
Bitcoin
Uses the SHA algorithm
CPU: Core i7 820: 13.8Mhash/s
GPU: GTX295: 120.70Mhash/s
ASIC: Antminer S1: 180,000Mhash/s
Source: https://en.bitcoin.it/wiki/Mining_hardware_compa
Scrypt
Developed by Colin Percival, presented May 2009
Designed to offer significantly lower advantages to GPU and ASIC devices
Uses a hard to optimise hash function
Is not only computationally hard, but also memory hard
Original paper: http://www.tarsnap.com/scrypt/scrypt.pdf
Used in Dogecoin
Dogecoin ASICs pushing 70KHash/s: a big deal!
Increasing difficulty doesn’t just slow things down, it can break those ASICs by exceeding their memory
Very short algorithm summary
Source: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-0
Problem: Accessibility
Use in applications: Reference app
Implementation function:
Produces a binary string as output
Introducing libscrypt
Simpler API:
Produces one string containing salt, difficulty operators and hash altogether
Output is already BASE64 encoded, ready for storage
Simple checking function
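The idea on this slide, one printable record holding salt, cost parameters and hash plus a single checking call, sketched as an added example using Python's hashlib.scrypt; it is not from the slides and is not libscrypt's code or its storage format. The names hash_password and check_password, the "$scrypt-demo$" record layout and the parameter limits are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "scrypt-demo"      # made-up tag for this example's record layout
MAX_LOG2_N = 16             # largest work factor accepted from a stored record
MAXMEM = 128 * 1024 * 1024  # memory ceiling passed to the scrypt call


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, log2_n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=1 << log2_n,
                          r=r, p=p, maxmem=MAXMEM, dklen=32)


def hash_password(password: str, log2_n: int = 14, r: int = 8, p: int = 1) -> str:
    """Return one printable record: tag, cost parameters, salt and hash."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = _derive(password, salt, log2_n, r, p)
    return f"${PREFIX}${log2_n},{r},{p}${_b64(salt)}${_b64(digest)}"


def check_password(stored: str, password: str) -> bool:
    """Recompute the hash from the record's own salt and parameters."""
    try:
        _, tag, params, salt_b64, hash_b64 = stored.split("$")
        log2_n, r, p = (int(x) for x in params.split(","))
        # Reject unknown layouts and costs outside the accepted range before
        # doing any expensive work on parameters read from storage.
        if tag != PREFIX or not (1 <= log2_n <= MAX_LOG2_N
                                 and 1 <= r <= 8 and 1 <= p <= 4):
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        actual = _derive(password, salt, log2_n, r, p)
    except ValueError:
        return False  # malformed record or unusable parameter combination
    return hmac.compare_digest(actual, expected)
```

Because the cost parameters travel inside the record, the difficulty can be raised for new passwords without breaking verification of old ones.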
Accessibility: Platform support
Fedora RPM
Debian (and derivatives) package
FreeBSD ports
OpenBSD ports
Homebrew (OS X)
Tested on ARM (Raspbian)
Tested on IBM s390 for some reason
Difficulties
Potential DoS opportunity
Rate limit
Proof of work
Captcha
Future Improvements
HSM
Polypasshash
Questions?