Transcript Secure Password Storage

Secure Password
Storage Raspberry Pi
JOSHUA SMALL
HTTPS://GITHUB.COM/TECHNION/
LHNSKEY - ROOT PASSWORD
GENERATOR FOR
CVE-2013-2352.
HTTPS://LOLWARE.NET/CW.HTML –
CONNECTWISE PASSWORD
“ENCRYPTION” BROKEN
[email protected]
DJB’S CRYPTO SNAKE OIL
COMPETITION SUBMISSION:
HTTP://SNAKEOIL.CR.YP.TO/SUBMISSIO
NS.HTML
Powered NTP
Server
Typical Web Sign Up Form
The Problem
Typical User
shinycatz.com
Email: [email protected]
Password: secret
User: Oh all they can do is
produce fake cats in my
name!
Mybank.com
Email: [email protected]
Password: supersecret
Unique password – good
boy John!
shinycatz.com Compromise
Attacked notices:
“secret” is the password for John’s
hotmail
User: All he can do is read my
email!
Hotmail inbox: Welcome to
mybank.com
Mybank.com: Forgot your
password? Click here and we’ll
email you a new one
Typical Vendor
Terrible Solution
function encryptpass($password)
{
$key = “omgakey”;
Return base64_encode(
mcrypt_encrypt(
MCRYPT_RIJNDAEL_256,
$key, $password,
…
Function decryptpass($secret)
{
$key = “omgakey”;
…
Comically terrible solution
User Solutions

Lastpass and similar apps

Unique passwords everywhere!

Uptake from users: very low
Hash Algorithms!

MD5: Officially Broken! Do not want!

SHA1: Published 1995, theoretical attack: 2^61

SHA256: Brute force at 2^128

This would make SHA256 completely secure for
our purposes, for completely random input

But passwords are not random
Key space

One byte stores eight bit of data

But only 96 ASCII characters are printable

That leaves roughly 6.5 bits of entropy per byte

Average password is 6 characters long

That’s only 39 bits of brute force - feasible
Improvements

Stretching: Literally “perform the hash x times”

Salt: incorporate a random string. This prevents
“rainbow tables”, ie a big database of
precomputed hash values
SHA512crypt

Literally applies the principles of “stretching” and
“salting” to SHA512

Default in several current Linux distributions for
passwords in /etc/shadow
Bitcoin

Uses the SHA algorithm

CPU: Core i7 820: 13.8Mhash/s

GPU: GTX295: 120.70Mhash/s

ASIC: Antminer S1: 180,000Mhash/s
Source: https://en.bitcoin.it/wiki/Mining_hardware_compa
Scrypt

Developed by Colin Percival, presented May 2009

Designed to offer significantly lower advantages to
GPU and ASIC devices

Uses a hard to optimise hash function

Is not only computationally hard- but memory hard

Original paper:
http://www.tarsnap.com/scrypt/scrypt.pdf

Used in Dogecoin

Dogecoin ASICS pushing 70KHash/s a big deal!

Increasing difficulty doesn’t just slow things down, it
can break those ASICS by exceeding their memory
Very short algorithm
summary
Source: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-0
Problem: Accessibility

Use in applications: Reference app

Implementation function:

Produces a binary string as output
Introducing libscrypt

Simpler API:

Produces one string containing salt, difficulty
operators and hash altogether

Output is already BASE64 encoded, ready for
storage

Simple checking function
Accessibility: Platform
support

Fedora RPM

Debian (and derivatives) package

FreeBSD ports

OpenBSD ports

Homebrew (OS X)

Tested on ARM (Raspbian)

Tested on IBM s390 for some reason
Difficulties

Potential DoS opportunity

Rate limit

Proof of work

Captcha
Future Improvements

HSM

Polypasshash

Questions?