Checksums are not secure
Slide 1
Checksum != Security
An example hacking into bad Javascript authentication
Slide 2
Agenda: What’s so Bad? / The Enemy / Breaking Bad / Closing
Found in the wild: a web app testing environment
Slide 3

```javascript
// Client-side passkey gate found in the wild. The only check is that a
// home-made checksum of the entered string equals the constant 9887; the
// constant and the checksum function both ship to the browser.
function promptUserForPassword(pass) {
  if (jesChecksum(pass) != 9887) {
    pass = prompt("Please enter the passkey", "");
    if (pass == null) {
      document.location.href = defaultHref;
    } else {
      verifyPassword(pass);
    }
  } else {
    successfulLogin(pass);
  }
}
```
Slide 4

```javascript
// The "checksum" guarding the login: the sum of each UTF-16 code unit
// multiplied by the i-th prime. Only 25 primes are listed, so any input
// longer than 25 characters multiplies by undefined and returns NaN.
function jesChecksum(str) {
  var primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97];
  var rtn = 0;
  for (var i = 0; i < str.length; i++) {
    var tmp = str.charCodeAt(i) * primes[i];
    rtn = rtn + tmp;
  }
  return rtn;
}
```
Slide 5
A hash function is any function that can be used to map digital data of any size to digital data of a fixed size.
Slide 6
“Checksums are often used to verify data integrity, but should not be relied upon to also verify data authenticity.”
Slide 7
“It is infeasible to find two different messages with the same [cryptographic] hash.”
Slide 8
It should be feasible to find two different messages with the same checksum.
Slide 9
Find “pass” such that jesChecksum(pass) == 9887
Slide 10

```javascript
function jesChecksum(str) {
  …
  for (i = 0; i < (str.length); i++) { tmp = str.charCodeAt(i) * primes[i]; rtn = rtn + tmp; }
  …
}
```

The simplicity of this algorithm, a linear combination of the input’s code units with known weights, makes it very easy to solve for an input with any chosen checksum.
Slide 11
Thanks to Unicode: solve 2x + 3y = 9887 over the integers. For a two-character passkey the weights are the first two primes, 2 and 3, and x and y are the two UTF-16 code units, which Unicode lets range far beyond the ASCII table.
One such solution is “Ŏఁ”: `Ŏఁ = String.fromCharCode(334, 3073)`, since 2·334 + 3·3073 = 668 + 9219 = 9887.
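The weakness on slides 9 to 11, worked through as an added example (my code, not the talk’s): it restates the slide’s jesChecksum over a shared prime table, enumerates every two-character string whose checksum is 9887 by solving 2x + 3y = 9887 over the UTF-16 code-unit range, and goes one step further than the slides by also finding a keyboard-typeable preimage, fixing a prefix and solving for the last two printable-ASCII characters. The function names twoCharPreimages and asciiPreimage are my own.

```javascript
// Added example, not from the slides.
// Prime weights used by the checksum shown on slide 4.
var PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
              53, 59, 61, 67, 71, 73, 79, 83, 89, 97];

// Same arithmetic as slide 4's jesChecksum: sum of code unit * i-th prime.
function jesChecksum(str) {
  var rtn = 0;
  for (var i = 0; i < str.length; i++) {
    rtn += str.charCodeAt(i) * PRIMES[i];
  }
  return rtn;
}

// A two-character string has checksum 2*x + 3*y, where x and y are UTF-16
// code units in 0..0xFFFF. Enumerate every (x, y) with 2x + 3y = target: a
// linear Diophantine equation, solved by walking x and keeping the values
// where (target - 2x) is a non-negative multiple of 3.
function twoCharPreimages(target) {
  var results = [];
  for (var x = 0; x <= 0xFFFF && 2 * x <= target; x++) {
    var rem = target - 2 * x;
    if (rem % 3 !== 0) continue;
    var y = rem / 3;
    if (y <= 0xFFFF) results.push(String.fromCharCode(x, y));
  }
  return results;
}

// The Unicode trick is not even required. Fix a prefix of 'a' characters,
// then brute-force the last two printable-ASCII characters (32..126) against
// the remaining budget. Consecutive primes are coprime, so once the budget
// is small enough some prefix length admits a solution. Returns null if no
// length within the 25-entry prime table works.
function asciiPreimage(target) {
  var FILL = 97; // 'a'
  for (var k = 0; k + 2 <= PRIMES.length; k++) {
    var prefixSum = 0;
    for (var j = 0; j < k; j++) prefixSum += FILL * PRIMES[j];
    var budget = target - prefixSum;
    var p = PRIMES[k], q = PRIMES[k + 1];
    for (var c = 32; c <= 126; c++) {
      var rest = budget - p * c;
      if (rest < 0) break;
      if (rest % q !== 0) continue;
      var d = rest / q;
      if (d >= 32 && d <= 126) {
        var prefix = new Array(k + 1).join("a");
        return prefix + String.fromCharCode(c, d);
      }
    }
  }
  return null;
}
```

For the target 9887 there are 1648 two-character preimages alone, and asciiPreimage finds a nine-character all-ASCII passkey; a gate with that many equivalent keys authenticates nothing, which is slide 8’s point made concrete.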
Slide 12
Using the right tool for the job requires you to understand the tools available.
Slide 13
Don’t roll your own security either.
Slide 14
And definitely don’t do security client side in Javascript.
Slide 15
Thanks
Justin Mancinelli
@piannaf, http://piannaf.github.io
https://www.linkedin.com/in/justinmancinelli
Slide 16
Slide 5: http://en.wikipedia.org/wiki/Hash_function
Slide 6: http://en.wikipedia.org/wiki/Checksum
Slide 7: http://en.wikipedia.org/wiki/Cryptographic_hash_function
Slide 8: http://blog.codinghorror.com/checksums-and-hashes/
Slide 13: http://xkcd.com/1286/ and http://www.explainxkcd.com/wiki/index.php/Encryptic