Download - Password Storage and Attacking in PHP

Password Storage(And Attacking)

In PHP

Anthony Ferrara

Github URL

Follow Along:

github.com/ircmaxell/password-bad-web-app

A "Bad Web App" - Has Known Vulnerabilities - Only Use For Education!!! - Requires only Apache + PHP - Has Composer Dependencies

Let's StartFrom The Beginning

Plain-Text Storagegit checkout plaintext

Stores passwords in Plain-Text

What's wrong with this picture?

Plain-Text Storage

What happens if we have a SQL-Injection Vulnerability?

localhost/sqli

Simulates:

?offset=0'+UNION+SELECT+*+FROM+users

Plain-Text Storage

Problem!

Any attack vector results in leakage of ALL credentials!

We Can Do Better

MD5git checkout md5

Uses the MD5 Cryptographic Hash function.

md5($password)

hash('md5', $password)

Wait,What Is A Hash?

What's A Cryptographic Hash?

Like a fingerprint.

One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)

MD5

What's the problem now?

SQL-Injection still gives us hash

But the hash is one-way, how can we attack it?

Enter:Lookup Tables

Lookup Table

Google is a great example

Maps hash to password directly

Database Table:hash | password--------------+-----------"5f4dcc3b..." | "password""acbd18db..." | "foo"

Lookup Table

Lookups are CPU efficient.

Require a LOT of storage space - (Very space inefficient)

All passwords <= 7 chars (95^7, 70 Trillion)Requires 1.5 PetaBytes - In Most Optimal Storage Format

We Can Do Better

Rainbow Table

Seed

Hash

Reduce

Hash

Rainbow Table

Seed

Hash

Reduce

Hash

a4fef...

Reduce

NewPassword

Rainbow Table

Seed 1 Hash Reduce Hash Reduce Hash Reduce Hash






Rainbow Table

Time/Space Tradeoff - Slower than a Lookup Table - Uses Much less storage

Most (99.9%) passwords <= 7 charsRequires only 64 GB - Chain length of 71,000

Defense!

Salted MD5git checkout salted-md5

Uses the MD5 Cryptographic Hash function.But adds a random salt UNIQUE per user.

md5($salt . $password)

hash('md5', $salt . $password)

Salts

Must be unique! - Per Hash - Globally

Should be random - Strong!!! - Reasonably long (at least 64 bits)

Salted MD5

What's the problem now?

SQL-Injection still gives us hash - And the salt

But the salt defeats rainbow tables...

Can Anyone See The Problem?


Like a fingerprint.

One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)


Like a fingerprint.

One-way.

- Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)

Hash FunctionsAre Made To Be

FAST

Brute Forcing

Several Tools Available - John The Ripper - OCIHashCat

A Lot Faster Than You May Think

Brute Forcing

Multiple Ways To Attack - Mask Based (permutations) - Dictionary Based - Combinator Based - Combinations of dictionary words - Fingerprint Based - Combinators applied with permutations - Rule Based - Takes input password and transforms it

Brute ForcingSalted MD5

2012 Macbook Pro: - md5: 33 million per second - sha256: 20 million per second

Mask Attack:6 char passwords: 5 hours7 char passwords: 22 daysEntire English Language: 1.8 seconds"LEET" Permutations: 1 hour

We Can Do Better


25 GPU Cluster - md5: 180 Billion per second - < $50,000

6 char passwords: 4 seconds7 char passwords: 6 minutes8 char passwords: 10 hoursEntire English Language:"LEET" Permutations:


25 GPU Cluster - md5: 180 Billion per second - < $50,000

6 char passwords: 4 seconds7 char passwords: 6 minutes8 char passwords: 10 hoursEntire English Language: yeah..."LEET" Permutations: 0.7 seconds

But Wait,I Thought MD5 Was Broken?

MD5 IS Broken!

But No Other Primitive Hash Is Not!!!

sha1≈ md5 sha256 ≈ md5sha512 ≈ md5whirlpool ≈ md5

ALL raw primitive hashes are broken for password storage.

So, How Can We Combat Such

Hardware?

Iterated MD5git checkout iterated-md5

Uses the MD5 Cryptographic Hash function.But adds a random salt UNIQUE per user.And iterates a lot of times

do { $h = md5($h . $salt . $password)} while($i++ < 1000);

We're Intentionally

Slowing It Down

Brute ForcingIterated MD5

25 GPU Cluster - md5: 70 million per second

6 char passwords: 17 minutes7 char passwords: 1 day8 char passwords: 124 days

Entire English Language: 0.8 seconds

We Can Do Better

PBKDF2git checkout pbkdf2

Uses the standard PBKDF2 algo - With SHA512 primitive

Slower, and harder to use on GPU

pbkdf2($pass, $salt, 10000, 40)

Brute ForcingPBKDF2

25 GPU Cluster - PBKDF2(sha512): 300,000 per second

6 char passwords: 28 days7 char passwords: 7 years8 char passwords: 700 years

Entire English Language: 3 minutes

We Can StillDo Better

BCryptgit checkout bcrypt

Uses the standard BCrypt algo - based on Blowfish cipher

Same execution time,Much harder to run on GPU

crypt $2a$

Brute ForcingBCrypt

25 GPU Cluster - BCrypt: 70,000 per second

6 char passwords: 120 days7 char passwords: 31 years8 char passwords: 3000 years

Entire English Language: 14 minutes

A Note On Cost

BCrypt accepts a "cost" parameter

Must be tuned per server! - Target about 0.25 to 0.5 second runtime - Cost of 10 is a good baseline - Cost of 11 or 12 is better - If you have decent hardware.

PHP 5.5 Password Hashing APIgit checkout password-compat

A thin wrapper over crypt() - Simplifies implmentation - Strong random salt generation - Can specify cost as int option

password_hash($pass, $algo, $opts)password_verify($pass, $hash)

github.com/ircmaxell/password_compat

We Can DoEven Better!

Let's Encrypt Instead!

Encrypted BCryptgit checkout bcrypt-with-encryption

Hash with BCrypt,Then encrypt result with AES-128.

Requires key storage for the app. - Not trivial

Use only if needed! - BCrypt alone is typically sufficient

Brute ForcingEncrypted BCrypt

Attack requires low level server compromise! - SQL Injection is not enough!

localhost/codeinject - Simulates code injection that reads source

Any low level compromiseIs No Worse than raw BCrypt - BCrypt is the baseline.

The Future

The Future

scrypt - Sequential Memory Hard - Uses a LOT of memory (32mb / hash) - Harder to brute-force than bcrypt

But it's VERY new - In cryptography terms at least - Not proven enough for use (yet)

The Future

Password Hashing Competition - Currently being setup - Aims to pick "standard" password hashing algorithm - A community effort

The Future

Brute Forcing Word Lists - Complex combinations of words - "horse correct battery staple"

Brute Forcing Grammar - "I don't want no cookies"

Brute Forcing Structures - URLs, Email Addresses, URLs, etc

Anthony Ferrarajoind.in/7792@ircmaxell

[email protected]/ircmaxell

Download - Password Storage and Attacking in PHP

Top Related