secure password storage

Download Secure Password Storage

Post on 24-Feb-2016

71 views

Category:

Documents

0 download

Embed Size (px)

DESCRIPTION

Secure Password Storage. Raspberry Pi Powered NTP Server. Joshua Small https://github.com/technion/lhnskey - Root password generator for CVE-2013-2352. https:// lolware.net/cw.html Connectwise Password Encryption Broken jsmall@lolware.net - PowerPoint PPT Presentation

TRANSCRIPT

Secure Password Storage

Secure Password StorageJoshua Smallhttps://github.com/technion/lhnskey - Root password generator for CVE-2013-2352.

https://lolware.net/cw.html Connectwise Password Encryption Brokenjsmall@lolware.net

DJBs crypto snake oil competition submission: http://snakeoil.cr.yp.to/submissions.htmlRaspberry Pi Powered NTP Server

Typical Web Sign Up Form

The Problem

Typical Usershinycatz.com Compromise

Attacked notices:secret is the password for Johns hotmail

User: All he can do is read my email!

Hotmail inbox: Welcome to mybank.com

Mybank.com: Forgot your password? Click here and well email you a new oneshinycatz.comEmail: john@hotmail.comPassword: secretUser: Oh all they can do is produce fake cats in my name!

Mybank.comEmail: john@hotmail.comPassword: supersecretUnique password good boy John!

Typical Vendor

Terrible Solutionfunction encryptpass($password){$key = omgakey;Return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,$key, $password,Function decryptpass($secret){$key = omgakey;

Comically terrible solution

User SolutionsLastpass and similar appsUnique passwords everywhere!Uptake from users: very lowHash Algorithms!MD5: Officially Broken! Do not want!SHA1: Published 1995, theoretical attack: 2^61SHA256: Brute force at 2^128This would make SHA256 completely secure for our purposes, for completely random inputBut passwords are not randomKey spaceOne byte stores eight bit of dataBut only 96 ASCII characters are printableThat leaves roughly 6.5 bits of entropy per byteAverage password is 6 characters longThats only 39 bits of brute force - feasibleImprovementsStretching: Literally perform the hash x timesSalt: incorporate a random string. This prevents rainbow tables, ie a big database of precomputed hash valuesSHA512cryptLiterally applies the principles of stretching and salting to SHA512Default in several current Linux distributions for passwords in /etc/shadowBitcoinUses the SHA algorithmCPU: Core i7 820: 13.8Mhash/sGPU: GTX295: 120.70Mhash/sASIC: Antminer S1: 180,000Mhash/s

Source: https://en.bitcoin.it/wiki/Mining_hardware_comparisonScryptDeveloped by Colin Percival, presented May 2009Designed to offer significantly lower advantages to GPU and ASIC devicesUses a hard to optimise hash functionIs not only computationally hard- but memory hardOriginal paper: http://www.tarsnap.com/scrypt/scrypt.pdfUsed in DogecoinDogecoin ASICS pushing 70KHash/s a big deal!Increasing difficulty doesnt just slow things down, it can break those ASICS by exceeding their memory

Very short algorithm summary

Source: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-00Problem: AccessibilityUse in applications: Reference appImplementation function:

Produces a binary string as output

Introducing libscryptSimpler API:

Produces one string containing salt, difficulty operators and hash altogetherOutput is already BASE64 encoded, ready for storageSimple checking function

Accessibility: Platform supportFedora RPMDebian (and derivatives) package FreeBSD portsOpenBSD portsHomebrew (OS X)Tested on ARM (Raspbian)Tested on IBM s390 for some reasonDifficultiesPotential DoS opportunityRate limitProof of workCaptchaFuture ImprovementsHSMPolypasshash

Questions?