secure password storage joshua small https://github.com/technion/...

Post on 17-Dec-2015


Secure Password Storage

Joshua Small

jsmall@lolware.net

https://github.com/technion/lhnskey - root password generator for CVE-2013-2352.

https://lolware.net/cw.html - ConnectWise password "encryption" broken

DJB's crypto snake oil competition submission: http://snakeoil.cr.yp.to/submissions.html

Raspberry Pi Powered NTP Server

Typical Web Sign Up Form

The Problem

Typical User

shinycatz.com
Email: john@hotmail.com
Password: secret
User: Oh, all they can do is produce fake cats in my name!

Mybank.com
Email: john@hotmail.com
Password: supersecret
Unique password – good boy John!

shinycatz.com Compromise

Attacker notices: "secret" is the password for John's hotmail

User: All he can do is read my email!

Hotmail inbox: Welcome to mybank.com

Mybank.com: Forgot your password? Click here and we'll email you a new one

Typical Vendor

Terrible Solution

// Deliberately terrible, as presented in the deck: a hard-coded key and reversible
// "encryption", so anyone holding the source plus the database recovers every password.
// The slide omits the mode argument; ECB is assumed here so the snippet runs
// (mcrypt extension; PHP < 5.6 silently zero-pads this 7-byte key).
function encryptpass($password)
{
    $key = "omgakey";
    return base64_encode(
        mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $password, MCRYPT_MODE_ECB));
}

function decryptpass($secret)
{
    $key = "omgakey";
    // Reversible by design: the stored value is the password, not a hash of it
    return rtrim(
        mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($secret), MCRYPT_MODE_ECB),
        "\0");
}

Comically terrible solution

User Solutions

LastPass and similar apps

Unique passwords everywhere!

Uptake from users: very low

Hash Algorithms!

MD5: Officially Broken! Do not want!

SHA1: Published 1995, theoretical attack: 2^61

SHA256: Brute force at 2^128

This would make SHA256 completely secure for our purposes, for completely random input

But passwords are not random

Key space

One byte stores eight bits of data

But only 96 ASCII characters are printable

That leaves roughly 6.5 bits of entropy per byte

Average password is 6 characters long

That's only 39 bits to brute force: feasible

Improvements

Stretching: Literally “perform the hash x times”

Salt: incorporate a random string. This prevents "rainbow tables", i.e. a big database of precomputed hash values

SHA512crypt

Literally applies the principles of “stretching” and “salting” to SHA512

Default in several current Linux distributions for passwords in /etc/shadow

Bitcoin

Uses the SHA algorithm

CPU: Core i7 820: 13.8Mhash/s

GPU: GTX295: 120.70Mhash/s

ASIC: Antminer S1: 180,000Mhash/s

Source: https://en.bitcoin.it/wiki/Mining_hardware_comparison

Scrypt

Developed by Colin Percival, presented May 2009

Designed to give GPU and ASIC devices a much smaller advantage over CPUs

Uses a hash function that is hard to optimise

Not only computationally hard, but memory hard

Original paper: http://www.tarsnap.com/scrypt/scrypt.pdf

Used in Dogecoin

Dogecoin ASICs pushing 70 KHash/s is a big deal!

Increasing difficulty doesn't just slow things down, it can break those ASICs by exceeding their memory

Very short algorithm summary

Source: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-00

Problem: Accessibility

Use in applications: Reference app

Implementation function:

Produces a binary string as output

Introducing libscrypt

Simpler API:

Produces one string containing salt, difficulty parameters and hash altogether

Output is already BASE64 encoded, ready for storage

Simple checking function
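An added example, not code from the deck or from libscrypt: the stretching and salting idea above, done with Python's hashlib.scrypt, storing N, r and p alongside the salt and hash in one string (the "scrypt:" layout here is hypothetical, not libscrypt's) with a matching checking function, plus the 128*r*N memory estimate behind the earlier point about fixed-memory ASICs.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factors for this example, not libscrypt's defaults.
LOG2_N, R, P = 14, 8, 1
SALT_BYTES, DKLEN = 16, 32

def scrypt_memory_bytes(log2_n: int, r: int) -> int:
    """Bytes scrypt needs for its large scratch array: 128 * r * N.
    Raising N or r raises this, which is why fixed-memory ASICs break."""
    return 128 * r * (1 << log2_n)

def hash_password(password: str, salt: Optional[bytes] = None,
                  log2_n: int = LOG2_N, r: int = R, p: int = P) -> str:
    """Return one self-describing string: scrypt:log2N:r:p:b64(salt):b64(hash).
    A fresh random salt per password defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=1 << log2_n, r=r, p=p, dklen=DKLEN)
    return "scrypt:%d:%d:%d:%s:%s" % (
        log2_n, r, p,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))

def check_password(password: str, stored: str) -> bool:
    """Recompute with the parameters and salt carried in the stored string
    and compare in constant time. Malformed input is simply a failed check."""
    try:
        tag, log2_n, r, p, salt_b64, hash_b64 = stored.split(":")
        if tag != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=1 << int(log2_n), r=int(r), p=int(p),
                            dklen=len(expected))
    except ValueError:  # bad field count, bad base64, bad work factors
        return False
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    record = hash_password("secret")          # what you would store
    print(check_password("secret", record))   # True
    print(scrypt_memory_bytes(LOG2_N, R))     # 16777216 (16 MiB)
```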

Accessibility: Platform support

Fedora RPM

Debian (and derivatives) package

FreeBSD ports

OpenBSD ports

Homebrew (OS X)

Tested on ARM (Raspbian)

Tested on IBM s390 for some reason

Difficulties

Potential DoS opportunity

Rate limit

Proof of work

Captcha

Future Improvements

HSM

Polypasshash

Questions?
