A quick rant about Web App crypto

BruCON 2011 Lightning talk (5 minutes)

http://c22.cc

Published in: Technology, Education

Slide 4: Just in-case!
  • If you feel nauseous, scared or light-headed
    • Please raise your hand
    • Ask the person next to you for assistance
    • Exit through the marked emergency exits

Slide 5: The problem (0)
  • Web App testers are scared by crypto
    • OMGWTFBBQ it's so complex
    • Yes, it can be…
    • But it isn't always so complex

Slide 6: The problem (1)
  • Developers are scared by crypto
    • OMGWTFBBQ
    • Sometimes they get it wrong
    • Soooo wrong!

Slide 7: So what?!??*&!
  • It's our job as testers to find these bugs
  • It's not our job to say
    • Well, it looks good from here
    • That's a long number
      • Long numbers are scary
    • Hashed… that's secure
    • …

Slide 11: Revealing the stupid (0)

    <script type="text/javascript" src="../md5.js"></script>
    <script type="text/javascript">
    function generateEncryptionKey(key) {
      // the key parameter is never used: the key is derived solely from
      // the current millisecond of the clock
      time = new Date();
      key = MD5(time.getMilliseconds().toString());
      while (key.length < 66) {
        key = key + MD5(key);
      }
      return key;
    }
    </script>
Slide 13: Revealing the stupid (2)
  • Breaking it down!
  • Milliseconds
    • 1000 possible values (0..999)
  • Multiple rounds of MD5
    • This doesn't make things more secure!
    • It just makes the EncryptionKey longer

Slide 14: OMG Maths! (0)
  • Example
    • time.getMilliseconds().toString() = 0
  • First round
    • Key = MD5(0)
      • cfcd208495d565ef66e7dff9f98764da
    • Length 32

Slide 15: OMG Maths! (1)
  • Second round
    • Key = {Key} + MD5({Key})
      • cfcd208495d565ef66e7dff9f98764da
      • dcfcd07e645d245babe887e5e2daa016
    • Length 64

Slide 16: OMG Maths! (2)
  • Third round (final round)
    • Key = {Key} + MD5({Key})
      • cfcd208495d565ef66e7dff9f98764da
      • dcfcd07e645d245babe887e5e2daa016
      • a13c97ca5d73f82f3d62c0f65d414eee
    • Length 96
