A quick rant about Web App crypto
BruCON 2011 Lightning talk (5 minutes)

http://c22.cc

Usage Rights

© All Rights Reserved

Presentation Transcript

  • Just in case!
    • If you feel nauseous, scared or light-headed
      • Please raise your hand
      • Ask the person next to you for assistance
      • Exit through the marked emergency exits
  • The problem (0)
    • Web App testers are scared by crypto
      • OMGWTFBBQ it’s so complex
      • Yes, it can be…
      • But it isn’t always so complex
  • The problem (1)
    • Developers are scared by crypto
      • OMGWTFBBQ
      • Sometimes they get it wrong
      • Soooo wrong!
  • So what?!??*&!
    • It’s our job as testers to find these bugs
    • It’s not our job to say
      • Well it looks good from here
      • That’s a long number
        • Long numbers are scary
      • Hashed… that’s secure
  • Revealing the stupid (0)

        <script type="text/javascript" src="../md5.js"></script>
        <script type="text/javascript">
        // The only input to the key is the millisecond field of the current time
        function generateEncryptionKey(key) {
          time = new Date();
          key = MD5(time.getMilliseconds().toString());
          // Each pass appends the MD5 of the string built so far
          while (key.length < 66) {
            key = key + MD5(key);
          }
          return key;
        }
        </script>
  • Revealing the stupid (2)
    • Breaking it down!
    • Milliseconds
      • (1000 possible values – 0..999)
    • Multiple rounds of MD5
      • This doesn’t make things more secure!
      • Just makes the EncryptionKey longer
  • OMG Maths! (0)
    • Example
      • time.getMilliseconds().toString() = "0"
    • First Round
      • Key = MD5("0")
        • cfcd208495d565ef66e7dff9f98764da
      • Length 32
  • OMG Maths! (1)
    • Second Round
      • Key = {Key} + MD5({Key})
        • cfcd208495d565ef66e7dff9f98764da
        • dcfcd07e645d245babe887e5e2daa016
      • Length 64
  • OMG Maths! (2)
    • Third Round (final round)
      • Key = {Key} + MD5({Key})
        • cfcd208495d565ef66e7dff9f98764da
        • dcfcd07e645d245babe887e5e2daa016
        • a13c97ca5d73f82f3d62c0f65d414eee
      • Length 96