SlideShare a Scribd company logo

Crypto workshop 4 - Hashing, Tokens, Randomness

H
hannob

Slides from a workshop I held on cryptography for web developers. Part 4 is about common misconceptions around random number generators, token generation and hashing. https://blog.hboeck.de/archives/849-Slides-from-cryptography-workshop-for-web-developers.html

InternetTechnologyEducation
1 of 13
Download to read offline
Random numbers Hashes Cryptography for Software and Web Developers Part 4: randomness, hashing, tokens Hanno B¨ock 2014-05-28 1 / 13
Random numbers Hashes Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness In security (not just crypto) we often need random numbers Examples: CSRF-tokens, one-time-action tokens, password salts, key generation, ... There’s even crypto out there that needs good random numbers to run or it’ll completely break: DSA, ECDSA (but better avoid that). Good randomness is hard 2 / 13
Random numbers Hashes Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness OS or programming language default random functions often not secure random numbers. Rounding problems, conversion problems can reduce space of possible random numbers vastly. 2008 Debian OpenSSL bug. PRNGs need a seed or they don’t work. NSA managed to make a backdoored RNG an official standard and payed RSA Inc. 10 Million $ to make it the default in BSAFE No way to test random numbers reliably. 3 / 13
Random numbers Hashes Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness An RSA public key consists of an exponent e and a modulus N which is the product of two primes If you know the primes you can get the private key What happens if we have two RSA keys with a shared prime, e. g. N1 = p ∗ q1, N2 = p ∗ q2? You can break this key with the greatest common divisor algorithm. Some people tried this with lots of SSH and TLS keys and found over 50 embedded devices that created such factorable keys. [url] Linux seed sources: HD timings, keyboard strokes, mouse movements. Embedded devices often have no HD, no keyboard, no mouse. 4 / 13
Random numbers Hashes Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness PHP good: openssl random pseudo bytes(), PHP bad: mt rand(), rand(), uniqid() JavaScript good: window.crypto.getRandomValues(), bad: Math.random() (only latest browser support window.crypto.getRandomValues()) /dev/urandom is good if it is properly seeded. For embedded devices: Better create the keys on a desktop PC. 5 / 13
Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources So many people have wrong ideas about hashes... Completely typical situation: I write about cryptographic hashes, people in the comments discuss about password hashes and salting Hashes used in many contexts: error detection (CRC32), signatures (SHA256, SHA516), passwords (bcrypt, scrypt) If you use a hash function you need to know what it should do 6 / 13
Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources CRC32: Very fast, no security at all Reliably detects errors, but trivial to construct another input for an existing hash Usable only for errors and if no attacker is involved (e. g. error detection on hard disks or file comparison over otherwise secure network connections). 7 / 13
Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources Cryptographic hashes need to be collision resistant and preimage resistant Collision: It should be practically impossible to create two different inputs with same hash Preimage: It should be practically impossible to create an input for a given hash value. Used in many places, e. g. signatures Some crypto protocols need hashes and don’t have collision resistance requirement (e. g. HMAC), but that’s usually not something that should bother you 8 / 13
Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources In 2004/2005 big breakthroughs on hash attacks, mostly the work of a Chinese team led by Wang Xiaoyun. Most important results: practical collision attacks on MD5, almost practical attacks on SHA1 2008: MD5 attack on RapidSSL leads to fake CA, 2012: Flame worm uses MD5 attack to create rogue code signing cert SHA-2 functions (SHA256, SHA512) considered safe today, SHA-3 will come soon. 9 / 13
Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources Idea: We don’t save passwords, we just save hashes so if our database gets stolen the attacker has no direct access to the passwords Attackers can brute force Salting makes it harder Security requirements for password hashes completely different from cryptographic hash functions Collision resistance doesn’t matter, they should ideally not be fast 10 / 13
Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources glibc uses several iterations of cryptographic hashes (default SHA512) and a salt. bcrypt and scrypt are functions designed to be password hashes. bcrypt is designed to be slow, scrypt is designed to be slow and use lots of memory. There’s a Password Hashing Competition (PHC), results expected in 2015. 11 / 13
Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources The importance of secure password hashing is IMHO vastly overstated. glibc-type SHA512, bcrypt, scrypt are all ”good enough”, just make sure you have a salt. Password hashing only gives you a tiny little bit of extra protection if your database gets stolen. But if that happens you’re screwed anyway. Make sure nobody steals your database. That’s much more important. 12 / 13
Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources Factorable RSA keys https://factorable.net/ http://media.ccc.de/browse/congress/2012/ 29c3-5275-en-facthacks_h264.html Password Hashing Competition https://password-hashing.net/ 13 / 13

Recommended

Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012Jose L. Quiñones-Borrero
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Symantec SMB File Sharing Flash Poll
Symantec SMB File Sharing Flash PollSymantec SMB File Sharing Flash Poll
Symantec SMB File Sharing Flash PollSymantec
 
Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLShannob
 
rdp remotefx spice arm-linux thin client
rdp remotefx spice arm-linux thin clientrdp remotefx spice arm-linux thin client
rdp remotefx spice arm-linux thin clientliwu.dong
 
Breaking out of restricted RDP
Breaking out of restricted RDPBreaking out of restricted RDP
Breaking out of restricted RDPSecurity BSides London
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)hannob
 
The Fuzzing Project - 32C3
The Fuzzing Project - 32C3The Fuzzing Project - 32C3
The Fuzzing Project - 32C3hannob
 

Recommended

Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012Jose L. Quiñones-Borrero
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Symantec SMB File Sharing Flash Poll
Symantec SMB File Sharing Flash PollSymantec SMB File Sharing Flash Poll
Symantec SMB File Sharing Flash PollSymantec
 
Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLShannob
 
rdp remotefx spice arm-linux thin client
rdp remotefx spice arm-linux thin clientrdp remotefx spice arm-linux thin client
rdp remotefx spice arm-linux thin clientliwu.dong
 
Breaking out of restricted RDP
Breaking out of restricted RDPBreaking out of restricted RDP
Breaking out of restricted RDPSecurity BSides London
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)hannob
 
The Fuzzing Project - 32C3
The Fuzzing Project - 32C3The Fuzzing Project - 32C3
The Fuzzing Project - 32C3hannob
 
Crypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfCrypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfhannob
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Cryptohannob
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
Papierlos
PapierlosPapierlos
Papierloshannob
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malwarehannob
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Stromsparen
StromsparenStromsparen
Stromsparenhannob
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oilhannob
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 

More Related Content

More from hannob

Crypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfCrypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfhannob
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Cryptohannob
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
Papierlos
PapierlosPapierlos
Papierloshannob
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malwarehannob
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Stromsparen
StromsparenStromsparen
Stromsparenhannob
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oilhannob
 

More from hannob (8)

Crypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfCrypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourself
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Crypto
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?
 
Papierlos
PapierlosPapierlos
Papierlos
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malware
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
 
Stromsparen
StromsparenStromsparen
Stromsparen
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oil
 

Recently uploaded

Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 

Recently uploaded (20)

young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 

Crypto workshop 4 - Hashing, Tokens, Randomness

  • 1. Random numbers Hashes Cryptography for Software and Web Developers Part 4: randomness, hashing, tokens Hanno B¨ock 2014-05-28 1 / 13
  • 2. Random numbers Hashes Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness In security (not just crypto) we often need random numbers Examples: CSRF-tokens, one-time-action tokens, password salts, key generation, ... There’s even crypto out there that needs good random numbers to run or it’ll completely break: DSA, ECDSA (but better avoid that). Good randomness is hard 2 / 13
  • 3. Random numbers Hashes Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness OS or programming language default random functions often not secure random numbers. Rounding problems, conversion problems can reduce space of possible random numbers vastly. 2008 Debian OpenSSL bug. PRNGs need a seed or they don’t work. NSA managed to make a backdoored RNG an official standard and payed RSA Inc. 10 Million $ to make it the default in BSAFE No way to test random numbers reliably. 3 / 13
  • 4. Random numbers Hashes Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness An RSA public key consists of an exponent e and a modulus N which is the product of two primes If you know the primes you can get the private key What happens if we have two RSA keys with a shared prime, e. g. N1 = p ∗ q1, N2 = p ∗ q2? You can break this key with the greatest common divisor algorithm. Some people tried this with lots of SSH and TLS keys and found over 50 embedded devices that created such factorable keys. [url] Linux seed sources: HD timings, keyboard strokes, mouse movements. Embedded devices often have no HD, no keyboard, no mouse. 4 / 13
  • 5. Random numbers Hashes Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness PHP good: openssl random pseudo bytes(), PHP bad: mt rand(), rand(), uniqid() JavaScript good: window.crypto.getRandomValues(), bad: Math.random() (only latest browser support window.crypto.getRandomValues()) /dev/urandom is good if it is properly seeded. For embedded devices: Better create the keys on a desktop PC. 5 / 13
  • 6. Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources So many people have wrong ideas about hashes... Completely typical situation: I write about cryptographic hashes, people in the comments discuss about password hashes and salting Hashes used in many contexts: error detection (CRC32), signatures (SHA256, SHA516), passwords (bcrypt, scrypt) If you use a hash function you need to know what it should do 6 / 13
  • 7. Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources CRC32: Very fast, no security at all Reliably detects errors, but trivial to construct another input for an existing hash Usable only for errors and if no attacker is involved (e. g. error detection on hard disks or file comparison over otherwise secure network connections). 7 / 13
  • 8. Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources Cryptographic hashes need to be collision resistant and preimage resistant Collision: It should be practically impossible to create two different inputs with same hash Preimage: It should be practically impossible to create an input for a given hash value. Used in many places, e. g. signatures Some crypto protocols need hashes and don’t have collision resistance requirement (e. g. HMAC), but that’s usually not something that should bother you 8 / 13
  • 9. Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources In 2004/2005 big breakthroughs on hash attacks, mostly the work of a Chinese team led by Wang Xiaoyun. Most important results: practical collision attacks on MD5, almost practical attacks on SHA1 2008: MD5 attack on RapidSSL leads to fake CA, 2012: Flame worm uses MD5 attack to create rogue code signing cert SHA-2 functions (SHA256, SHA512) considered safe today, SHA-3 will come soon. 9 / 13
  • 10. Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources Idea: We don’t save passwords, we just save hashes so if our database gets stolen the attacker has no direct access to the passwords Attackers can brute force Salting makes it harder Security requirements for password hashes completely different from cryptographic hash functions Collision resistance doesn’t matter, they should ideally not be fast 10 / 13
  • 11. Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources glibc uses several iterations of cryptographic hashes (default SHA512) and a salt. bcrypt and scrypt are functions designed to be password hashes. bcrypt is designed to be slow, scrypt is designed to be slow and use lots of memory. There’s a Password Hashing Competition (PHC), results expected in 2015. 11 / 13
  • 12. Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources The importance of secure password hashing is IMHO vastly overstated. glibc-type SHA512, bcrypt, scrypt are all ”good enough”, just make sure you have a salt. Password hashing only gives you a tiny little bit of extra protection if your database gets stolen. But if that happens you’re screwed anyway. Make sure nobody steals your database. That’s much more important. 12 / 13
  • 13. Random numbers Hashes Simple hashes Cryptographic hashes Problems with MD5, SHA1 Passwords Password hash functions A note on password hashes Sources Factorable RSA keys https://factorable.net/ http://media.ccc.de/browse/congress/2012/ 29c3-5275-en-facthacks_h264.html Password Hashing Competition https://password-hashing.net/ 13 / 13