Password Storage (And Attacking) In PHP, by Anthony Ferrara

These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).

In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.


  1. Password Storage (And Attacking) In PHP
     Anthony Ferrara
  2. Github URL
     Follow Along: github.com/ircmaxell/password-bad-web-app
     A "Bad Web App"
     - Has Known Vulnerabilities
     - Only Use For Education!!!
     - Requires only Apache + PHP
     - Has Composer Dependencies
  3. Let's Start From The Beginning
  4. Plain-Text Storage
     git checkout plaintext
     Stores passwords in Plain-Text
     What's wrong with this picture?
  5. Plain-Text Storage
     What happens if we have a SQL-Injection Vulnerability?
     localhost/sqli
     Simulates: ?offset=0+UNION+SELECT+*+FROM+users
  6. Plain-Text Storage
     Problem!
     Any attack vector results in leakage of ALL credentials!
  7. We Can Do Better
  8. MD5
     git checkout md5
     Uses the MD5 Cryptographic Hash function.
     md5($password)
     hash('md5', $password)
  9. Wait, What Is A Hash?
  10. What's A Cryptographic Hash?
      Like a fingerprint.
      One-way.
      - Easy and efficient to compute
      - Very inefficient to reverse
        - (Practically impossible)
      - Very hard to create collision
        - (new input with same output)
  11. MD5
      What's the problem now?
      SQL-Injection still gives us hash
      But the hash is one-way, how can we attack it?
  12. Enter: Lookup Tables
  13. Lookup Table
      Google is a great example
      Maps hash to password directly
      Database Table:
      hash          | password
      --------------+-----------
      "5f4dcc3b..." | "password"
      "acbd18db..." | "foo"
  14. Lookup Table
      Lookups are CPU efficient.
      Require a LOT of storage space
      - (Very space inefficient)
      All passwords <= 7 chars (95^7, 70 Trillion)
      Requires 1.5 PetaBytes
      - In Most Optimal Storage Format
  15. We Can Do Better
  16. Rainbow Table
      Seed -> Hash -> Reduce -> Hash
  17. Rainbow Table
      (diagram labels) a4fef... Seed Hash Reduce Reduce New Hash Password
  18. Rainbow Table
      Seed 1 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
      Seed 2 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
      Seed 3 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
      Seed 4 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
      Seed 5 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
      Seed 6 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
  19. Rainbow Table
      Time/Space Tradeoff
      - Slower than a Lookup Table
      - Uses Much less storage
      Most (99.9%) passwords <= 7 chars
      Requires only 64 GB
      - Chain length of 71,000
  20. Defense!
  21. Salted MD5
      git checkout salted-md5
      Uses the MD5 Cryptographic Hash function.
      But adds a random salt UNIQUE per user.
      md5($salt . $password)
      hash('md5', $salt . $password)
  22. Salts
      Must be unique!
      - Per Hash
      - Globally
      Should be random
      - Strong!!!
      - Reasonably long (at least 64 bits)
  23. Salted MD5
      What's the problem now?
      SQL-Injection still gives us hash
      - And the salt
      But the salt defeats rainbow tables...
  24. Can Anyone See The Problem?
  25. What's A Cryptographic Hash?
      Like a fingerprint.
      One-way.
      - Easy and efficient to compute
      - Very inefficient to reverse
        - (Practically impossible)
      - Very hard to create collision
        - (new input with same output)
  26. What's A Cryptographic Hash?
      Like a fingerprint.
      One-way.
      - Easy and efficient to compute
      - Very inefficient to reverse
        - (Practically impossible)
      - Very hard to create collision
        - (new input with same output)
  27. Hash Functions Are Made To Be FAST
  28. Brute Forcing
      Several Tools Available
      - John The Ripper
      - oclHashcat
      A Lot Faster Than You May Think
  29. Brute Forcing
      Multiple Ways To Attack
      - Mask Based (permutations)
      - Dictionary Based
      - Combinator Based
        - Combinations of dictionary words
      - Fingerprint Based
        - Combinators applied with permutations
      - Rule Based
        - Takes input password and transforms it
  30. Brute Forcing Salted MD5
      2012 Macbook Pro:
      - md5: 33 million per second
      - sha256: 20 million per second
      Mask Attack:
      6 char passwords: 5 hours
      7 char passwords: 22 days
      Entire English Language: 1.8 seconds
      "LEET" Permutations: 1 hour
  31. We Can Do Better
  32. Brute Forcing Salted MD5
      25 GPU Cluster
      - md5: 180 Billion per second
      - < $50,000
      6 char passwords: 4 seconds
      7 char passwords: 6 minutes
      8 char passwords: 10 hours
      Entire English Language:
      "LEET" Permutations:
  33. Brute Forcing Salted MD5
      25 GPU Cluster
      - md5: 180 Billion per second
      - < $50,000
      6 char passwords: 4 seconds
      7 char passwords: 6 minutes
      8 char passwords: 10 hours
      Entire English Language: yeah...
      "LEET" Permutations: 0.7 seconds
  34. But Wait, I Thought MD5 Was Broken?
  35. MD5 IS Broken!
      But No Other Primitive Hash Is Not!!!
      sha1 ≈ md5
      sha256 ≈ md5
      sha512 ≈ md5
      whirlpool ≈ md5
      ALL raw primitive hashes are broken for password storage.
  36. So, How Can We Combat Such Hardware?
  37. Iterated MD5
      git checkout iterated-md5
      Uses the MD5 Cryptographic Hash function.
      But adds a random salt UNIQUE per user.
      And iterates a lot of times
      do {
          $h = md5($h . $salt . $password);
      } while ($i++ < 1000);
  38. We're Intentionally Slowing It Down
  39. Brute Forcing Iterated MD5
      25 GPU Cluster
      - md5: 70 million per second
      6 char passwords: 17 minutes
      7 char passwords: 1 day
      8 char passwords: 124 days
      Entire English Language: 0.8 seconds
  40. We Can Do Better
  41. PBKDF2
      git checkout pbkdf2
      Uses the standard PBKDF2 algo
      - With SHA512 primitive
      Slower, and harder to use on GPU
      pbkdf2($pass, $salt, 10000, 40)
  42. Brute Forcing PBKDF2
      25 GPU Cluster
      - PBKDF2(sha512): 300,000 per second
      6 char passwords: 28 days
      7 char passwords: 7 years
      8 char passwords: 700 years
      Entire English Language: 3 minutes
  43. We Can Still Do Better
  44. BCrypt
      git checkout bcrypt
      Uses the standard BCrypt algo
      - based on Blowfish cipher
      Same execution time,
      Much harder to run on GPU
      crypt $2a$
  45. Brute Forcing BCrypt
      25 GPU Cluster
      - BCrypt: 70,000 per second
      6 char passwords: 120 days
      7 char passwords: 31 years
      8 char passwords: 3000 years
      Entire English Language: 14 minutes
  46. A Note On Cost
      BCrypt accepts a "cost" parameter
      Must be tuned per server!
      - Target about 0.25 to 0.5 second runtime
      - Cost of 10 is a good baseline
      - Cost of 11 or 12 is better
        - If you have decent hardware.
  47. PHP 5.5 Password Hashing API
      git checkout password-compat
      A thin wrapper over crypt()
      - Simplifies implementation
      - Strong random salt generation
      - Can specify cost as int option
      password_hash($pass, $algo, $opts)
      password_verify($pass, $hash)
      github.com/ircmaxell/password_compat
  48. We Can Do Even Better!
  49. Let's Encrypt Instead!
  50. Encrypted BCrypt
      git checkout bcrypt-with-encryption
      Hash with BCrypt,
      Then encrypt result with AES-128.
      Requires key storage for the app.
      - Not trivial
      Use only if needed!
      - BCrypt alone is typically sufficient
  51. Brute Forcing Encrypted BCrypt
      Attack requires low level server compromise!
      - SQL Injection is not enough!
      localhost/codeinject
      - Simulates code injection that reads source
      Any low level compromise
      Is No Worse than raw BCrypt
      - BCrypt is the baseline.
  52. The Future
  53. The Future
      scrypt
      - Sequential Memory Hard
      - Uses a LOT of memory (32mb / hash)
      - Harder to brute-force than bcrypt
      But it's VERY new
      - In cryptography terms at least
      - Not proven enough for use (yet)
  54. The Future
      Password Hashing Competition
      - Currently being set up
      - Aims to pick "standard" password hashing algorithm
      - A community effort
  55. The Future
      Brute Forcing Word Lists
      - Complex combinations of words
      - "horse correct battery staple"
      Brute Forcing Grammar
      - "I don't want no cookies"
      Brute Forcing Structures
      - URLs, Email Addresses, URLs, etc
  56. Anthony Ferrara
      joind.in/7792
      @ircmaxell
      ircmaxell@php.net
      blog.ircmaxell.com
      youtube.com/ircmaxell
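
Slides 46 and 47 describe tuning the BCrypt cost per server and the PHP 5.5 password hashing API. The sketch below is an added example, not code from the talk or the password-bad-web-app repository: it picks a cost that reaches the 0.25 second target and upgrades older hashes at login. The function names, the cost bounds and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example: tune the bcrypt cost on this server, then hash, verify and
// upgrade stored hashes with password_hash()/password_verify().

/** Return the lowest cost whose single-hash time reaches $targetSeconds. */
function tune_bcrypt_cost($targetSeconds = 0.25, $min = 10, $max = 15)
{
    for ($cost = $min; $cost < $max; $cost++) {
        $start = microtime(true);
        // Constructed probe string, not a real credential.
        password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            break; // each +1 in cost doubles the work, so stop at the first hit
        }
    }
    return $cost; // equals $max if the target was never reached
}

/** Hash a new password at the tuned cost; PHP generates the random salt. */
function store_password($password, $cost)
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/**
 * Verify a login. Returns [ok, replacementHash]; replacementHash is non-null
 * when the stored hash was made with a different cost and should be rewritten.
 */
function check_login($password, $storedHash, $cost)
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $upgrade = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $upgrade = store_password($password, $cost);
    }
    return [true, $upgrade];
}

$cost = tune_bcrypt_cost();
// Constructed legacy record hashed at the minimum cost of 4.
$old = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);
list($ok, $new) = check_login('correct horse', $old, $cost);
printf("cost=%d ok=%s upgraded=%s\n", $cost, var_export($ok, true), var_export($new !== null, true));
list($bad) = check_login('wrong guess', $old, $cost);
printf("wrong password accepted: %s\n", var_export($bad, true));
```

Rerun the tuning step whenever the hardware changes; hashes stored at the old cost are upgraded the next time each user logs in.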
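
The "Encrypted BCrypt" scheme from slide 50, as an added example that is not the repository's own code. It assumes PHP 7.1+ with the OpenSSL extension and uses AES-128-GCM (the slide says only AES-128); the function names and the in-memory demo key are illustrative.

```php
<?php
// Added example: bcrypt first, then encrypt the hash with AES-128 under a key
// that is kept outside the database.

const CIPHER = 'aes-128-gcm'; // assumption: authenticated mode chosen for this sketch

/** Hash with bcrypt, encrypt the 60-char hash, return base64(iv | tag | ciphertext). */
function protect_password($password, $key, $cost = 10)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $iv   = random_bytes(12); // fresh nonce for every record
    $tag  = '';
    $ct   = openssl_encrypt($hash, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Decrypt the stored blob, then verify; wrong-key or modified blobs fail closed. */
function verify_password($password, $stored, $key)
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 12 + 16 + 60) {
        return false;
    }
    $iv   = substr($raw, 0, 12);
    $tag  = substr($raw, 12, 16);
    $ct   = substr($raw, 28);
    $hash = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $hash !== false && password_verify($password, $hash);
}

// Constructed demo key; a real app loads 16 random bytes from outside the DB and web root.
$key    = random_bytes(16);
$stored = protect_password('constructed-sample-password', $key);

// Case 1: right password with the application key.
var_dump(verify_password('constructed-sample-password', $stored, $key));
// Case 2: same row checked with a different key, as after a database-only leak.
var_dump(verify_password('constructed-sample-password', $stored, random_bytes(16)));
// Case 3: row modified in the database (low bit of each of the 88 bytes flipped).
$tampered = base64_encode(base64_decode($stored) ^ str_repeat("\x01", 88));
var_dump(verify_password('constructed-sample-password', $tampered, $key));
```

Because the key never appears in the database, a dump obtained through the SQL injection on slide 5 yields only ciphertext; an attacker who also reads the key is back to attacking plain BCrypt, which is the baseline slide 51 describes.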