Your SlideShare is downloading. ×
Password Storage and Attacking in PHP
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Password Storage and Attacking in PHP

8,341
views

Published on

These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ). …

These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).

In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.


0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
8,341
On Slideshare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
88
Comments
0
Likes
5
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Password Storage (And Attacking) In PHP Anthony Ferrara
  • 2. Github URLFollow Along:github.com/ircmaxell/password-bad-web-appA "Bad Web App"- Has Known Vulnerabilities- Only Use For Education!!!- Requires only Apache + PHP- Has Composer Dependencies
  • 3. Lets StartFrom TheBeginning
  • 4. Plain-Text Storage git checkout plaintextStores passwords in Plain-TextWhats wrong with this picture?
  • 5. Plain-Text StorageWhat happens if we have a SQL-InjectionVulnerability?localhost/sqliSimulates:?offset=0+UNION+SELECT+*+FROM+users
  • 6. Plain-Text StorageProblem!Any attack vector results in leakage of ALLcredentials!
  • 7. We Can Do Better
  • 8. MD5 git checkout md5Uses the MD5 Cryptographic Hash function.md5($password)hash(md5, $password)
  • 9. Wait,What Is A Hash?
  • 10. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  • 11. MD5Whats the problem now?SQL-Injection still gives us hashBut the hash is one-way, how can we attack it?
  • 12. Enter:Lookup Tables
  • 13. Lookup TableGoogle is a great exampleMaps hash to password directlyDatabase Table:hash | password--------------+-----------"5f4dcc3b..." | "password""acbd18db..." | "foo"
  • 14. Lookup TableLookups are CPU efficient.Require a LOT of storage space- (Very space inefficient)All passwords <= 7 chars (95^7, 70 Trillion)Requires 1.5 PetaBytes- In Most Optimal Storage Format
  • 15. We Can Do Better
  • 16. Rainbow Table Seed Hash Reduce Hash
  • 17. Rainbow Tablea4fef... Seed Hash Reduce Reduce New HashPassword
  • 18. Rainbow TableSeed 1 Hash Reduce Hash Reduce Hash Reduce HashSeed 2 Hash Reduce Hash Reduce Hash Reduce HashSeed 3 Hash Reduce Hash Reduce Hash Reduce HashSeed 4 Hash Reduce Hash Reduce Hash Reduce HashSeed 5 Hash Reduce Hash Reduce Hash Reduce HashSeed 6 Hash Reduce Hash Reduce Hash Reduce Hash
  • 19. Rainbow TableTime/Space Tradeoff- Slower than a Lookup Table- Uses Much less storageMost (99.9%) passwords <= 7 charsRequires only 64 GB- Chain length of 71,000
  • 20. Defense!
  • 21. Salted MD5 git checkout salted-md5Uses the MD5 Cryptographic Hash function.But adds a random salt UNIQUE per user.md5($salt . $password)hash(md5, $salt . $password)
  • 22. SaltsMust be unique!- Per Hash- GloballyShould be random- Strong!!!- Reasonably long (at least 64 bits)
  • 23. Salted MD5Whats the problem now?SQL-Injection still gives us hash- And the saltBut the salt defeats rainbow tables...
  • 24. Can Anyone See The Problem?
  • 25. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  • 26. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  • 27. Hash FunctionsAre Made To Be FAST
  • 28. Brute ForcingSeveral Tools Available- John The Ripper- OCIHashCatA Lot Faster Than You May Think
  • 29. Brute ForcingMultiple Ways To Attack- Mask Based (permutations)- Dictionary Based- Combinator Based - Combinations of dictionary words- Fingerprint Based - Combinators applied with permutations- Rule Based - Takes input password and transforms it
  • 30. Brute Forcing Salted MD52012 Macbook Pro:- md5: 33 million per second- sha256: 20 million per secondMask Attack:6 char passwords: 5 hours7 char passwords: 22 daysEntire English Language: 1.8 seconds"LEET" Permutations: 1 hour
  • 31. We Can Do Better
  • 32. Brute Forcing Salted MD525 GPU Cluster- md5: 180 Billion per second- < $50,0006 char passwords: 4 seconds7 char passwords: 6 minutes8 char passwords: 10 hoursEntire English Language:"LEET" Permutations:
  • 33. Brute Forcing Salted MD525 GPU Cluster- md5: 180 Billion per second- < $50,0006 char passwords: 4 seconds7 char passwords: 6 minutes8 char passwords: 10 hoursEntire English Language: yeah..."LEET" Permutations: 0.7 seconds
  • 34. But Wait,I Thought MD5 Was Broken?
  • 35. MD5 IS Broken!But No Other Primitive Hash Is Not!!!sha1≈ md5sha256 ≈ md5sha512 ≈ md5whirlpool ≈ md5ALL raw primitive hashes are broken forpassword storage.
  • 36. So, How Can We Combat Such Hardware?
  • 37. Iterated MD5 git checkout iterated-md5Uses the MD5 Cryptographic Hash function.But adds a random salt UNIQUE per user.And iterates a lot of timesdo { $h = md5($h . $salt . $password)} while($i++ < 1000);
  • 38. Were IntentionallySlowing It Down
  • 39. Brute Forcing Iterated MD525 GPU Cluster- md5: 70 million per second6 char passwords: 17 minutes7 char passwords: 1 day8 char passwords: 124 daysEntire English Language: 0.8 seconds
  • 40. We Can Do Better
  • 41. PBKDF2 git checkout pbkdf2Uses the standard PBKDF2 algo- With SHA512 primitiveSlower, and harder to use on GPUpbkdf2($pass, $salt, 10000, 40)
  • 42. Brute Forcing PBKDF225 GPU Cluster- PBKDF2(sha512): 300,000 per second6 char passwords: 28 days7 char passwords: 7 years8 char passwords: 700 yearsEntire English Language: 3 minutes
  • 43. We Can Still Do Better
  • 44. BCrypt git checkout bcryptUses the standard BCrypt algo- based on Blowfish cipherSame execution time,Much harder to run on GPUcrypt $2a$
  • 45. Brute Forcing BCrypt25 GPU Cluster- BCrypt: 70,000 per second6 char passwords: 120 days7 char passwords: 31 years8 char passwords: 3000 yearsEntire English Language: 14 minutes
  • 46. A Note On CostBCrypt accepts a "cost" parameterMust be tuned per server!- Target about 0.25 to 0.5 second runtime- Cost of 10 is a good baseline- Cost of 11 or 12 is better - If you have decent hardware.
  • 47. PHP 5.5 Password Hashing API git checkout password-compatA thin wrapper over crypt()- Simplifies implmentation- Strong random salt generation- Can specify cost as int optionpassword_hash($pass, $algo, $opts)password_verify($pass, $hash)github.com/ircmaxell/password_compat
  • 48. We Can DoEven Better!
  • 49. Lets Encrypt Instead!
  • 50. Encrypted BCryptgit checkout bcrypt-with-encryptionHash with BCrypt,Then encrypt result with AES-128.Requires key storage for the app.- Not trivialUse only if needed!- BCrypt alone is typically sufficient
  • 51. Brute Forcing Encrypted BCryptAttack requires low level server compromise!- SQL Injection is not enough!localhost/codeinject - Simulates code injection that reads sourceAny low level compromiseIs No Worse than raw BCrypt - BCrypt is the baseline.
  • 52. The Future
  • 53. The Futurescrypt - Sequential Memory Hard - Uses a LOT of memory (32mb / hash) - Harder to brute-force than bcryptBut its VERY new- In cryptography terms at least- Not proven enough for use (yet)
  • 54. The FuturePassword Hashing Competition- Currently being setup- Aims to pick "standard" password hashingalgorithm- A community effort
  • 55. The FutureBrute Forcing Word Lists- Complex combinations of words- "horse correct battery staple"Brute Forcing Grammar- "I dont want no cookies"Brute Forcing Structures- URLs, Email Addresses, URLs, etc
  • 56. Anthony Ferrara joind.in/7792 @ircmaxellircmaxell@php.netblog.ircmaxell.comyoutube.com/ircmaxell

×