Password Storage and Attacking in PHP
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Password Storage and Attacking in PHP

  • 8,449 views
Uploaded on

These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ). ...

These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).

In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
8,449
On Slideshare
6,103
From Embeds
2,346
Number of Embeds
12

Actions

Shares
Downloads
79
Comments
0
Likes
5

Embeds 2,346

http://blog.ircmaxell.com 2,133
http://blog.alexanderc.me 90
http://lanyrd.com 60
http://eventifier.co 32
http://www.linkedin.com 8
https://twitter.com 8
https://www.linkedin.com 7
http://librosweb.es 4
http://www.twylah.com 1
https://si0.twimg.com 1
https://twimg0-a.akamaihd.net 1
http://7414445313853167451_8211ed460cb8898cc0459832f6d341d32dc18989.blogspot.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Password Storage (And Attacking) In PHP Anthony Ferrara
  • 2. Github URLFollow Along:github.com/ircmaxell/password-bad-web-appA "Bad Web App"- Has Known Vulnerabilities- Only Use For Education!!!- Requires only Apache + PHP- Has Composer Dependencies
  • 3. Lets StartFrom TheBeginning
  • 4. Plain-Text Storage git checkout plaintextStores passwords in Plain-TextWhats wrong with this picture?
  • 5. Plain-Text StorageWhat happens if we have a SQL-InjectionVulnerability?localhost/sqliSimulates:?offset=0+UNION+SELECT+*+FROM+users
  • 6. Plain-Text StorageProblem!Any attack vector results in leakage of ALLcredentials!
  • 7. We Can Do Better
  • 8. MD5 git checkout md5Uses the MD5 Cryptographic Hash function.md5($password)hash(md5, $password)
  • 9. Wait,What Is A Hash?
  • 10. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  • 11. MD5Whats the problem now?SQL-Injection still gives us hashBut the hash is one-way, how can we attack it?
  • 12. Enter:Lookup Tables
  • 13. Lookup TableGoogle is a great exampleMaps hash to password directlyDatabase Table:hash | password--------------+-----------"5f4dcc3b..." | "password""acbd18db..." | "foo"
  • 14. Lookup TableLookups are CPU efficient.Require a LOT of storage space- (Very space inefficient)All passwords <= 7 chars (95^7, 70 Trillion)Requires 1.5 PetaBytes- In Most Optimal Storage Format
  • 15. We Can Do Better
  • 16. Rainbow Table Seed Hash Reduce Hash
  • 17. Rainbow Tablea4fef... Seed Hash Reduce Reduce New HashPassword
  • 18. Rainbow TableSeed 1 Hash Reduce Hash Reduce Hash Reduce HashSeed 2 Hash Reduce Hash Reduce Hash Reduce HashSeed 3 Hash Reduce Hash Reduce Hash Reduce HashSeed 4 Hash Reduce Hash Reduce Hash Reduce HashSeed 5 Hash Reduce Hash Reduce Hash Reduce HashSeed 6 Hash Reduce Hash Reduce Hash Reduce Hash
  • 19. Rainbow TableTime/Space Tradeoff- Slower than a Lookup Table- Uses Much less storageMost (99.9%) passwords <= 7 charsRequires only 64 GB- Chain length of 71,000
  • 20. Defense!
  • 21. Salted MD5 git checkout salted-md5Uses the MD5 Cryptographic Hash function.But adds a random salt UNIQUE per user.md5($salt . $password)hash(md5, $salt . $password)
  • 22. SaltsMust be unique!- Per Hash- GloballyShould be random- Strong!!!- Reasonably long (at least 64 bits)
  • 23. Salted MD5Whats the problem now?SQL-Injection still gives us hash- And the saltBut the salt defeats rainbow tables...
  • 24. Can Anyone See The Problem?
  • 25. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  • 26. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  • 27. Hash FunctionsAre Made To Be FAST
  • 28. Brute ForcingSeveral Tools Available- John The Ripper- OCIHashCatA Lot Faster Than You May Think
  • 29. Brute ForcingMultiple Ways To Attack- Mask Based (permutations)- Dictionary Based- Combinator Based - Combinations of dictionary words- Fingerprint Based - Combinators applied with permutations- Rule Based - Takes input password and transforms it
  • 30. Brute Forcing Salted MD52012 Macbook Pro:- md5: 33 million per second- sha256: 20 million per secondMask Attack:6 char passwords: 5 hours7 char passwords: 22 daysEntire English Language: 1.8 seconds"LEET" Permutations: 1 hour
  • 31. We Can Do Better
  • 32. Brute Forcing Salted MD525 GPU Cluster- md5: 180 Billion per second- < $50,0006 char passwords: 4 seconds7 char passwords: 6 minutes8 char passwords: 10 hoursEntire English Language:"LEET" Permutations:
  • 33. Brute Forcing Salted MD525 GPU Cluster- md5: 180 Billion per second- < $50,0006 char passwords: 4 seconds7 char passwords: 6 minutes8 char passwords: 10 hoursEntire English Language: yeah..."LEET" Permutations: 0.7 seconds
  • 34. But Wait,I Thought MD5 Was Broken?
  • 35. MD5 IS Broken!But No Other Primitive Hash Is Not!!!sha1≈ md5sha256 ≈ md5sha512 ≈ md5whirlpool ≈ md5ALL raw primitive hashes are broken forpassword storage.
  • 36. So, How Can We Combat Such Hardware?
  • 37. Iterated MD5 git checkout iterated-md5Uses the MD5 Cryptographic Hash function.But adds a random salt UNIQUE per user.And iterates a lot of timesdo { $h = md5($h . $salt . $password)} while($i++ < 1000);
  • 38. Were IntentionallySlowing It Down
  • 39. Brute Forcing Iterated MD525 GPU Cluster- md5: 70 million per second6 char passwords: 17 minutes7 char passwords: 1 day8 char passwords: 124 daysEntire English Language: 0.8 seconds
  • 40. We Can Do Better
  • 41. PBKDF2 git checkout pbkdf2Uses the standard PBKDF2 algo- With SHA512 primitiveSlower, and harder to use on GPUpbkdf2($pass, $salt, 10000, 40)
  • 42. Brute Forcing PBKDF225 GPU Cluster- PBKDF2(sha512): 300,000 per second6 char passwords: 28 days7 char passwords: 7 years8 char passwords: 700 yearsEntire English Language: 3 minutes
  • 43. We Can Still Do Better
  • 44. BCrypt git checkout bcryptUses the standard BCrypt algo- based on Blowfish cipherSame execution time,Much harder to run on GPUcrypt $2a$
  • 45. Brute Forcing BCrypt25 GPU Cluster- BCrypt: 70,000 per second6 char passwords: 120 days7 char passwords: 31 years8 char passwords: 3000 yearsEntire English Language: 14 minutes
  • 46. A Note On CostBCrypt accepts a "cost" parameterMust be tuned per server!- Target about 0.25 to 0.5 second runtime- Cost of 10 is a good baseline- Cost of 11 or 12 is better - If you have decent hardware.
  • 47. PHP 5.5 Password Hashing API git checkout password-compatA thin wrapper over crypt()- Simplifies implmentation- Strong random salt generation- Can specify cost as int optionpassword_hash($pass, $algo, $opts)password_verify($pass, $hash)github.com/ircmaxell/password_compat
  • 48. We Can DoEven Better!
  • 49. Lets Encrypt Instead!
  • 50. Encrypted BCryptgit checkout bcrypt-with-encryptionHash with BCrypt,Then encrypt result with AES-128.Requires key storage for the app.- Not trivialUse only if needed!- BCrypt alone is typically sufficient
  • 51. Brute Forcing Encrypted BCryptAttack requires low level server compromise!- SQL Injection is not enough!localhost/codeinject - Simulates code injection that reads sourceAny low level compromiseIs No Worse than raw BCrypt - BCrypt is the baseline.
  • 52. The Future
  • 53. The Futurescrypt - Sequential Memory Hard - Uses a LOT of memory (32mb / hash) - Harder to brute-force than bcryptBut its VERY new- In cryptography terms at least- Not proven enough for use (yet)
  • 54. The FuturePassword Hashing Competition- Currently being setup- Aims to pick "standard" password hashingalgorithm- A community effort
  • 55. The FutureBrute Forcing Word Lists- Complex combinations of words- "horse correct battery staple"Brute Forcing Grammar- "I dont want no cookies"Brute Forcing Structures- URLs, Email Addresses, URLs, etc
  • 56. Anthony Ferrara joind.in/7792 @ircmaxellircmaxell@php.netblog.ircmaxell.comyoutube.com/ircmaxell