Password Storage and Attacking in PHP

9,202 views
9,061 views

Published on

These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).

In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.

0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
9,202
On SlideShare
0
From Embeds
0
Number of Embeds
2,535
Actions
Shares
0
Downloads
98
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Password Storage and Attacking in PHP

  1. 1. Password Storage (And Attacking) In PHP Anthony Ferrara
  2. 2. Github URLFollow Along:github.com/ircmaxell/password-bad-web-appA "Bad Web App"- Has Known Vulnerabilities- Only Use For Education!!!- Requires only Apache + PHP- Has Composer Dependencies
  3. 3. Lets StartFrom TheBeginning
  4. 4. Plain-Text Storage git checkout plaintextStores passwords in Plain-TextWhats wrong with this picture?
  5. 5. Plain-Text StorageWhat happens if we have a SQL-InjectionVulnerability?localhost/sqliSimulates:?offset=0+UNION+SELECT+*+FROM+users
  6. 6. Plain-Text StorageProblem!Any attack vector results in leakage of ALLcredentials!
  7. 7. We Can Do Better
  8. 8. MD5 git checkout md5Uses the MD5 Cryptographic Hash function.md5($password)hash(md5, $password)
  9. 9. Wait,What Is A Hash?
  10. 10. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  11. 11. MD5Whats the problem now?SQL-Injection still gives us hashBut the hash is one-way, how can we attack it?
  12. 12. Enter:Lookup Tables
  13. 13. Lookup TableGoogle is a great exampleMaps hash to password directlyDatabase Table:hash | password--------------+-----------"5f4dcc3b..." | "password""acbd18db..." | "foo"
  14. 14. Lookup TableLookups are CPU efficient.Require a LOT of storage space- (Very space inefficient)All passwords <= 7 chars (95^7, 70 Trillion)Requires 1.5 PetaBytes- In Most Optimal Storage Format
  15. 15. We Can Do Better
  16. 16. Rainbow Table Seed Hash Reduce Hash
  17. 17. Rainbow Tablea4fef... Seed Hash Reduce Reduce New HashPassword
  18. 18. Rainbow TableSeed 1 Hash Reduce Hash Reduce Hash Reduce HashSeed 2 Hash Reduce Hash Reduce Hash Reduce HashSeed 3 Hash Reduce Hash Reduce Hash Reduce HashSeed 4 Hash Reduce Hash Reduce Hash Reduce HashSeed 5 Hash Reduce Hash Reduce Hash Reduce HashSeed 6 Hash Reduce Hash Reduce Hash Reduce Hash
  19. 19. Rainbow TableTime/Space Tradeoff- Slower than a Lookup Table- Uses Much less storageMost (99.9%) passwords <= 7 charsRequires only 64 GB- Chain length of 71,000
  20. 20. Defense!
  21. 21. Salted MD5 git checkout salted-md5Uses the MD5 Cryptographic Hash function.But adds a random salt UNIQUE per user.md5($salt . $password)hash(md5, $salt . $password)
  22. 22. SaltsMust be unique!- Per Hash- GloballyShould be random- Strong!!!- Reasonably long (at least 64 bits)
  23. 23. Salted MD5Whats the problem now?SQL-Injection still gives us hash- And the saltBut the salt defeats rainbow tables...
  24. 24. Can Anyone See The Problem?
  25. 25. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  26. 26. Whats A Cryptographic Hash?Like a fingerprint.One-way.- Easy and efficient to compute- Very inefficient to reverse - (Practically impossible)- Very hard to create collision - (new input with same output)
  27. 27. Hash FunctionsAre Made To Be FAST
  28. 28. Brute ForcingSeveral Tools Available- John The Ripper- OCIHashCatA Lot Faster Than You May Think
  29. 29. Brute ForcingMultiple Ways To Attack- Mask Based (permutations)- Dictionary Based- Combinator Based - Combinations of dictionary words- Fingerprint Based - Combinators applied with permutations- Rule Based - Takes input password and transforms it
  30. 30. Brute Forcing Salted MD52012 Macbook Pro:- md5: 33 million per second- sha256: 20 million per secondMask Attack:6 char passwords: 5 hours7 char passwords: 22 daysEntire English Language: 1.8 seconds"LEET" Permutations: 1 hour
  31. 31. We Can Do Better
  32. 32. Brute Forcing Salted MD525 GPU Cluster- md5: 180 Billion per second- < $50,0006 char passwords: 4 seconds7 char passwords: 6 minutes8 char passwords: 10 hoursEntire English Language:"LEET" Permutations:
  33. 33. Brute Forcing Salted MD525 GPU Cluster- md5: 180 Billion per second- < $50,0006 char passwords: 4 seconds7 char passwords: 6 minutes8 char passwords: 10 hoursEntire English Language: yeah..."LEET" Permutations: 0.7 seconds
  34. 34. But Wait,I Thought MD5 Was Broken?
  35. 35. MD5 IS Broken!But No Other Primitive Hash Is Not!!!sha1≈ md5sha256 ≈ md5sha512 ≈ md5whirlpool ≈ md5ALL raw primitive hashes are broken forpassword storage.
  36. 36. So, How Can We Combat Such Hardware?
  37. 37. Iterated MD5 git checkout iterated-md5Uses the MD5 Cryptographic Hash function.But adds a random salt UNIQUE per user.And iterates a lot of timesdo { $h = md5($h . $salt . $password)} while($i++ < 1000);
  38. 38. Were IntentionallySlowing It Down
  39. 39. Brute Forcing Iterated MD525 GPU Cluster- md5: 70 million per second6 char passwords: 17 minutes7 char passwords: 1 day8 char passwords: 124 daysEntire English Language: 0.8 seconds
  40. 40. We Can Do Better
  41. 41. PBKDF2 git checkout pbkdf2Uses the standard PBKDF2 algo- With SHA512 primitiveSlower, and harder to use on GPUpbkdf2($pass, $salt, 10000, 40)
  42. 42. Brute Forcing PBKDF225 GPU Cluster- PBKDF2(sha512): 300,000 per second6 char passwords: 28 days7 char passwords: 7 years8 char passwords: 700 yearsEntire English Language: 3 minutes
  43. 43. We Can Still Do Better
  44. 44. BCrypt git checkout bcryptUses the standard BCrypt algo- based on Blowfish cipherSame execution time,Much harder to run on GPUcrypt $2a$
  45. 45. Brute Forcing BCrypt25 GPU Cluster- BCrypt: 70,000 per second6 char passwords: 120 days7 char passwords: 31 years8 char passwords: 3000 yearsEntire English Language: 14 minutes
  46. 46. A Note On CostBCrypt accepts a "cost" parameterMust be tuned per server!- Target about 0.25 to 0.5 second runtime- Cost of 10 is a good baseline- Cost of 11 or 12 is better - If you have decent hardware.
  47. 47. PHP 5.5 Password Hashing API git checkout password-compatA thin wrapper over crypt()- Simplifies implmentation- Strong random salt generation- Can specify cost as int optionpassword_hash($pass, $algo, $opts)password_verify($pass, $hash)github.com/ircmaxell/password_compat
  48. 48. We Can DoEven Better!
  49. 49. Lets Encrypt Instead!
  50. 50. Encrypted BCryptgit checkout bcrypt-with-encryptionHash with BCrypt,Then encrypt result with AES-128.Requires key storage for the app.- Not trivialUse only if needed!- BCrypt alone is typically sufficient
  51. 51. Brute Forcing Encrypted BCryptAttack requires low level server compromise!- SQL Injection is not enough!localhost/codeinject - Simulates code injection that reads sourceAny low level compromiseIs No Worse than raw BCrypt - BCrypt is the baseline.
  52. 52. The Future
  53. 53. The Futurescrypt - Sequential Memory Hard - Uses a LOT of memory (32mb / hash) - Harder to brute-force than bcryptBut its VERY new- In cryptography terms at least- Not proven enough for use (yet)
  54. 54. The FuturePassword Hashing Competition- Currently being setup- Aims to pick "standard" password hashingalgorithm- A community effort
  55. 55. The FutureBrute Forcing Word Lists- Complex combinations of words- "horse correct battery staple"Brute Forcing Grammar- "I dont want no cookies"Brute Forcing Structures- URLs, Email Addresses, URLs, etc
  56. 56. Anthony Ferrara joind.in/7792 @ircmaxellircmaxell@php.netblog.ircmaxell.comyoutube.com/ircmaxell

×