Password Storage And Attacking In PHP - PHP Argentina

Password Storage
(And Attacking)
In PHP
Anthony Ferrara

“Anyone, from the most
clueless amateur to the
best cryptographer, can
create an algorithm that
he himself can't break.”
- Bruce Schneier

Github URL
Follow Along:
github.com/ircmaxell/password-bad-web-app
A "Bad Web App"
- Has Known Vulnerabilities
- Only Use For Education!!!
- Requires only Apache + PHP
- Has Composer Dependencies

Let's Start
From The
Beginning

Plain-Text Storage
git checkout plaintext
Stores passwords in Plain-Text
What's wrong with this picture?

Plain-Text Storage
What happens if we have a SQL-Injection
Vulnerability?
localhost/sqli
Simulates:
?offset=0'+UNION+SELECT+*+FROM+users

Plain-Text Storage
Problem!
Any attack vector results in leakage of ALL
credentials!

MD5
git checkout md5
Uses the MD5 Cryptographic Hash function.
md5($password)
hash('md5', $password)

What's A Cryptographic Hash?
Like a fingerprint.
One-way.
- Easy and efficient to compute
- Very inefficient to reverse
- (Practically impossible)
- Very hard to create collision
- (new input with same output)

MD5
What's the problem now?
SQL-Injection still gives us hash
But the hash is one-way, how can we attack it?

Lookup Table
Google is a great example
Maps hash to password directly
Database Table:
hash | password
--------------+-----------
"5f4dcc3b..." | "password"
"acbd18db..." | "foo"

Lookup Table
Lookups are CPU efficient.
Require a LOT of storage space
- (Very space inefficient)
All passwords <= 7 chars (95^7, 70 Trillion)
Requires 1.5 PetaBytes
- In Most Optimal Storage Format

Lookup Table
Password
Hash
a4fef...

Rainbow Table
Seed
Hash
Reduce
Hash
a4fef...
Reduce
New
Password
b741...

Chained Table
Seed 1 Hash Reduce Hash Reduce Hash Reduce Hash

Rainbow Table

Using A Rainbow Table
Seed 1 Hash Reduce Hash Reduce Hash
a4fef...
b741...
b741...
b741...

a4fef...
b741...
b741...
b741...
Reduce Hash

a4fef...
b741...
b741...
b741...
Reduce
Reduce Hash
Hash

Rainbow Table
Time/Space Tradeoff
- Slower than a Lookup Table
- Uses Much less storage
Most (99.9%) passwords <= 7 chars
Requires only 64 GB
- Chain length of 71,000

Salted MD5
git checkout salted-md5
But adds a random salt UNIQUE per user.
md5($salt . $password)
hash('md5', $salt . $password)

Salts
Must be unique!
- Per Hash
- Globally
Should be random
- Strong!!!
- Reasonably long (at least 64 bits)

Salted MD5
What's the problem now?
SQL-Injection still gives us hash
- And the salt
But the salt defeats rainbow tables...

Hash Functions
Are Made To Be
FAST

Brute Forcing
Several Tools Available
- John The Ripper
- OCIHashCat
A Lot Faster Than You May Think

Brute Forcing
Multiple Ways To Attack
- Mask Based (permutations)
- Dictionary Based
- Combinator Based
- Combinations of dictionary words
- Fingerprint Based
- Combinators applied with permutations
- Rule Based
- Takes input password and transforms it

Brute Forcing
Salted MD5
2012 Macbook Pro:
- md5: 33 million per second
- sha256: 20 million per second
Mask Attack:
6 char passwords: 5 hours
7 char passwords: 22 days
Entire English Language: 1.8 seconds
"LEET" Permutations: 1 hour

Brute Forcing
Salted MD5
25 GPU Cluster
- md5: 180 Billion per second
- < US$50,000
6 char passwords: 4 seconds
7 char passwords: 6 minutes
Entire English Language:
"LEET" Permutations:

Brute Forcing
Salted MD5
25 GPU Cluster
- md5: 180 Billion per second
- < US$50,000
6 char passwords: 4 seconds
Entire English Language: yeah...
"LEET" Permutations: 0.7 seconds

But Wait,
I Thought MD5
Was Broken?

MD5 IS Broken!
But No Other Primitive Hash Is Not!!!
sha1≈ md5
sha256 ≈ md5
sha512 ≈ md5
whirlpool ≈ md5
ALL raw primitive hashes are broken for
password storage.

So, How Can We
Combat Such
Hardware?

Iterated MD5
git checkout iterated-md5
But adds a random salt UNIQUE per user.
And iterates a lot of times
do {
$h = md5($h . $salt . $password)
} while($i++ < 1000);

We're
Intentionally
Slowing It Down

Brute Forcing
Iterated MD5
25 GPU Cluster
- md5: 70 million per second
7 char passwords: 1 day
Entire English Language: 0.8 seconds

PBKDF2
git checkout pbkdf2
Uses the standard PBKDF2 algo
- With SHA512 primitive
Slower, and harder to use on GPU
pbkdf2($pass, $salt, 10000, 40)

Brute Forcing
PBKDF2
25 GPU Cluster
- PBKDF2(sha512): 300,000 per second
7 char passwords: 7 years
Entire English Language: 3 minutes

BCrypt
git checkout bcrypt
Uses the standard BCrypt algo
- based on Blowfish cipher
Same execution time,
Much harder to run on GPU
crypt $2a$

Brute Forcing
BCrypt
25 GPU Cluster
- BCrypt: 70,000 per second
Entire English Language: 14 minutes

A Note On Cost
BCrypt accepts a "cost" parameter
Must be tuned per server!
- Target about 0.1 to 0.25 second runtime
- Cost of 10 is a good baseline
- Cost of 11 or 12 is better
- Only if you have good hardware.

PHP 5.5 Password Hashing API
git checkout password-compat
A thin wrapper over crypt()
- Simplifies implmentation
- Strong random salt generation
- Can specify cost as int option
password_hash($pass, $algo, [$opts])
password_verify($pass, $hash)
github.com/ircmaxell/password_compat

Encrypted BCrypt
git checkout bcrypt-with-encryption
Hash with BCrypt,
Then encrypt result with AES-128.
Requires key storage for the app.
- Not trivial
Use only if needed!
- BCrypt alone is typically sufficient

Brute Forcing
Encrypted BCrypt
Attack requires low level server compromise!
- SQL Injection is not enough!
localhost/codeinject
- Simulates code injection that reads source
Any low level compromise
Is No Worse than raw BCrypt
- BCrypt is the baseline.

The Future
scrypt
- Sequential Memory Hard
- Uses a LOT of memory (> 4mb / hash)
- MUCH Harder to brute-force than bcrypt
- IFF setup correctly

The Future
Password Hashing Competition
- Currently being setup
- Aims to pick "standard" password hashing
algorithm
- A community effort

The Future
Brute Forcing Word Lists
- Complex combinations of words
- "horse correct battery staple"
Brute Forcing Grammar
- "I don't want no cookies"
Brute Forcing Structures
- URLs, Email Addresses, URLs, etc

“Few false ideas have more firmly
gripped the minds of so many
intelligent men than the one
that, if they just tried, they could
invent a cipher that no one could
break.”
- David Kahn

A Note On
Protecting
Yourself

Anthony Ferrara
@ircmaxell
me@ircmaxell.com
blog.ircmaxell.com
youtube.com/ircmaxell

Password Storage And Attacking In PHP - PHP Argentina

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (17)

Similar to Password Storage And Attacking In PHP - PHP Argentina

Similar to Password Storage And Attacking In PHP - PHP Argentina (20)

Recently uploaded

Recently uploaded (20)

Password Storage And Attacking In PHP - PHP Argentina