Угадываем пароль за минуту
Your SlideShare is downloading.
×
Check these out next
More Related Content
Slideshows for you (20)
Viewers also liked (17)
Similar to Password Storage And Attacking In PHP - PHP Argentina (20)
Recently uploaded (20)
Password Storage And Attacking In PHP - PHP Argentina
- 1. Password Storage (And Attacking) In PHP Anthony Ferrara
- 2. “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.” - Bruce Schneier
- 3. Github URL Follow Along: github.com/ircmaxell/password-bad-web-app A "Bad Web App" - Has Known Vulnerabilities - Only Use For Education!!! - Requires only Apache + PHP - Has Composer Dependencies
- 4. Let's Start From The Beginning
- 5. Plain-Text Storage git checkout plaintext Stores passwords in Plain-Text What's wrong with this picture?
- 6. Plain-Text Storage What happens if we have a SQL-Injection Vulnerability? localhost/sqli Simulates: ?offset=0'+UNION+SELECT+*+FROM+users
- 7. Plain-Text Storage Problem! Any attack vector results in leakage of ALL credentials!
- 8. We Can Do Better
- 9. MD5 git checkout md5 Uses the MD5 Cryptographic Hash function. md5($password) hash('md5', $password)
- 10. Wait, What Is A Hash?
- 11. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
- 12. MD5 What's the problem now? SQL-Injection still gives us hash But the hash is one-way, how can we attack it?
- 13. Enter: Lookup Tables
- 14. Lookup Table Google is a great example Maps hash to password directly Database Table: hash | password --------------+----------- "5f4dcc3b..." | "password" "acbd18db..." | "foo"
- 15. Lookup Table Lookups are CPU efficient. Require a LOT of storage space - (Very space inefficient) All passwords <= 7 chars (95^7, 70 Trillion) Requires 1.5 PetaBytes - In Most Optimal Storage Format
- 16. We Can Do Better
- 17. Lookup Table Password Hash a4fef...
- 18. Rainbow Table Seed Hash Reduce Hash a4fef... Reduce New Password b741...
- 19. Chained Table Seed 1 Hash Reduce Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash Reduce Hash Seed 4 Hash Reduce Hash Reduce Hash Reduce Hash Seed 5 Hash Reduce Hash Reduce Hash Reduce Hash Seed 6 Hash Reduce Hash Reduce Hash Reduce Hash
- 20. Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash Reduce Hash Seed 4 Hash Reduce Hash Reduce Hash Reduce Hash Seed 5 Hash Reduce Hash Reduce Hash Reduce Hash Seed 6 Hash Reduce Hash Reduce Hash Reduce Hash
- 21. Using A Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash a4fef... b741... b741... b741...
- 22. Using A Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash a4fef... b741... b741... b741...
- 23. Using A Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash a4fef... b741... b741... b741... Reduce Hash
- 24. Using A Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash a4fef... b741... b741... b741... Reduce Reduce Hash Hash
- 25. Rainbow Table Time/Space Tradeoff - Slower than a Lookup Table - Uses Much less storage Most (99.9%) passwords <= 7 chars Requires only 64 GB - Chain length of 71,000
- 26. Defense!
- 27. Salted MD5 git checkout salted-md5 Uses the MD5 Cryptographic Hash function. But adds a random salt UNIQUE per user. md5($salt . $password) hash('md5', $salt . $password)
- 28. Salts Must be unique! - Per Hash - Globally Should be random - Strong!!! - Reasonably long (at least 64 bits)
- 29. Salted MD5 What's the problem now? SQL-Injection still gives us hash - And the salt But the salt defeats rainbow tables...
- 30. Can Anyone See The Problem?
- 31. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
- 32. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
- 33. Hash Functions Are Made To Be FAST
- 34. Brute Forcing Several Tools Available - John The Ripper - OCIHashCat A Lot Faster Than You May Think
- 35. Brute Forcing Multiple Ways To Attack - Mask Based (permutations) - Dictionary Based - Combinator Based - Combinations of dictionary words - Fingerprint Based - Combinators applied with permutations - Rule Based - Takes input password and transforms it
- 36. Brute Forcing Salted MD5 2012 Macbook Pro: - md5: 33 million per second - sha256: 20 million per second Mask Attack: 6 char passwords: 5 hours 7 char passwords: 22 days Entire English Language: 1.8 seconds "LEET" Permutations: 1 hour
- 37. We Can Do Better
- 38. Brute Forcing Salted MD5 25 GPU Cluster - md5: 180 Billion per second - < US$50,000 6 char passwords: 4 seconds 7 char passwords: 6 minutes 8 char passwords: 10 hours Entire English Language: "LEET" Permutations:
- 39. Brute Forcing Salted MD5 25 GPU Cluster - md5: 180 Billion per second - < US$50,000 6 char passwords: 4 seconds 7 char passwords: 6 minutes 8 char passwords: 10 hours Entire English Language: yeah... "LEET" Permutations: 0.7 seconds
- 40. But Wait, I Thought MD5 Was Broken?
- 41. MD5 IS Broken! But No Other Primitive Hash Is Not!!! sha1≈ md5 sha256 ≈ md5 sha512 ≈ md5 whirlpool ≈ md5 ALL raw primitive hashes are broken for password storage.
- 42. So, How Can We Combat Such Hardware?
- 43. Iterated MD5 git checkout iterated-md5 Uses the MD5 Cryptographic Hash function. But adds a random salt UNIQUE per user. And iterates a lot of times do { $h = md5($h . $salt . $password) } while($i++ < 1000);
- 44. We're Intentionally Slowing It Down
- 45. Brute Forcing Iterated MD5 25 GPU Cluster - md5: 70 million per second 6 char passwords: 17 minutes 7 char passwords: 1 day 8 char passwords: 124 days Entire English Language: 0.8 seconds
- 46. We Can Do Better
- 47. PBKDF2 git checkout pbkdf2 Uses the standard PBKDF2 algo - With SHA512 primitive Slower, and harder to use on GPU pbkdf2($pass, $salt, 10000, 40)
- 48. Brute Forcing PBKDF2 25 GPU Cluster - PBKDF2(sha512): 300,000 per second 6 char passwords: 28 days 7 char passwords: 7 years 8 char passwords: 700 years Entire English Language: 3 minutes
- 49. We Can Still Do Better
- 50. BCrypt git checkout bcrypt Uses the standard BCrypt algo - based on Blowfish cipher Same execution time, Much harder to run on GPU crypt $2a$
- 51. Brute Forcing BCrypt 25 GPU Cluster - BCrypt: 70,000 per second 6 char passwords: 120 days 7 char passwords: 31 years 8 char passwords: 3000 years Entire English Language: 14 minutes
- 52. A Note On Cost BCrypt accepts a "cost" parameter Must be tuned per server! - Target about 0.1 to 0.25 second runtime - Cost of 10 is a good baseline - Cost of 11 or 12 is better - Only if you have good hardware.
- 53. PHP 5.5 Password Hashing API git checkout password-compat A thin wrapper over crypt() - Simplifies implmentation - Strong random salt generation - Can specify cost as int option password_hash($pass, $algo, [$opts]) password_verify($pass, $hash) github.com/ircmaxell/password_compat
- 54. We Can Do Even Better!
- 55. Let's Encrypt As Well!
- 56. Encrypted BCrypt git checkout bcrypt-with-encryption Hash with BCrypt, Then encrypt result with AES-128. Requires key storage for the app. - Not trivial Use only if needed! - BCrypt alone is typically sufficient
- 57. Brute Forcing Encrypted BCrypt Attack requires low level server compromise! - SQL Injection is not enough! localhost/codeinject - Simulates code injection that reads source Any low level compromise Is No Worse than raw BCrypt - BCrypt is the baseline.
- 58. The Future
- 59. The Future scrypt - Sequential Memory Hard - Uses a LOT of memory (> 4mb / hash) - MUCH Harder to brute-force than bcrypt - IFF setup correctly
- 60. The Future Password Hashing Competition - Currently being setup - Aims to pick "standard" password hashing algorithm - A community effort
- 61. The Future Brute Forcing Word Lists - Complex combinations of words - "horse correct battery staple" Brute Forcing Grammar - "I don't want no cookies" Brute Forcing Structures - URLs, Email Addresses, URLs, etc
- 62. “Few false ideas have more firmly gripped the minds of so many intelligent men than the one that, if they just tried, they could invent a cipher that no one could break.” - David Kahn
- 63. A Note On Protecting Yourself
- 64. xkcd.com/936/
- 65. BAD ADVICE xkcd.com/936/
- 66. Use True Random Passwords
- 67. Use A Password Manager
- 68. Anthony Ferrara @ircmaxell me@ircmaxell.com blog.ircmaxell.com youtube.com/ircmaxell
