
Password Storage And Attacking In PHP - PHP Argentina


Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?

How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.

We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!

Published in: Technology

  1. Password Storage (And Attacking) In PHP Anthony Ferrara
  2. “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.” - Bruce Schneier
  3. Github URL Follow Along: github.com/ircmaxell/password-bad-web-app A "Bad Web App" - Has Known Vulnerabilities - Only Use For Education!!! - Requires only Apache + PHP - Has Composer Dependencies
  4. Let's Start From The Beginning
  5. Plain-Text Storage git checkout plaintext Stores passwords in Plain-Text What's wrong with this picture?
  6. Plain-Text Storage What happens if we have a SQL-Injection Vulnerability? localhost/sqli Simulates: ?offset=0'+UNION+SELECT+*+FROM+users
  7. Plain-Text Storage Problem! Any attack vector results in leakage of ALL credentials!
  8. We Can Do Better
  9. MD5 git checkout md5 Uses the MD5 Cryptographic Hash function. md5($password) hash('md5', $password)
  10. Wait, What Is A Hash?
  11. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
  12. MD5 What's the problem now? SQL-Injection still gives us hash But the hash is one-way, how can we attack it?
  13. Enter: Lookup Tables
  14. Lookup Table Google is a great example Maps hash to password directly Database Table:

          hash          | password
          --------------+-----------
          "5f4dcc3b..." | "password"
          "acbd18db..." | "foo"

  15. Lookup Table Lookups are CPU efficient. Require a LOT of storage space - (Very space inefficient) All passwords <= 7 chars (95^7, 70 Trillion) Requires 1.5 PetaBytes - In Most Optimal Storage Format
  16. We Can Do Better
  17. Lookup Table [diagram: Password, Hash, a4fef...]
  18. Rainbow Table [diagram; labels: Seed, Hash, Reduce, Hash, a4fef..., Reduce, New Password, b741...]
  19. Chained Table [diagram: six chains, Seed 1 to Seed 6, each Seed → Hash → Reduce → Hash → Reduce → Hash → Reduce → Hash]
  20. Rainbow Table [diagram: six chains, Seed 1 to Seed 6, each Seed → Hash → Reduce → Hash → Reduce → Hash → Reduce → Hash]
  21. Using A Rainbow Table [diagram: three chains, Seed 1 to Seed 3, each Seed → Hash → Reduce → Hash → Reduce → Hash; hash values: a4fef..., b741..., b741..., b741...]
  22. Using A Rainbow Table [diagram: three chains, Seed 1 to Seed 3, each Seed → Hash → Reduce → Hash → Reduce → Hash; hash values: a4fef..., b741..., b741..., b741...]
  23. Using A Rainbow Table [diagram: three chains, Seed 1 to Seed 3, each Seed → Hash → Reduce → Hash → Reduce → Hash; hash values: a4fef..., b741..., b741..., b741...; additional labels: Reduce, Hash]
  24. Using A Rainbow Table [diagram: three chains, Seed 1 to Seed 3, each Seed → Hash → Reduce → Hash → Reduce → Hash; hash values: a4fef..., b741..., b741..., b741...; additional labels: Reduce, Reduce, Hash, Hash]
  25. Rainbow Table Time/Space Tradeoff - Slower than a Lookup Table - Uses Much less storage Most (99.9%) passwords <= 7 chars Requires only 64 GB - Chain length of 71,000
  26. Defense!
  27. Salted MD5 git checkout salted-md5 Uses the MD5 Cryptographic Hash function. But adds a random salt UNIQUE per user. md5($salt . $password) hash('md5', $salt . $password)
  28. Salts Must be unique! - Per Hash - Globally Should be random - Strong!!! - Reasonably long (at least 64 bits)
  29. Salted MD5 What's the problem now? SQL-Injection still gives us hash - And the salt But the salt defeats rainbow tables...
  30. Can Anyone See The Problem?
  31. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
  32. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
  33. Hash Functions Are Made To Be FAST
  34. Brute Forcing Several Tools Available - John The Ripper - oclHashcat A Lot Faster Than You May Think
  35. Brute Forcing Multiple Ways To Attack - Mask Based (permutations) - Dictionary Based - Combinator Based - Combinations of dictionary words - Fingerprint Based - Combinators applied with permutations - Rule Based - Takes input password and transforms it
  36. Brute Forcing Salted MD5 2012 Macbook Pro: - md5: 33 million per second - sha256: 20 million per second Mask Attack: 6 char passwords: 5 hours 7 char passwords: 22 days Entire English Language: 1.8 seconds "LEET" Permutations: 1 hour
  37. We Can Do Better
  38. Brute Forcing Salted MD5 25 GPU Cluster - md5: 180 Billion per second - < US$50,000 6 char passwords: 4 seconds 7 char passwords: 6 minutes 8 char passwords: 10 hours Entire English Language: "LEET" Permutations:
  39. Brute Forcing Salted MD5 25 GPU Cluster - md5: 180 Billion per second - < US$50,000 6 char passwords: 4 seconds 7 char passwords: 6 minutes 8 char passwords: 10 hours Entire English Language: yeah... "LEET" Permutations: 0.7 seconds
  40. But Wait, I Thought MD5 Was Broken?
  41. MD5 IS Broken! But No Other Primitive Hash Is Not!!! sha1 ≈ md5 sha256 ≈ md5 sha512 ≈ md5 whirlpool ≈ md5 ALL raw primitive hashes are broken for password storage.
  42. So, How Can We Combat Such Hardware?
  43. Iterated MD5 git checkout iterated-md5 Uses the MD5 Cryptographic Hash function. But adds a random salt UNIQUE per user. And iterates a lot of times do { $h = md5($h . $salt . $password); } while($i++ < 1000);
  44. We're Intentionally Slowing It Down
  45. Brute Forcing Iterated MD5 25 GPU Cluster - md5: 70 million per second 6 char passwords: 17 minutes 7 char passwords: 1 day 8 char passwords: 124 days Entire English Language: 0.8 seconds
  46. We Can Do Better
  47. PBKDF2 git checkout pbkdf2 Uses the standard PBKDF2 algo - With SHA512 primitive Slower, and harder to use on GPU pbkdf2($pass, $salt, 10000, 40)
  48. Brute Forcing PBKDF2 25 GPU Cluster - PBKDF2(sha512): 300,000 per second 6 char passwords: 28 days 7 char passwords: 7 years 8 char passwords: 700 years Entire English Language: 3 minutes
  49. We Can Still Do Better
  50. BCrypt git checkout bcrypt Uses the standard BCrypt algo - based on Blowfish cipher Same execution time, Much harder to run on GPU crypt $2a$
  51. Brute Forcing BCrypt 25 GPU Cluster - BCrypt: 70,000 per second 6 char passwords: 120 days 7 char passwords: 31 years 8 char passwords: 3000 years Entire English Language: 14 minutes
  52. A Note On Cost BCrypt accepts a "cost" parameter Must be tuned per server! - Target about 0.1 to 0.25 second runtime - Cost of 10 is a good baseline - Cost of 11 or 12 is better - Only if you have good hardware.
  53. PHP 5.5 Password Hashing API git checkout password-compat A thin wrapper over crypt() - Simplifies implementation - Strong random salt generation - Can specify cost as int option password_hash($pass, $algo, [$opts]) password_verify($pass, $hash) github.com/ircmaxell/password_compat
  54. We Can Do Even Better!
  55. Let's Encrypt As Well!
  56. Encrypted BCrypt git checkout bcrypt-with-encryption Hash with BCrypt, Then encrypt result with AES-128. Requires key storage for the app. - Not trivial Use only if needed! - BCrypt alone is typically sufficient
  57. Brute Forcing Encrypted BCrypt Attack requires low level server compromise! - SQL Injection is not enough! localhost/codeinject - Simulates code injection that reads source Any low level compromise Is No Worse than raw BCrypt - BCrypt is the baseline.
  58. The Future
  59. The Future scrypt - Sequential Memory Hard - Uses a LOT of memory (> 4mb / hash) - MUCH Harder to brute-force than bcrypt - IFF setup correctly
  60. The Future Password Hashing Competition - Currently being setup - Aims to pick "standard" password hashing algorithm - A community effort
  61. The Future Brute Forcing Word Lists - Complex combinations of words - "horse correct battery staple" Brute Forcing Grammar - "I don't want no cookies" Brute Forcing Structures - URLs, Email Addresses, etc
  62. “Few false ideas have more firmly gripped the minds of so many intelligent men than the one that, if they just tried, they could invent a cipher that no one could break.” - David Kahn
  63. A Note On Protecting Yourself
  64. xkcd.com/936/
  65. BAD ADVICE xkcd.com/936/
  66. Use True Random Passwords
  67. Use A Password Manager
  68. Anthony Ferrara @ircmaxell me@ircmaxell.com blog.ircmaxell.com youtube.com/ircmaxell
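
The cost tuning from slide 52 and the password hashing API from slide 53, combined with an upgrade path for records still stored as salted MD5 (slide 27), as an added example that is not code from the talk or its repository. The function names, the `md5:<salt>:<hex>` legacy record layout and the sample values are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the talk. Names and the legacy layout are assumptions.

// Lowest bcrypt cost whose hash time reaches the target (slide 52: 0.1 to 0.25 s).
function calibrateCost(float $target = 0.1, int $min = 10, int $max = 15): int
{
    for ($cost = $min; $cost < $max; $cost++) {
        $start = microtime(true);
        password_hash('calibration-input', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $target) {
            break;
        }
    }
    return $cost;
}

// Returns [loginOk, newHashToStoreOrNull].
// $stored is a password_hash() string or a legacy "md5:<salt>:<hex>" record (assumed layout).
function verifyAndUpgrade(string $password, string $stored, int $cost): array
{
    $opts = ['cost' => $cost];
    if (strncmp($stored, 'md5:', 4) === 0) {
        $parts = explode(':', $stored, 3);
        // hash_equals() compares in constant time
        if (count($parts) !== 3 || !hash_equals($parts[2], md5($parts[1] . $password))) {
            return [false, null];
        }
        // Correct password on a legacy record: replace it with bcrypt right away.
        return [true, password_hash($password, PASSWORD_BCRYPT, $opts)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash when the stored cost differs from the one this server was tuned for.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? password_hash($password, PASSWORD_BCRYPT, $opts)
        : null;
    return [true, $new];
}

// Constructed sample data
$cost   = calibrateCost();
$legacy = 'md5:9f2c1a7e:' . md5('9f2c1a7e' . 'correct horse');
[$ok, $upgraded] = verifyAndUpgrade('correct horse', $legacy, $cost);
var_dump($ok, password_get_info($upgraded)['algoName']);
[$ok2, $again] = verifyAndUpgrade('correct horse', $upgraded, $cost);
var_dump($ok2, $again);
[$bad] = verifyAndUpgrade('wrong', $upgraded, $cost);
var_dump($bad);
```

The caller writes the second array element back to the user's row whenever it is not null, so legacy and low-cost hashes are replaced as users log in.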
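
Slide 56's hash-then-encrypt scheme, as an added example that is not the code on the talk's bcrypt-with-encryption branch. The choice of AES-128 in GCM mode, the record layout and the function names are assumptions; the 16-byte key has to live outside the database so that SQL injection alone does not expose it. It needs PHP 7.1 or later with the OpenSSL extension.

```php
<?php
// Added example, not the talk's code. AES-128-GCM, the record layout
// and the function names are assumptions.

const CIPHER  = 'aes-128-gcm';
const TAG_LEN = 16;

// Hash with bcrypt, then encrypt the hash under an application key.
function protectPassword(string $password, string $key, int $cost = 10): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $iv   = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV per record
    $ct   = openssl_encrypt($hash, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // iv | tag | ciphertext
}

function checkPassword(string $password, string $record, string $key): bool
{
    $raw   = base64_decode($record, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen + TAG_LEN) {
        return false;
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    // Decryption fails when the key is wrong or the record was modified.
    $hash = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $hash !== false && password_verify($password, $hash);
}

// Constructed demo; a real key is loaded from configuration outside the database.
$key    = random_bytes(16);
$record = protectPassword('correct horse', $key);
var_dump(checkPassword('correct horse', $record, $key));
var_dump(checkPassword('wrong', $record, $key));
var_dump(checkPassword('correct horse', $record, random_bytes(16)));
```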
