This document discusses the history of vulnerabilities in SSL/TLS, including padding oracle attacks and the POODLE attack. It provides details on how padding oracle attacks work by exploiting weaknesses in CBC mode encryption and how SSLv3 is vulnerable. It recommends completely disabling SSLv3 to prevent POODLE attacks, as the protocol allows plaintext recovery through padding oracle exploitation when MAC is incorrectly used.
Collision vulnerability for hash data structures in web platformsBerescu Ionut
The document discusses a denial of service vulnerability in various programming languages and web servers that use hash tables to store key-value pairs. By exploiting collisions in the hashing algorithms, an attacker can construct inputs that degenerate the hash table performance to O(n*2) time by creating 100% collisions. This allows exhausting CPU resources through a single HTTP request, denying availability to the system. The vulnerability affects languages like PHP, Python, Ruby and servers like Apache and Glassfish.
Message Authentication using Message Digests and the MD5 AlgorithmAjay Karri
Message authentication is important to prevent undetected manipulation of messages, which can have disastrous effects. Examples where message authentication is crucial include internet commerce and network management. Cryptographic hash functions are often used to authenticate messages by providing a digital fingerprint of the message contents.
This document discusses message authentication with MD5. It provides an overview of how MD5 works as a hash function and describes how it can be used to generate a message authentication code (MAC). It notes that MD5 was an attempt to reduce overhead compared to DES-based MACs. However, it also describes an extension attack that allows modifying messages while reusing the original MAC. The document considers replacing MD5 with AES to address this issue and provides thoughts on using MD5 for per-message authentication despite its age.
Hash functions are used to compress variable length messages into fixed length digests. They provide compression, efficiency, and hide message content. Properties include one-way, weak collision, and strong collision resistance. Merkle-Damgard iteration is used to build cryptographic hash functions from compression functions. Applications include digital signatures, message authentication codes, and key derivation. Common hash functions are MD4, MD5, and SHA which use Boolean functions and updating rules in their algorithms. Hash functions provide security by making it difficult to find collisions or inputs that result in specific outputs.
This document discusses password security and different password strategies. It explains that longer, more complex passwords are harder to guess due to higher entropy. Traditional passwords can have high per-character entropy but are hard to remember and reuse. Proper phrase passwords have overall higher entropy than traditional passwords due to using multiple words, while still being memorable. The document recommends at least 75 bits of entropy, which can be achieved with over 12 random characters or six random words from a large dictionary.
The document discusses cryptographic hash functions, including an overview of their usage, properties, structures, attacks, and the need for a new secure hash standard. It describes how hash functions work by condensing arbitrary messages into fixed-size message digests. The properties of preimage resistance, second preimage resistance, and collision resistance are explained. Common hashing algorithms like MD5, SHA-1, and SHA-2 are outlined along with vulnerabilities like birthday attacks. The document concludes by noting the need to replace standards like MD5 and SHA-1 due to successful cryptanalysis attacks.
This document discusses the history of vulnerabilities in SSL/TLS, including padding oracle attacks and the POODLE attack. It provides details on how padding oracle attacks work by exploiting weaknesses in CBC mode encryption and how SSLv3 is vulnerable. It recommends completely disabling SSLv3 to prevent POODLE attacks, as the protocol allows plaintext recovery through padding oracle exploitation when MAC is incorrectly used.
Collision vulnerability for hash data structures in web platformsBerescu Ionut
The document discusses a denial of service vulnerability in various programming languages and web servers that use hash tables to store key-value pairs. By exploiting collisions in the hashing algorithms, an attacker can construct inputs that degenerate the hash table performance to O(n*2) time by creating 100% collisions. This allows exhausting CPU resources through a single HTTP request, denying availability to the system. The vulnerability affects languages like PHP, Python, Ruby and servers like Apache and Glassfish.
Message Authentication using Message Digests and the MD5 AlgorithmAjay Karri
Message authentication is important to prevent undetected manipulation of messages, which can have disastrous effects. Examples where message authentication is crucial include internet commerce and network management. Cryptographic hash functions are often used to authenticate messages by providing a digital fingerprint of the message contents.
This document discusses message authentication with MD5. It provides an overview of how MD5 works as a hash function and describes how it can be used to generate a message authentication code (MAC). It notes that MD5 was an attempt to reduce overhead compared to DES-based MACs. However, it also describes an extension attack that allows modifying messages while reusing the original MAC. The document considers replacing MD5 with AES to address this issue and provides thoughts on using MD5 for per-message authentication despite its age.
Hash functions are used to compress variable length messages into fixed length digests. They provide compression, efficiency, and hide message content. Properties include one-way, weak collision, and strong collision resistance. Merkle-Damgard iteration is used to build cryptographic hash functions from compression functions. Applications include digital signatures, message authentication codes, and key derivation. Common hash functions are MD4, MD5, and SHA which use Boolean functions and updating rules in their algorithms. Hash functions provide security by making it difficult to find collisions or inputs that result in specific outputs.
This document discusses password security and different password strategies. It explains that longer, more complex passwords are harder to guess due to higher entropy. Traditional passwords can have high per-character entropy but are hard to remember and reuse. Proper phrase passwords have overall higher entropy than traditional passwords due to using multiple words, while still being memorable. The document recommends at least 75 bits of entropy, which can be achieved with over 12 random characters or six random words from a large dictionary.
The document discusses cryptographic hash functions, including an overview of their usage, properties, structures, attacks, and the need for a new secure hash standard. It describes how hash functions work by condensing arbitrary messages into fixed-size message digests. The properties of preimage resistance, second preimage resistance, and collision resistance are explained. Common hashing algorithms like MD5, SHA-1, and SHA-2 are outlined along with vulnerabilities like birthday attacks. The document concludes by noting the need to replace standards like MD5 and SHA-1 due to successful cryptanalysis attacks.
The document discusses the MD5 algorithm used for generating message digests of arbitrary inputs. It describes the MD5 algorithm structure and implementation steps. The implementation involves padding the input message to a length congruent to 448 modulo 512 bits. A 64-bit representation of the original message length is then appended. The padded message is processed in 512-bit blocks, each divided into sixteen 32-bit words. Four initialization values are used to compute the message digest through four rounds of operations on each block.
This document discusses hash functions and their analysis for a network security seminar. It begins by defining a hash function as a mathematical function that converts a large amount of data into a small string of integers. Common applications of hash functions include hash tables for quickly searching data, eliminating data redundancy, caches, bloom filters, and pattern matching. Cryptographic hash functions have properties like preimage and second preimage resistance as well as collision resistance. Popular cryptographic hash functions discussed include MD2, MD4, MD5, SHA-1, and SHA-2, along with their advantages, limitations, and examples of attacks.
CTF3, Stripe's third Capture-the-Flag, focused on distributed systems engineering with a goal of learning to build fault-tolerant, performant software while playing around with a bunch of cool cutting-edge technologies.
More here: https://stripe.com/blog/ctf3-launch.
Cryptographic hash functions, message authentication codes (MACs), and digital signatures are discussed.
HMAC and CBC-MAC are introduced as methods to construct MACs from hash functions. HMAC incorporates a secret key into a hash function to provide message authentication. CBC-MAC uses a block cipher like DES in CBC mode.
Digital signatures are similar to MACs but use public-key cryptography like RSA. A digital signature provides both message authentication and non-repudiation. RSA can be used to generate signatures by signing a hash of the message with the private key.
The document discusses various cryptographic concepts such as MACs, hashes, key derivation functions, and authenticated encryption. It describes techniques for constructing secure MACs like ECBC-MAC and PMAC, and explains attacks like length-extension attacks and collision attacks. The document also covers standards for authenticated encryption like GCM, CCM, and EAX that combine encryption and message authentication codes.
MD5 & Hash Encryption provides an overview of MD5 and hash encryption algorithms. It discusses the purpose and examples of MD5, how the MD5 algorithm works, potential security risks like collisions, and practical applications through code. It also covers how difficult MD5 is to crack through brute force, though flaws in the algorithm allow for exploits, and discusses how MD5 is used for digital signatures, certificates, and one-way encryption storage.
Hash functions are a one-way function, when properly implemented provides protection against collision. They however are susceptible to man-in-the-middle attack.
- Basics of IPv6
- How to use IPv6 for network penetration test.
- How to configure network security with respect to IPv6
- Tools of the trade for IPv6
The document discusses the MD5 algorithm, which takes an input message of arbitrary length and produces a 128-bit fingerprint or message digest. It describes the technical process, including padding the message, appending the length, initializing buffers, processing the message in 16-word blocks using four auxiliary functions, and outputting the final message digest consisting of the values A, B, C, and D. The MD5 algorithm provides a secure way to compress a large file before encryption.
This study investigates users’ behavior in password utilization. Good password practices are critical to the security of any information system. End users often use weak passwords that are short, simple, and based on personal and meaningful information that can be easily guessed. A survey was conducted among executive MBA students who hold managerial positions. The results of the survey indicate that users practice insecure behaviors in the utilization of passwords. The results support the literature and can be used to guide password management policy.
Cryptographic hashing functions are used to map data of arbitrary size to fixed-size values to facilitate data storage and transmission. They have properties such as preimage and collision resistance to make them unpredictable and secure. Popular cryptographic hashing algorithms include MD5, SHA-1, and SHA-2. Hashing functions are used for applications like digital signatures, password security, and message authentication. Techniques like salting hashes make them more resistant to brute force and pre-computed rainbow table attacks.
The document discusses hash functions and message authentication codes (MACs). It begins by defining hash functions and MACs, noting that hash functions generate a fingerprint for a message without a key while MACs use a keyed hash function. It then covers security requirements for hash functions like one-wayness and collision resistance. Popular hash functions are described like MD5, SHA-1, and the SHA-2 family. Constructions for hash functions based on block ciphers and iterated hash functions are also outlined. The document concludes by comparing hash functions and MACs and describing common MAC constructions.
Strong cryptography is the usage of systems or components that are considered highly resistant to cryptanalysis, the study of methods to cracking the codes. In this talk I would like to present the usage of strong cryptography in PHP. Security is a very important aspect of web applications especially when they manipulate data like passwords, credit card numbers, or sensitive data (as health, financial activities, sexual behavior or sexual orientation, social security numbers, etc). In particular I will present the extensions mcrypt, Hash, and OpenSSL that are been improved in the last version of PHP. These are the slides presented during my talk at PHP Dutch Conference 2011.
Cryptography For The Average Developer - Sunshine PHPAnthony Ferrara
This document provides an overview of cryptography concepts for PHP developers. It discusses keeping data secure from viewing, tampering and forgery without cryptography being a "silver bullet" solution. The document covers random number generation, symmetric and asymmetric encryption, hashing, common ciphers and modes, authentication, and password storage best practices like hashing passwords instead of encrypting them. The key messages are that cryptography is very difficult to implement securely and developers should rely on expert libraries or hire an expert instead of rolling their own solutions.
Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But cryptography means security? Absolutely not, especially if developers do not,especially if developers do not use it properly. In this talk I would like to present some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.
This document discusses secure passwords and provides information from both a user and developer perspective. It explains that passwords are important for authentication and act as the first line of defense for security. Examples are given of what passwords protect, such as bank accounts, email, and student information. Authentication methods include what you know, where you are, what you are, and what you have. The document also outlines threats to password security such as snooping, guessing, and cracking. It notes that passwords are not truly random and cracking is possible because people tend to use dictionary words and names which reduces the number of possible passwords.
This document discusses message authentication techniques including message encryption, message authentication codes (MACs), and hash functions. It describes how each technique can be used to authenticate messages and protect against various security threats. It also covers how symmetric and asymmetric encryption can provide authentication when used with MACs or digital signatures. Specific MAC and hash functions are examined like HMAC, SHA-1, and SHA-2. X.509 is introduced as a standard for digital certificates.
Information and data security cryptographic hash functionsMazin Alwaaly
This document discusses hash functions and their cryptographic applications. It begins by defining hash functions and their properties like one-wayness and collision resistance. It then discusses various applications of cryptographic hash functions like message authentication codes, digital signatures, password files, and more. It provides details on how hash functions are used for message authentication and digital signatures. It also describes the Secure Hash Algorithm family of hash functions like SHA-1, SHA-2, and the NIST competition for the SHA-3 standard.
This document discusses the MD5 cryptographic hash function. It provides an introduction to hash functions and describes MD5, including its features, applications, algorithm, analysis, and drawbacks. MD5 produces a 128-bit hash value from a message of any size through a multi-step process involving padding, appending a length, initializing buffers, and processing in 16-word blocks. While once widely used, MD5 is now considered broken due to vulnerabilities found in its compression function and preimage resistance.
This document discusses password cracking using rainbow tables. It begins with an introduction to the author and their background and interests. It then provides definitions and examples of hashing algorithms like MD5 and LM hashes. The bulk of the document demonstrates cracking hashed passwords like "PANGGI" and "LOVE" using rainbow tables, which are pre-computed lookup tables allowing efficient password cracking without brute force. Timings and results of cracking attempts using different rainbow table files are shown.
Techniques for password hashing and crackingNipun Joshi
This document discusses techniques for securely storing passwords using hashing and preventing cracking. It recommends using algorithms like bcrypt and PBKDF2 that include salts and key stretching to make passwords very difficult to brute force or dictionary attack by requiring extensive time and computing resources. The document provides examples of hashing best practices and measures organizations and users can take to better protect against leaks and unauthorized access.
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?
How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.
We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!
The document discusses the MD5 algorithm used for generating message digests of arbitrary inputs. It describes the MD5 algorithm structure and implementation steps. The implementation involves padding the input message to a length congruent to 448 modulo 512 bits. A 64-bit representation of the original message length is then appended. The padded message is processed in 512-bit blocks, each divided into sixteen 32-bit words. Four initialization values are used to compute the message digest through four rounds of operations on each block.
This document discusses hash functions and their analysis for a network security seminar. It begins by defining a hash function as a mathematical function that converts a large amount of data into a small string of integers. Common applications of hash functions include hash tables for quickly searching data, eliminating data redundancy, caches, bloom filters, and pattern matching. Cryptographic hash functions have properties like preimage and second preimage resistance as well as collision resistance. Popular cryptographic hash functions discussed include MD2, MD4, MD5, SHA-1, and SHA-2, along with their advantages, limitations, and examples of attacks.
CTF3, Stripe's third Capture-the-Flag, focused on distributed systems engineering with a goal of learning to build fault-tolerant, performant software while playing around with a bunch of cool cutting-edge technologies.
More here: https://stripe.com/blog/ctf3-launch.
Cryptographic hash functions, message authentication codes (MACs), and digital signatures are discussed.
HMAC and CBC-MAC are introduced as methods to construct MACs from hash functions. HMAC incorporates a secret key into a hash function to provide message authentication. CBC-MAC uses a block cipher like DES in CBC mode.
Digital signatures are similar to MACs but use public-key cryptography like RSA. A digital signature provides both message authentication and non-repudiation. RSA can be used to generate signatures by signing a hash of the message with the private key.
The document discusses various cryptographic concepts such as MACs, hashes, key derivation functions, and authenticated encryption. It describes techniques for constructing secure MACs like ECBC-MAC and PMAC, and explains attacks like length-extension attacks and collision attacks. The document also covers standards for authenticated encryption like GCM, CCM, and EAX that combine encryption and message authentication codes.
MD5 & Hash Encryption provides an overview of MD5 and hash encryption algorithms. It discusses the purpose and examples of MD5, how the MD5 algorithm works, potential security risks like collisions, and practical applications through code. It also covers how difficult MD5 is to crack through brute force, though flaws in the algorithm allow for exploits, and discusses how MD5 is used for digital signatures, certificates, and one-way encryption storage.
Hash functions are a one-way function, when properly implemented provides protection against collision. They however are susceptible to man-in-the-middle attack.
- Basics of IPv6
- How to use IPv6 for network penetration test.
- How to configure network security with respect to IPv6
- Tools of the trade for IPv6
The document discusses the MD5 algorithm, which takes an input message of arbitrary length and produces a 128-bit fingerprint or message digest. It describes the technical process, including padding the message, appending the length, initializing buffers, processing the message in 16-word blocks using four auxiliary functions, and outputting the final message digest consisting of the values A, B, C, and D. The MD5 algorithm provides a secure way to compress a large file before encryption.
This study investigates users’ behavior in password utilization. Good password practices are critical to the security of any information system. End users often use weak passwords that are short, simple, and based on personal and meaningful information that can be easily guessed. A survey was conducted among executive MBA students who hold managerial positions. The results of the survey indicate that users practice insecure behaviors in the utilization of passwords. The results support the literature and can be used to guide password management policy.
Cryptographic hashing functions are used to map data of arbitrary size to fixed-size values to facilitate data storage and transmission. They have properties such as preimage and collision resistance to make them unpredictable and secure. Popular cryptographic hashing algorithms include MD5, SHA-1, and SHA-2. Hashing functions are used for applications like digital signatures, password security, and message authentication. Techniques like salting hashes make them more resistant to brute force and pre-computed rainbow table attacks.
The document discusses hash functions and message authentication codes (MACs). It begins by defining hash functions and MACs, noting that hash functions generate a fingerprint for a message without a key while MACs use a keyed hash function. It then covers security requirements for hash functions like one-wayness and collision resistance. Popular hash functions are described like MD5, SHA-1, and the SHA-2 family. Constructions for hash functions based on block ciphers and iterated hash functions are also outlined. The document concludes by comparing hash functions and MACs and describing common MAC constructions.
Strong cryptography is the usage of systems or components that are considered highly resistant to cryptanalysis, the study of methods to cracking the codes. In this talk I would like to present the usage of strong cryptography in PHP. Security is a very important aspect of web applications especially when they manipulate data like passwords, credit card numbers, or sensitive data (as health, financial activities, sexual behavior or sexual orientation, social security numbers, etc). In particular I will present the extensions mcrypt, Hash, and OpenSSL that are been improved in the last version of PHP. These are the slides presented during my talk at PHP Dutch Conference 2011.
Cryptography For The Average Developer - Sunshine PHPAnthony Ferrara
This document provides an overview of cryptography concepts for PHP developers. It discusses keeping data secure from viewing, tampering and forgery without cryptography being a "silver bullet" solution. The document covers random number generation, symmetric and asymmetric encryption, hashing, common ciphers and modes, authentication, and password storage best practices like hashing passwords instead of encrypting them. The key messages are that cryptography is very difficult to implement securely and developers should rely on expert libraries or hire an expert instead of rolling their own solutions.
Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But cryptography means security? Absolutely not, especially if developers do not,especially if developers do not use it properly. In this talk I would like to present some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.
This document discusses secure passwords and provides information from both a user and developer perspective. It explains that passwords are important for authentication and act as the first line of defense for security. Examples are given of what passwords protect, such as bank accounts, email, and student information. Authentication methods include what you know, where you are, what you are, and what you have. The document also outlines threats to password security such as snooping, guessing, and cracking. It notes that passwords are not truly random and cracking is possible because people tend to use dictionary words and names which reduces the number of possible passwords.
This document discusses message authentication techniques including message encryption, message authentication codes (MACs), and hash functions. It describes how each technique can be used to authenticate messages and protect against various security threats. It also covers how symmetric and asymmetric encryption can provide authentication when used with MACs or digital signatures. Specific MAC and hash functions are examined like HMAC, SHA-1, and SHA-2. X.509 is introduced as a standard for digital certificates.
Information and data security cryptographic hash functionsMazin Alwaaly
This document discusses hash functions and their cryptographic applications. It begins by defining hash functions and their properties like one-wayness and collision resistance. It then discusses various applications of cryptographic hash functions like message authentication codes, digital signatures, password files, and more. It provides details on how hash functions are used for message authentication and digital signatures. It also describes the Secure Hash Algorithm family of hash functions like SHA-1, SHA-2, and the NIST competition for the SHA-3 standard.
This document discusses the MD5 cryptographic hash function. It provides an introduction to hash functions and describes MD5, including its features, applications, algorithm, analysis, and drawbacks. MD5 produces a 128-bit hash value from a message of any size through a multi-step process involving padding, appending a length, initializing buffers, and processing in 16-word blocks. While once widely used, MD5 is now considered broken due to vulnerabilities found in its compression function and preimage resistance.
This document discusses password cracking using rainbow tables. It begins with an introduction to the author and their background and interests. It then provides definitions and examples of hashing algorithms like MD5 and LM hashes. The bulk of the document demonstrates cracking hashed passwords like "PANGGI" and "LOVE" using rainbow tables, which are pre-computed lookup tables allowing efficient password cracking without brute force. Timings and results of cracking attempts using different rainbow table files are shown.
Techniques for password hashing and crackingNipun Joshi
This document discusses techniques for securely storing passwords using hashing and preventing cracking. It recommends using algorithms like bcrypt and PBKDF2 that include salts and key stretching to make passwords very difficult to brute force or dictionary attack by requiring extensive time and computing resources. The document provides examples of hashing best practices and measures organizations and users can take to better protect against leaks and unauthorized access.
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?
How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.
We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!
The 7th June 2012 Linkedin was hacked. More than 6 million LinkedIn passwords was compromised. The real shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why it happened? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user's passwords and how to safely store it from a programmer's perspective.
This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012
These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).
In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.
This document discusses password security and best practices. It notes that 66% of corporate network breaches are due to weak passwords. Passwords should not be stored in plaintext or with reversible encryption, but rather hashed with salts. Hashing strengthens security but using salts is important to avoid rainbow table attacks. The document recommends choosing long, unique passphrases rather than short, dictionary words for passwords. It also advocates the use of password managers and two-factor authentication for strongest security.
The document discusses passwords and password security. It summarizes that common password practices like complexity rules and frequent changes actually decrease security by making passwords harder to remember. Instead, it recommends using very long, easy to remember passwords and only changing them when truly necessary. It also discusses how password cracking tools like rainbow tables and hashcat can crack hashed passwords, but proper defenses like salting and slow hashing functions provide effective protection.
This document summarizes key points from a presentation on password security best practices and weaknesses. It discusses how passwords are cracked using tools like hashcat that can generate billions of hashes per second on GPUs. It also explains how practices like complex rules, frequent changes and plaintext storage undermine security. The presentation argues for using long, easy to remember passwords and storing hashed passwords with salts instead of complex rules and frequent changes.
The document provides guidance on properly storing passwords in a database. It recommends using cryptographically secure hash functions with salts to hash passwords before storage. It discusses approaches like PBKDF2, BCrypt, and SCRYPT that can be used to hash passwords and make brute force attacks more difficult. The document stresses that security should be a higher priority for developers than new frameworks, and provides other recommendations like using standard authentication when possible and limiting database access.
Kieon secure passwords theory and practice 2011Kieon
The document discusses password security and different methods for storing passwords. It analyzes passwords from a data breach of 32 million passwords and finds that most passwords were very weak. It then discusses various methods for storing passwords like clear text, hashed passwords without salts, hashed passwords with static salts, and hashed passwords with dynamic salts. Hashing passwords with dynamic salts provides the strongest security since each hash is unique and cannot be cracked using rainbow tables. The document concludes that while no database is completely secure, dynamic hashing with salts makes the passwords much harder to steal through automated attacks or by experienced hackers.
This document provides tips and information about internet security and password best practices. It discusses the threats posed by hackers and malware online. It then offers recommendations for creating stronger passwords, such as using passphrases that are long and memorable rather than following outdated guidelines. The document also introduces password managers as a tool for generating and storing unique, secure passwords for all accounts. LastPass and KeePass are highlighted as popular and effective password manager options.
The presentation discusses common security issues with JSON Web Tokens (JWTs) and demonstrates attacks. It covers problems with none algorithms in JWT libraries, password cracking with weak keys, packet sniffing to steal unencrypted tokens, and cross-site scripting to steal tokens from session storage. The presentation provides best practices for algorithms, keys, encryption, timeouts, logouts, and defenses like content security policy to address these issues.
What Video Games and BotCoin Did To The World Of Security... On AccidentBen Finke
Advances in graphics processing for both video games and crypto-currency mining have given us exceptional computing power to attack hashing algorithms, an underpinning foundational element of many of the security protections we use today. In this talk we'll explore how GPUs can be used in a security context, mostly by the bad guys.
The document discusses password security and different techniques for generating strong passwords. It examines password policies, techniques for creating memorable passwords, machine-generated versus human-generated passwords, and diceware passphrases. Testing of various password styles showed that longer, random passwords containing a mix of characters were strongest, but hardest to remember, while shorter words were easier to recall but weaker. Both machine-generated and diceware-produced passwords were stronger than human choices on average.
Lightning Talk: What You Need to Know Before You Shard in 20 MinutesMongoDB
Curious about the benefits of sharding your MongoDB deployments? Do you need help deciding when you should shard, or which collections to shard first? Or maybe you just need some guidance on finding the right shard key. This session will cover these topics and give you a primer on MongoDB sharding and why it makes the database so compelling for so many applications. This is an entry-level to medium-level talk with references and links to more advanced material on sharding MongoDB.
This document discusses sharding in MongoDB. It covers why to shard (to scale out writes and data), who to shard (largest and busiest collections), when to shard (as early as possible to avoid issues later), and where the shard key should be placed (on values that won't change like IDs or dates to improve performance). The presenter is a MongoDB master with 16 years of database experience who recommends hashed shard keys for even data distribution and non-hashed keys on unchanging fields only.
A Survey of Password Attacks and Safe Hashing AlgorithmsIRJET Journal
This document discusses password hashing and safe hashing algorithms. It begins with an introduction to password hashing and why it is important to store hashed passwords rather than plaintext passwords. It then discusses various hashing algorithms such as MD5, SHA-1, SHA-2, and SHA-3. The document also covers different types of password attacks like dictionary attacks, brute force attacks, and rainbow tables. Finally, it discusses the properties that make for a secure hashing algorithm, including using unique salts per password and algorithms being fast on software but slow on hardware.
This document discusses best practices for securely storing passwords. It notes that passwords are often stored insecurely, such as in plain text. To securely store passwords, it recommends encrypting them using cryptographic hash functions with salts. Specifically, it advises using functions such as SHA-2, bcrypt, and scrypt, which can include salts and be slowed down through key stretching to make passwords very difficult to hack or crack. Following these guidelines helps protect users and companies by securing password data.
User Credential handling in Web Applications done righttladesignz
In my work I often see very bad practices how the users' passwords are treated in web applications. This is a short summary of the current state of the art, how to do it the right way.
Passwords associated with hash keys, such as MD5, SHA, WHIRLPOOL, RipeMD, etc.
Hashes are one-way functions —mathematical operation that is easy to perform, but very difficult to reverse engineer.
Hash functions turns readable data into a random string of fixed length size.
Hashes do not allow someone to decrypt data with a specific key, as standard encryption protocols allow.
The document discusses emerging web technologies for developers such as WebRTC for real-time communications, WebSockets for full-duplex connections, and WebVR for accessing virtual reality devices from a browser. It also covers concepts related to virtual reality like stereoscopic vision and head tracking. The presentation encourages developers to get involved with communities and share their knowledge of these new technologies.
Similar to How-to crack 43kk passwords while drinking your juice/smoozie in the Hood (20)
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3Data Hops
Free A4 downloadable and printable Cyber Security, Social Engineering Safety and security Training Posters . Promote security awareness in the home or workplace. Lock them Out From training providers datahops.com
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
3. TEAM
WE are Security Group
WE are ALL Engineers (Almost;)
WE are OWASP Lviv Chapter
WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
4. o But WHY??!!
o Our CRACKING RIG
o Different obvious methods
o Not so obvious methods
o Some interesting statistics
Agenda
23. Where to Start?
We used dictionary attack as the
first attempt
You need good dictionary. We
started with rockyou.txt
You need memory for your hashes.
It could be problem for GPU
24. So First Try
Cracked around 20% of all hashes
(with rockyou.txt dictionary)
It took around 5 mins
And now you have to think what
to do next
25. We need moar dictionaries!
RockYou contains 14 344 391 words
We tried different dictionaries.
The biggest was 1 212 356 398
words and 15 GB in size
All this gives us approx 35% of all
hashes
26. Let’s brute it!
We selected up to 6 char passwords
with full set of characters
It took around 2 hours
All this gives us approx 45% of all
hashes
28. What we can do get moar?
HashCat has rules of transformation
It mutates original word
Quality of your dictionary is
essential. Size doesn’t rly matters
Using rules is more time consuming
than just dictionary attack
29. What rules are effective?
We used best64, InsidePro-
PasswordsPro and d3ad0ne rules
It was very effective in terms of
number of hashes
All this gives us approx 60% of all
hashes
30. Time to go smarter way
We have 36 millions of cracked
passwords
We can analyze cracked password
to determine patters
This patterns can produce more
efficient bruteforce masks
32. PACK Tool Features
Can analyze list of password and
generate bruteforce mask
You can specify password length,
time, complexity constrains
Gives you some idea what type of
passwords are popular
33. Is PACK effective?
It can crack similar passwords
according that you already have
You can flexibly choose best
masks regarding constrains
All this gives us approx 65% of all
hashes
34. Other types of attacks
PRINCE attack, somehow similar to
the using PACK tool + mutation
Combination of TWO and more
dictionaries
Hybrid attack, that uses
dictionaries + rules + bruteforce
masks