password (in)security

Password (in)security How to generate and store passwords in a secure way by Enrico “cerin0” Zimuel

Upload: enrico-zimuel

Post on 26-Aug-2014


DESCRIPTION

On the 7th June 2012 LinkedIn was hacked. More than 6 million LinkedIn passwords were compromised. The real shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why did it happen? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user passwords and how to safely store them from a programmer's perspective. This talk was presented during MOCA 2012, http://moca.olografix.org/moca2012

TRANSCRIPT

Page 1: Password (in)security

Password (in)security

How to generate and store passwords in a secure way

by Enrico “cerin0” Zimuel

Page 2: Password (in)security

About me

● Enrico “cerin0” Zimuel

● Developer since Texas Instruments TI99/4A

● Research programmer, Informatics institute of UvA (Amsterdam)

● Core team of the open source project Zend Framework

● Co-author of the books “Segreti, Spie Codici Cifrati”, “Come si fa a usare la firma digitale”, “PHP Best Practices”

● Founder of the PHP User Group Torino

● http://www.zimuel.it

1998

Page 3: Password (in)security

Password

A password is a secret word or string of characters that is used for authentication.

Page 4: Password (in)security

User perspective:

How to choose a “secure” password?

Developer perspective:

How to store a password in a secure way?

Page 5: Password (in)security

Password security

Basically every security system is based on passwords.

Page 6: Password (in)security

When security fails...

Page 7: Password (in)security

linkedin.com

Hack: 6th June 2012

More than 6 million passwords were compromised

SHA1 password

Page 8: Password (in)security

eharmony.com

Hack: 6th June 2012

More than 1.5 million passwords were compromised

SHA1 password

Page 9: Password (in)security

last.fm

Hack: 7th June 2012

? million passwords were compromised

MD5 password

Page 10: Password (in)security

yahoo.com

Hack: 12th June 2012

443K passwords were compromised

SQL injection, password in plaintext!

Page 11: Password (in)security

How to choose a “robust” user's password

Page 12: Password (in)security
Page 13: Password (in)security

Some best practices:

● No personal information

● A long pass phrase is better than a shorter random jumble of characters

● At least 10 characters long

● Don't use the same password for everything

● Change your password from time to time

Page 14: Password (in)security

http://howsecureismypassword.net/

Page 15: Password (in)security

Developers

Force the user to generate a robust password

Page 16: Password (in)security

How to store a password in a secure way?

Developers

Page 17: Password (in)security

Old school (deprecated)

Use hash algorithms like MD5 or SHA1

Page 18: Password (in)security

New school (deprecated?)

Use hash algorithm + salt (a random string).

Page 19: Password (in)security

Using hash + salt

Prevent dictionary attacks? YES

Prevent brute force attacks? NO

Page 20: Password (in)security

Brute forcing attacks

CPU power is growing (multi-core)

GPUs are rendering password security useless

Use a Cloud system (n-CPU)

Page 21: Password (in)security

Brute forcing with a GPU

Source: www.nvidia.com

Page 22: Password (in)security

GPU and CUDA

CUDA™ is a parallel computing platform and programming model invented by NVIDIA

Page 23: Password (in)security

Extreme GPU Bruteforcer using NVIDIA GTS250 ~ $100

Source: http://www.insidepro.com/eng/egb.shtml

| Algorithm | Speed | 8 chars | 9 chars | 10 chars |
|---|---|---|---|---|
| md5($pass) | 426 million p/s | 6 days | 1 year | 62 years |
| md5($pass.$salt) | 170 million p/s | 14 days | 2 ½ years | 156 years |
| sha1($pass) | 85 million p/s | 29 days | 5 years | 313 years |
| sha1($pass.$salt) | 80 million p/s | 31 days | 5 years | 332 years |

Passwords drawn from a set of 62 characters (a-z, A-Z, 0-9)

Page 24: Password (in)security

IGHASHGPU

ATI HD 5970 ~ $700

Source: http://www.golubev.com/hashgpu.htm

| Algorithm | Speed | 8 chars | 9 chars | 10 chars |
|---|---|---|---|---|
| md5($pass) | 5600 million p/s | 10 hours | 27 days | 4 ½ years |
| sha1($pass) | 2300 million p/s | 26 hours | 68 days | 11 ½ years |

Passwords drawn from a set of 62 characters (a-z, A-Z, 0-9)

Page 25: Password (in)security

Whitepixel

4 Dual HD 5970 ~ $2800

Source: http://blog.zorinaq.com/?e=42

| Algorithm | Speed | 8 chars | 9 chars | 10 chars |
|---|---|---|---|---|
| md5($pass) | 33 billion p/s | 1 ½ hour | 4 ½ days | 294 days |

Passwords drawn from a set of 62 characters (a-z, A-Z, 0-9)

Page 26: Password (in)security

Secure algorithms for password storing

● Hash + salt + stretching (i.e. PBKDF2)

● bcrypt

● scrypt

Page 27: Password (in)security

Hash + salt + stretching

● Stretching = iterate (hash + salt) n-times

key = ""
for 1 to n-times do
    key = hash(key + password + salt)

Page 28: Password (in)security

How to estimate the number of iterations?

● The number of iterations depends on the CPU speed; the computation should take around 1 sec to be considered secure

● For instance, this PHP code:

<?php
// $salt and $password are set elsewhere; NUM_ITERATIONS is a defined constant
$key = '';
for ($i = 0; $i < NUM_ITERATIONS; $i++) {
    $key = hash('sha512', $key . $salt . $password);
}

runs in 900 ms with NUM_ITERATIONS = 40'000 using an Intel Core 2 at 2.1 GHz
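The 900 ms figure is specific to that CPU, so the count has to be measured on the host that will verify logins. The following is an added example, not code from the talk: it times PHP's built-in hash_pbkdf2() and scales the iteration count to a target duration. The function name calibratePbkdf2Iterations() and the sample password are assumptions of the example.

```php
<?php
// Added example: estimate the PBKDF2 iteration count that costs about
// $targetSeconds on this host. Password and salt are constructed samples.
function calibratePbkdf2Iterations(float $targetSeconds = 1.0, string $algo = 'sha512'): int
{
    $password   = 'calibration-passphrase';   // constructed sample input
    $salt       = random_bytes(16);
    $iterations = 10000;

    // Double the count until one derivation takes a measurable share of
    // the target, so timer resolution does not dominate the estimate.
    do {
        $iterations *= 2;
        $start = microtime(true);
        hash_pbkdf2($algo, $password, $salt, $iterations, 32, true);
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $targetSeconds / 4);

    // PBKDF2 cost grows linearly with the iteration count: scale to target.
    return (int) round($iterations * $targetSeconds / $elapsed);
}

$iterations = calibratePbkdf2Iterations(1.0);

// Confirm the estimate with one timed run at the chosen count.
$start = microtime(true);
hash_pbkdf2('sha512', 'calibration-passphrase', random_bytes(16), $iterations, 32, true);
printf("%d iterations take %.0f ms on this host\n",
    $iterations, (microtime(true) - $start) * 1000);
```

Run it on production-class hardware and repeat the measurement when the hardware changes, since the attacker's hash rate grows over time as the tables above show.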

Page 29: Password (in)security

PBKDF2

● PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0

● PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations

Page 30: Password (in)security

PBKDF2 in PHP

PBKDF2 in PHP (Zend Framework 2.0)

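use Zend\Crypt\Hmac;

function calc($hash, $password, $salt, $iterations, $length)
{
    // Number of HMAC-sized blocks needed to cover $length bytes
    $num = ceil($length / Hmac::getOutputSize($hash, Hmac::OUTPUT_BINARY));
    $result = '';
    for ($block = 1; $block <= $num; $block++) {
        // First round: HMAC over the salt and the 32-bit big-endian block index
        $hmac = Hmac::compute($password, $hash, $salt . pack('N', $block), Hmac::OUTPUT_BINARY);
        $mix = $hmac;
        for ($i = 1; $i < $iterations; $i++) {
            // Each further round feeds the previous HMAC back in and XORs it into the block
            $hmac = Hmac::compute($password, $hash, $hmac, Hmac::OUTPUT_BINARY);
            $mix ^= $hmac;
        }
        $result .= $mix;
    }
    // Truncate the concatenated blocks to the requested key length
    return substr($result, 0, $length);
}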
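Deriving the key is only half of password storage: the salt and the iteration count must be kept with the hash, and the comparison at login should be constant-time. The following added example (not part of the talk or of Zend Framework) uses PHP's built-in hash_pbkdf2(); the record format and the names pbkdf2Store() and pbkdf2Verify() are assumptions of the example, and 40000 is the iteration count quoted earlier in the slides.

```php
<?php
// Hypothetical record format (an assumption of this example):
//   pbkdf2-sha512$<iterations>$<base64 salt>$<base64 derived key>
function pbkdf2Store(string $password, int $iterations = 40000): string
{
    $salt = random_bytes(16);   // fresh random salt for every password
    $key  = hash_pbkdf2('sha512', $password, $salt, $iterations, 32, true);
    return sprintf('pbkdf2-sha512$%d$%s$%s',
        $iterations, base64_encode($salt), base64_encode($key));
}

function pbkdf2Verify(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha512') {
        return false;           // unknown or malformed record
    }
    $iterations = (int) $parts[1];
    $salt       = base64_decode($parts[2], true);
    $expected   = base64_decode($parts[3], true);
    if ($iterations < 1 || $salt === false || $expected === false || $expected === '') {
        return false;
    }
    // Re-derive with the stored salt and iteration count, so old records
    // keep verifying after the default count is raised.
    $actual = hash_pbkdf2('sha512', $password, $salt, $iterations, strlen($expected), true);
    return hash_equals($expected, $actual);   // constant-time comparison
}

// Constructed sample passwords: the first check matches, the second does not.
$record = pbkdf2Store('correct horse battery staple');
echo $record, "\n";
var_dump(pbkdf2Verify('correct horse battery staple', $record));
var_dump(pbkdf2Verify('correct horse battery stapl3', $record));
```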

Page 31: Password (in)security

bcrypt

● http://bcrypt.sourceforge.net/

● bcrypt uses Blowfish cipher + iterations to generate secure hash values

● bcrypt is secure against brute force or dictionary attacks because it is slow, very slow (that means attacks need a huge amount of time to be completed)

Page 32: Password (in)security

bcrypt parameters

● The algorithm needs a salt value and a work factor parameter (cost), which allows you to determine how expensive the bcrypt function will be

● The cost value depends on the CPU speed, check on your system! I suggest setting it so that hashing takes at least 1 second.

Page 33: Password (in)security

bcrypt in PHP

● bcrypt is implemented in PHP with the crypt() function:

$salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);
$hash = crypt($password, '$2a$' . $cost . '$' . $salt);

● For instance, with $password = 'thisIsTheSecretPassword' and $salt = 'hsjYeg/bxn()%3jdhsGHq0':

aHNqWWVnL2J4bigpJTNqZGhzR0hxMA==$a9c810e9c722af719adabcf50db8a0b4cd0d14e07eddbb43e5f47bde620a3c13

Green= salt, Red= encrypted password
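Since PHP 5.5 the password_hash() family wraps the crypt() call shown above: it generates the salt itself and stores algorithm, cost and salt inside the hash string. The following added example (not from the talk) shows how that allows the work factor to be raised over time by rehashing at login; the function name login() and the cost values 10 and 12 are assumptions chosen for illustration.

```php
<?php
// Added example. $storedHash stands for the value loaded from the user
// table; costs 10 and 12 are illustrative, tune them by timing on your host.
function login(string $password, string &$storedHash, int $currentCost): bool
{
    // password_verify() reads algorithm, cost and salt from the hash itself
    // and compares in constant time.
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // The hash was created with a different (older, cheaper) cost: upgrade
    // it now, while the plaintext password is available.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        $storedHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $currentCost]);
        // A real application would write $storedHash back to the database here.
    }
    return true;
}

// Hash created some time ago with cost 10; the salt is generated internally.
$stored = password_hash('thisIsTheSecretPassword', PASSWORD_BCRYPT, ['cost' => 10]);
echo "before: $stored\n";

// The site has since raised its cost to 12; a successful login upgrades it.
$ok   = login('thisIsTheSecretPassword', $stored, 12);
$info = password_get_info($stored);
printf("login ok: %s, stored cost is now %d\n",
    var_export($ok, true), $info['options']['cost']);
echo "after:  $stored\n";

// A wrong password neither logs in nor changes the stored hash.
var_dump(login('wrongPassword', $stored, 12));
```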

Page 34: Password (in)security

scrypt

● http://www.tarsnap.com/scrypt.html

● scrypt is a sequential memory-hard algorithm:

  ● memory-hard functions require high memory

  ● cannot be parallelized efficiently

● scrypt uses PBKDF2, HMAC-SHA256, Salsa20/8 core

Page 35: Password (in)security

scrypt security

“From a test executed on modern (2009) hardware, if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against Pbkdf2.” Colin Percival (the author of scrypt algorithm)

Page 36: Password (in)security

Conclusion

● As user:

Use only “robust” passwords (e.g. a long pass phrase is better than a shorter random jumble of characters)

Don't use the same password for different services

● As developer:

Don't use hash or hash+salt to store a password!

Use hash+salt+stretching (PBKDF2), bcrypt or scrypt to store your passwords

Page 37: Password (in)security

References

● Colin Percival, Stronger Key Derivation via Sequential Memory-Hard Functions, presented at BSDCan'09, May 2009

● Morris, Robert, Thompson, Ken, Password Security: A Case History, Bell Laboratories, 2011

● Coda Hale, How to safely store a password, 2010, http://codahale.com/how-to-safely-store-a-password/

● J. Kelsey, B. Schneier, C. Hall, and D. Wagner, Secure Applications of Low-Entropy Keys, Information Security Workshop (ISW'97), 1997

● Marc Bevand, Whitepixel breaks 28.6 billion password/sec, http://blog.zorinaq.com/?e=42

● Andrew Zonenberg, Distributed Hash Cracker: A Cross-Platform GPU-Accelerated Password Recovery System, 2009

Page 38: Password (in)security

Thanks!

Contacts: [email protected]

@ezimuel