Password (in)security, how to generate and store passwords in a secure way

Transcript

1. Password (in)security
   How to generate and store passwords
   in a secure way
   by Enrico “cerin0” Zimuel
   

   View Slide

2. About me
   Enrico “cerin0” Zimuel
   Developer since Texas Instruments TI99/4A
   Research programmer, Informatics institute of UvA (Amsterdam)
   Core team of the open source project Zend Framework
   Co-author of the books “Segreti, Spie Codici Cifrati”, “Come si fa a
   usare la firma digitale”, “PHP Best Practices”
   Founder of the PHP User Group Torino
   http://www.zimuel.it
   1998
   

   View Slide

3. Password
   A password is a secret word or
   string of characters that is used for
   authentication.
   

   View Slide

4. User perspective:
   How to choose a “secure” password?
   Developer perspective:
   How to store a password in a secure way?
   

   View Slide

5. Password security
   Basically every security system
   is based on password.
   

   View Slide

6. When security fails...
   

   View Slide

7. linkedin.com
   Hack: 6th June 2012
   More than 6 million passwords
   was compromised
   SHA1 password
   

   View Slide

8. eharmony.com
   Hack: 6th June 2012
   More than 1.5 million passwords
   was compromised
   SHA1 password
   

   View Slide

9. last.fm
   Hack: 7th June 2012
   ? million passwords was
   compromised
   MD5 password
   

   View Slide

10. yahoo.com
    Hack: 12th June 2012
    443K passwords was compromised
    SQL injection, password in plaintext!
    

    View Slide

11. How to choose a “robust”
    user's password
    

    View Slide

12. View Slide

13. Some best practices:
    ●
    No personal information
    ●
    A long pass phrase is better than a shorter
    random jumble of characters
    ●
    At least 10 characters long
    ●
    Don't use the same password for everything
    ●
    Change your password from time to time
    

    View Slide

14. http://howsecureismypassword.net/
    

    View Slide

15. Developers
    Force the user to generate
    robust password
    

    View Slide

16. How to store a password in a
    secure way?
    Developers
    

    View Slide

17. Old school (deprecated)
    Use hash algorithms like
    MD5 or SHA1
    

    View Slide

18. New school (deprecated?)
    Use hash algorithm + salt
    (a random string).
    

    View Slide

19. Using hash + salt
    Prevent dictionary attacks? YES
    Prevent brute force attacks? NO
    

    View Slide

20. Brute forcing attacks
    CPU power is growing (multi-core)
    GPU are rendering password security
    useless
    Use a Cloud system (n-CPU)
    

    View Slide

21. Brute forcing with a GPU
    Source: www.nvidia.com
    

    View Slide

22. GPU and CUDA
    CUDA™ is a parallel computing
    platform and programming model
    invented by NVIDIA
    

    View Slide

23. Extreme GPU Bruteforcer
    using NVIDIA GTS250 ~ $100
    Source: http://www.insidepro.com/eng/egb.shtml
    Algorithm Speed 8 chars 9 chars 10 chars
    md5($pass) 426 million p/s 6 days 1 year 62 years
    md5($pass.$salt) 170 million p/s 14 days 2 ½ years 156 years
    sha1($pass) 85 million p/s 29 days 5 years 313 years
    sha1($pass.$salt) 80 million p/s 31 days 5 years 332 years
    Password of 62 characters (a-z, A-Z, 0-9)
    

    View Slide

24. IGHASHGPU
    ATI HD 5970 ~ $700
    Source: http://www.golubev.com/hashgpu.htm
    Algorithm Speed 8 chars 9 chars 10 chars
    md5($pass) 5600 million p/s 10 hours 27 days 4 ½ years
    sha1($pass) 2300 million p/s 26 hours 68 days 11 ½ years
    Password of 62 characters (a-z, A-Z, 0-9)
    

    View Slide

25. Whitepixel
    4 Dual HD 5970
    ~ $2800
    Source: http://blog.zorinaq.com/?e=42
    Algorithm Speed 8 chars 9 chars 10 chars
    md5($pass) 33 billion p/s 1 ½ hour 4 ½ days 294 days
    Password of 62 characters (a-z, A-Z, 0-9)
    

    View Slide

26. Secure algorithms for
    password storing
    ●
    Hash + salt + stretching (i.e. PBKDF2)
    ● bcrypt
    ● scrypt
    

    View Slide

27. Hash + salt + stretching
    ●
    Stretching = iterate (hash + salt) n-times
    key = ““
    for 1 to n­times do
    key = hash(key + password + salt)
    

    View Slide

28. How to estimate the
    number of iterations?
    ●
    The number of iterations depends on the CPU
    speed, should take around 1 sec to be considered
    secure
    ● For instance, this PHP code:
    $key='';
    for ($i=0;$i$key= hash('sha512',$key.$salt.$password);
    }
    runs in 900 ms with NUM_ITERATIONS= 40'000 using
    an Intel Core 2 at 2.1Ghz
    

    View Slide

29. PBKDF2
    ● PBKDF2 (Password-Based Key Derivation Function 2)
    is a key derivation function that is part of RSA
    Laboratories' Public-Key Cryptography Standards
    (PKCS) series, specifically PKCS #5 v2.0
    ● PBKDF2 applies a pseudorandom function, such as a
    cryptographic hash, cipher, or HMAC to the input password
    or passphrase along with a salt value and repeats the
    process many times to produce a derived key, which can
    then be used as a cryptographic key in subsequent
    operations
    

    View Slide

30. PBKDF2 in PHP
    PBKDF2 in PHP (Zend Framework 2.0)
    function calc($hash, $password, $salt, $iterations, $length) {
    $num = ceil($length / Hmac::getOutputSize($hash,
    Hmac::OUTPUT_BINARY));
    $result = '';
    for ($block = 1; $block <= $num; $block++) {
    $hmac = Hmac::compute($password, $hash, $salt . pack('N',
    $block), Hmac::OUTPUT_BINARY);
    $mix = $hmac;
    for ($i = 1; $i < $iterations; $i++) {
    $hmac = Hmac::compute($password, $hash, $hmac,
    Hmac::OUTPUT_BINARY);
    $mix ^= $hmac;
    }
    $result .= $mix;
    }
    return substr($result, 0, $length);
    }
    

    View Slide

31. bcrypt
    ● http://bcrypt.sourceforge.net/
    ● bcrypt uses Blowfish cipher + iterations to generate
    secure hash values
    ● bcrypt is secure against brute force or dictionary
    attacks because is slow, very slow (that means attacks
    need huge amount of time to be completed)
    

    View Slide

32. bcrypt parameters
    ● The algorithm needs a salt value and a work factor
    parameter (cost), which allows you to determine
    how expensive the bcrypt function will be
    ● The cost value depends on the CPU speed, check
    on your system! I suggest to set at least 1 second.
    

    View Slide

33. bcrypt in PHP
    ●
    bcrypt is implemented in PHP with the crypt()
    function:
    $salt = substr(str_replace('+', '.',
    base64_encode($salt)), 0, 22);
    $hash = crypt($password,'$2a$'.$cost.'$'.$salt);
    ●
    For instance, $password= 'thisIsTheSecretPassword' and
    $salt= 'hsjYeg/bxn()%3jdhsGHq0'
    aHNqWWVnL2J4bigpJTNqZGhzR0hxMA==$a9c810e9c722af719adabcf50d
    b8a0b4cd0d14e07eddbb43e5f47bde620a3c13
    Green= salt, Red= encrypted password
    

    View Slide

34. scrypt
    ●
    http://www.tarsnap.com/scrypt.html
    ●
    scrypt is a sequential memory hard algorithm:
    ●
    memory-hard functions require high memory
    ●
    cannot be parallelized efficiently
    ●
    scrypt uses PBKDF2, HMAC-SHA256, Salsa 20/8 core
    

    View Slide

35. scrypt security
    “From a test executed on modern (2009) hardware,
    if 5 seconds are spent computing a derived key, the
    cost of a hardware brute-force attack against scrypt
    is roughly 4000 times greater than the cost of a
    similar attack against bcrypt (to find the same
    password), and 20000 times greater than a similar
    attack against Pbkdf2."
    Colin Percival
    (the author of scrypt algorithm)
    

    View Slide

36. Conclusion
    ●
    As user:
    Use only “robust” password (e.g. long pass phrase is
    better than a shorter random jumble of characters)
    Don't use the same password for different services
    ●
    As developer:
    Don't use hash or hash+salt to store a password!
    Use hash+salt+stretching (PBKDF2), bcrypt or scrypt
    to store your passwords
    

    View Slide

37. References
    ●
    Colin Percival, Stronger Key Derivation via Sequential
    Memory-Hard Functions, presented at BSDCan'09, May 2009
    ●
    Morris, Robert, Thompson, Ken, Password Security: A Case
    History, Bell Laboratories, 2011
    ●
    Coda Hale, How to safely store a password, 2010
    http://codahale.com/how-to-safely-store-a-password/
    ●
    J. Kelsey, B. Schneier, C. Hall, and D. Wagner, Secure
    Applications of Low-Entropy Keys, nformation Security
    Workshop (ISW'97), 1997
    ●
    Marc Bevand, Whitepixel breaks 28.6 billion password/sec
    http://blog.zorinaq.com/?e=42
    ●
    Andrew Zonenberg, Distributed Hash Cracker: A Cross-
    Platform GPU-Accelerated Password Recovery System, 2009
    

    View Slide

38. Thanks!
    Contacts:
    [email protected]
    @ezimuel
    

    View Slide