Password (in)security, how to generate and store passwords in a secure way

Transcript

1. Password (in)security How to generate and store passwords in a

   secure way by Enrico “cerin0” Zimuel

2. About me Enrico “cerin0” Zimuel Developer since Texas Instruments TI99/4A

   Research programmer, Informatics institute of UvA (Amsterdam) Core team of the open source project Zend Framework Co-author of the books “Segreti, Spie Codici Cifrati”, “Come si fa a usare la firma digitale”, “PHP Best Practices” Founder of the PHP User Group Torino http://www.zimuel.it 1998

3. Password A password is a secret word or string of

   characters that is used for authentication.

4. User perspective: How to choose a “secure” password? Developer perspective:

   How to store a password in a secure way?

5. Password security Basically every security system is based on password.

6. When security fails...

7. linkedin.com Hack: 6th June 2012 More than 6 million passwords

   was compromised SHA1 password

8. eharmony.com Hack: 6th June 2012 More than 1.5 million passwords

   was compromised SHA1 password

9. last.fm Hack: 7th June 2012 ? million passwords was compromised

   MD5 password

10. yahoo.com Hack: 12th June 2012 443K passwords was compromised SQL

    injection, password in plaintext!

11. How to choose a “robust” user's password

12. None

13. Some best practices: • No personal information • A long

    pass phrase is better than a shorter random jumble of characters • At least 10 characters long • Don't use the same password for everything • Change your password from time to time

14. http://howsecureismypassword.net/

15. Developers Force the user to generate robust password

16. How to store a password in a secure way? Developers

17. Old school (deprecated) Use hash algorithms like MD5 or SHA1

18. New school (deprecated?) Use hash algorithm + salt (a random

    string).

19. Using hash + salt Prevent dictionary attacks? YES Prevent brute

    force attacks? NO

20. Brute forcing attacks CPU power is growing (multi-core) GPU are

    rendering password security useless Use a Cloud system (n-CPU)

21. Brute forcing with a GPU Source: www.nvidia.com

22. GPU and CUDA CUDA™ is a parallel computing platform and

    programming model invented by NVIDIA

23. Extreme GPU Bruteforcer using NVIDIA GTS250 ~ $100 Source: http://www.insidepro.com/eng/egb.shtml

    Algorithm Speed 8 chars 9 chars 10 chars md5($pass) 426 million p/s 6 days 1 year 62 years md5($pass.$salt) 170 million p/s 14 days 2 ½ years 156 years sha1($pass) 85 million p/s 29 days 5 years 313 years sha1($pass.$salt) 80 million p/s 31 days 5 years 332 years Password of 62 characters (a-z, A-Z, 0-9)

24. IGHASHGPU ATI HD 5970 ~ $700 Source: http://www.golubev.com/hashgpu.htm Algorithm Speed

    8 chars 9 chars 10 chars md5($pass) 5600 million p/s 10 hours 27 days 4 ½ years sha1($pass) 2300 million p/s 26 hours 68 days 11 ½ years Password of 62 characters (a-z, A-Z, 0-9)

25. Whitepixel 4 Dual HD 5970 ~ $2800 Source: http://blog.zorinaq.com/?e=42 Algorithm

    Speed 8 chars 9 chars 10 chars md5($pass) 33 billion p/s 1 ½ hour 4 ½ days 294 days Password of 62 characters (a-z, A-Z, 0-9)

26. Secure algorithms for password storing • Hash + salt +

    stretching (i.e. PBKDF2) • bcrypt • scrypt

27. Hash + salt + stretching • Stretching = iterate (hash

    + salt) n-times key = ““ for 1 to n­times do key = hash(key + password + salt)

28. How to estimate the number of iterations? • The number

    of iterations depends on the CPU speed, should take around 1 sec to be considered secure • For instance, this PHP code: <?php $key=''; for ($i=0;$i<NUM_ITERATIONS;$i++) { $key= hash('sha512',$key.$salt.$password); } runs in 900 ms with NUM_ITERATIONS= 40'000 using an Intel Core 2 at 2.1Ghz

29. PBKDF2 • PBKDF2 (Password-Based Key Derivation Function 2) is a

    key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0 • PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations

30. PBKDF2 in PHP PBKDF2 in PHP (Zend Framework 2.0) function

    calc($hash, $password, $salt, $iterations, $length) { $num = ceil($length / Hmac::getOutputSize($hash, Hmac::OUTPUT_BINARY)); $result = ''; for ($block = 1; $block <= $num; $block++) { $hmac = Hmac::compute($password, $hash, $salt . pack('N', $block), Hmac::OUTPUT_BINARY); $mix = $hmac; for ($i = 1; $i < $iterations; $i++) { $hmac = Hmac::compute($password, $hash, $hmac, Hmac::OUTPUT_BINARY); $mix ^= $hmac; } $result .= $mix; } return substr($result, 0, $length); }

31. bcrypt • http://bcrypt.sourceforge.net/ • bcrypt uses Blowfish cipher + iterations

    to generate secure hash values • bcrypt is secure against brute force or dictionary attacks because is slow, very slow (that means attacks need huge amount of time to be completed)

32. bcrypt parameters • The algorithm needs a salt value and

    a work factor parameter (cost), which allows you to determine how expensive the bcrypt function will be • The cost value depends on the CPU speed, check on your system! I suggest to set at least 1 second.

33. bcrypt in PHP • bcrypt is implemented in PHP with

    the crypt() function: $salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22); $hash = crypt($password,'$2a$'.$cost.'$'.$salt); • For instance, $password= 'thisIsTheSecretPassword' and $salt= 'hsjYeg/bxn()%3jdhsGHq0' aHNqWWVnL2J4bigpJTNqZGhzR0hxMA==$a9c810e9c722af719adabcf50d b8a0b4cd0d14e07eddbb43e5f47bde620a3c13 Green= salt, Red= encrypted password

34. scrypt • http://www.tarsnap.com/scrypt.html • scrypt is a sequential memory hard

    algorithm: • memory-hard functions require high memory • cannot be parallelized efficiently • scrypt uses PBKDF2, HMAC-SHA256, Salsa 20/8 core

35. scrypt security “From a test executed on modern (2009) hardware,

    if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against Pbkdf2." Colin Percival (the author of scrypt algorithm)

36. Conclusion • As user: Use only “robust” password (e.g. long

    pass phrase is better than a shorter random jumble of characters) Don't use the same password for different services • As developer: Don't use hash or hash+salt to store a password! Use hash+salt+stretching (PBKDF2), bcrypt or scrypt to store your passwords

37. References • Colin Percival, Stronger Key Derivation via Sequential Memory-Hard

    Functions, presented at BSDCan'09, May 2009 • Morris, Robert, Thompson, Ken, Password Security: A Case History, Bell Laboratories, 2011 • Coda Hale, How to safely store a password, 2010 http://codahale.com/how-to-safely-store-a-password/ • J. Kelsey, B. Schneier, C. Hall, and D. Wagner, Secure Applications of Low-Entropy Keys, nformation Security Workshop (ISW'97), 1997 • Marc Bevand, Whitepixel breaks 28.6 billion password/sec http://blog.zorinaq.com/?e=42 • Andrew Zonenberg, Distributed Hash Cracker: A Cross- Platform GPU-Accelerated Password Recovery System, 2009

38. Thanks! Contacts: [email protected] @ezimuel