Hash Functions and how not to use them

DPC 2015-06-26

Nathaniel McHugh

June 26, 2015

Transcript

  1. Hash Functions
    And how not to use them
    @natmchugh

  3. Advice
    Don’t use MD5
    Don’t use SHA1
    Don’t use cryptographic hash functions
    Don’t use any cryptographic primitives

  5. Some Hash Functions
    • SHA1
    • SHA2
    • MD5
    • RIPEMD
    • TIGER
    • Whirlpool
    • HAVAL
    • GOST
    • CRC
    • City Hash
    • Joaat

  6. Cryptographic Hash Functions
    1. Pre-image resistance (one way): given a hash, cannot find an m that produces it
    2. Second pre-image resistance (weak collision resistance): given m1, cannot find m2 ≠ m1 with the same hash
    3. Collision resistance: cannot find any pair m1 ≠ m2 with the same hash

  7. What are crypto hash functions used for?
    • Password storage
    • Duplicate data detection
    • Git
    • Cryptocurrencies
    • Digital signatures
    • MAC

  8. Stolen from: https://www.coursera.org/course/crypto

  9. MD4 in detail
    MD4 ("") = 31d6cfe0d16ae931b73c59d7e0c089c0
    a = 0x67452301
    b = 0xefcdab89
    c = 0x98badcfe
    d = 0x10325476
    F(b, c, d) = (((c ^ d) & b) ^ d)
    ...
    a = 0x31d6cfe0
    b = 0xd16ae931
    c = 0xb73c59d7
    d = 0xe0c089c0

  10. MAC

  11. MAC from hash functions
    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
    plainText = 'user=nat\x0c…\x00&admin=true'
    http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-forgery.html
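As an added example (not the deck's own code), a compact MD4 built from the IV, F function and padding shown on slide 9, with the state-resume that explains slide 11's HASH(key || message) forgery: the digest is nothing but the final (a, b, c, d), so anyone holding it can keep hashing from that state without the key, which is why the HMAC construction on the next slide exists. G, H, the round constants and shifts are taken from RFC 1320; the secret, message and suffix used in the check are constructed values.

```python
import struct

# Added example (not the deck's code): a compact MD4 built from the IV, F and
# padding shown on slide 9. G, H, round constants and shifts are from RFC 1320.
MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
ROUND2 = [(i % 4) * 4 + i // 4 for i in range(16)]          # 0,4,8,12,1,5,9,...
ROUND3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def F(b, c, d): return ((c ^ d) & b) ^ d            # slide's form of (b & c) | (~b & d)
def G(b, c, d): return (b & c) | (b & d) | (c & d)
def H(b, c, d): return b ^ c ^ d

def md4_pad(total_len):
    """Bytes MD4 appends to a total_len-byte message: 0x80, zeros, 64-bit LE bit count."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)

def md4(msg, state=IV, prior_len=0):
    """Hex MD4 of msg. state/prior_len let hashing resume from a known chaining
    value as if prior_len bytes (a multiple of 64) had already been absorbed."""
    a, b, c, d = state
    data = msg + md4_pad(prior_len + len(msg))
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in ((F, 0, range(16), (3, 7, 11, 19)),
                                    (G, 0x5A827999, ROUND2, (3, 5, 9, 13)),
                                    (H, 0x6ED9EBA1, ROUND3, (3, 9, 11, 15))):
            for i, j in enumerate(order):
                a = rotl((a + f(b, c, d) + X[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c                     # rotate registers
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d).hex()             # digest == final state

def state_from_digest(hexdigest):
    """The digest is just the final (a, b, c, d); anyone can read it back."""
    return struct.unpack("<4I", bytes.fromhex(hexdigest))

def extend(digest, known_len, suffix):
    """Why HASH(key || message) fails (slide 11): from MD4(key || msg) and the length
    of key || msg alone, compute MD4(key || msg || glue || suffix) with no key.
    Returns (new_digest, glue); a prefix-MAC verifier accepts new_digest for
    msg || glue || suffix. HMAC is immune because the key is applied again outside."""
    glue = md4_pad(known_len)
    return md4(suffix, state_from_digest(digest), known_len + len(glue)), glue
```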

  12. HMAC
    hash_hmac ($algo, $data, $key);
    HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m))

  13. Password Storage
    • Different Security Criteria
    • Needs a special construction, e.g. a KDF with salt and iterations
    $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
    3 choices: bcrypt, scrypt & PBKDF2
    But please just use a library

  14. Comparing Hashes
    var_dump(
    md5('240610708') == md5('QNKCDZO'),
    md5('240610708'),
    md5('QNKCDZO')
    );
    bool(true)
    string(32) "0e462097431906509019562988736854"
    string(32) "0e830400451993494058024219903391"

  15. Comparing Hashes
    p = 1 / 255 * (100 / 255) ^ 15 ≈ 3 * 10^-9
    var_dump('0e462097431906509019562988736854' == '0e830400451993494058024219903391');

  16. Magic Hashes
    Algo.  Plain text          Hash
    MD5    240610708           0e462097431906509019562988736854
    MD5    QNKCDZO             0e830400451993494058024219903391
    MD5    Password147186970!  0e153958235710973524115407854157
    SHA1   aaroZmOk            0e66507019969427134894567494305185566735

  17. Comparing Hashes
    Solution:
    • Use hash_equals() (PHP ≥ 5.6)
    • Use ===
    • Use strcmp()
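As an added example (not the deck's own code), a simplified Python model of PHP's `==` on two strings, enough to reproduce the "magic hash" comparisons on slides 14 to 16, beside the strict, constant-time check that slide 17 recommends. The probability function is the per-nibble form of slide 15's estimate and agrees with it at roughly 3 * 10^-9; the login helpers are constructed to show the vulnerable and the fixed pattern side by side.

```python
import hashlib
import hmac
import re

# Added example (not the deck's code): a simplified model of PHP's `==` on two strings
# (enough to reproduce slides 14-16), a check for "magic" digests, and the strict,
# constant-time comparison that slide 17 recommends.
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def php_loose_eq(x: str, y: str) -> bool:
    """Two numeric strings compare as numbers: '0e<digits>' is 0 * 10^n, i.e. 0.0."""
    if NUMERIC.match(x) and NUMERIC.match(y):
        return float(x) == float(y)
    return x == y

def is_magic_hex(digest: str) -> bool:
    """A hex digest PHP reads as zero: '0e' followed by decimal digits only."""
    return re.fullmatch(r"0e[0-9]+", digest) is not None

def magic_probability(hex_len: int = 32) -> float:
    """Per-nibble form of slide 15's estimate: '0', 'e', then hex_len - 2 digits."""
    return (1 / 16) ** 2 * (10 / 16) ** (hex_len - 2)

def safe_eq(expected: str, supplied: str) -> bool:
    """What === / hash_equals() give: same type, same bytes, constant time."""
    return hmac.compare_digest(expected.encode(), supplied.encode())

def check_login_loose(stored_md5: str, password: str) -> bool:
    """Vulnerable pattern: md5($password) == $stored."""
    return php_loose_eq(md5_hex(password), stored_md5)

def check_login_strict(stored_md5: str, password: str) -> bool:
    """Fixed pattern: hash_equals($stored, md5($password))."""
    return safe_eq(stored_md5, md5_hex(password))
```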

  18. Bcrypt & Null Bytes
    • crypt() uses ordinary C null-terminated strings
    • Passwords won’t normally contain a null byte
    • If combined with another hash’s raw output, they may

  19. Bcrypt Example
    $hash = md5(168, true);
    $superHash = password_hash(
    $hash,
    PASSWORD_DEFAULT
    );
    var_dump($hash);
    var_dump(password_verify(md5(363, true), $superHash));
    var_dump(password_verify('', $superHash));
    string(32) "006f52e9102a8d3be2fe5614f42ba989"
    bool(true)
    bool(true)

  20. Bcrypt Null Bytes
    • Never feed binary data to bcrypt
    • Don’t use multiple hash functions
    • If you must feed crypt the output of another hash, use hex or base64
    Starts with \0: p = 1 / 255 = 0.0039
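As an added example (not the deck's own code), a model of what a C-string based crypt()/bcrypt actually receives when handed raw digest bytes, reproducing the md5(168, true) case from slide 19 and the hex/base64 pre-encoding fix from slide 20. No bcrypt library is involved: as_c_string models only the null-termination behaviour the slides describe, and the integer inputs are constructed.

```python
import base64
import hashlib

# Added example (not the deck's code): what a null-terminated crypt()/bcrypt sees when
# given raw digest bytes (slide 19), and the encode-first fix from slide 20.

def raw_md5(n: int) -> bytes:
    """Raw 16-byte digest of the decimal string, like PHP's md5($n, true)."""
    return hashlib.md5(str(n).encode()).digest()

def as_c_string(pw: bytes) -> bytes:
    """A null-terminated API keeps only the bytes before the first \\x00."""
    return pw.split(b"\x00", 1)[0]

def null_prefixed(limit: int) -> list:
    """Inputs below limit whose raw MD5 starts with \\x00: crypt() sees '' for all."""
    return [n for n in range(limit) if raw_md5(n)[0] == 0]

def crypt_view_groups(limit: int) -> dict:
    """Group inputs by the password crypt() would really hash; any group with more
    than one member means password_verify() accepts one member for the other."""
    groups = {}
    for n in range(limit):
        groups.setdefault(as_c_string(raw_md5(n)), []).append(n)
    return {seen: ns for seen, ns in groups.items() if len(ns) > 1}

def prehash_hex(pw: bytes) -> bytes:
    """Slide 20's fix: hex never contains \\x00 (32 chars also stays under bcrypt's 72)."""
    return hashlib.md5(pw).hexdigest().encode()

def prehash_b64(pw: bytes) -> bytes:
    """Alternative fix from slide 20: base64 is also null-free."""
    return base64.b64encode(hashlib.md5(pw).digest())
```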

  21. Collisions

  22. Collisions
    When H(m1) = H(m2) and m1 ≠ m2
    Plenty in MD4, MD5, SHA0
    None in SHA1, SHA2
    What they enable: forging signatures, distributing files with different behaviours, "predicting the future"
    What they do not break: HMAC, pre-image resistance

  23. Brute Force
    n ≈ √(-2 · ln(1 - p)) · √d
    If p = 0.5 then n ≈ 1.177 · √d
    √365 ≈ 19
    √(2^128) = 2^64
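As an added example (not the deck's own code), the birthday estimate from slide 23 evaluated for the deck's own numbers (365 and 2^128), its inverse, and an empirical check: hashing constructed random inputs and keeping only a few bits of MD5 makes a collision cheap enough to measure, and the mean count to the first repeat comes out near 1.25 · √d, in line with the 1.177 · √d for a 50% chance.

```python
import hashlib
import math
import random

# Added example (not the deck's code): slide 23's birthday bound for the deck's numbers,
# plus an empirical run on MD5 truncated to `bits`, where d = 2**bits and a collision
# is cheap (mean first-collision count is about 1.25 * sqrt(d)).

def birthday_n(d: float, p: float = 0.5) -> float:
    """n ≈ sqrt(-2 ln(1 - p)) * sqrt(d): samples for a collision with probability p."""
    return math.sqrt(-2.0 * math.log(1.0 - p)) * math.sqrt(d)

def collision_p(n: float, d: float) -> float:
    """Inverse form: probability of at least one collision among n samples of d values."""
    return 1.0 - math.exp(-n * n / (2.0 * d))

def trials_until_collision(bits: int, rng: random.Random) -> int:
    """Hash random inputs, keep `bits` of MD5, count hashes until the first repeat."""
    seen = set()
    while True:
        x = rng.getrandbits(64).to_bytes(8, "little")        # constructed random input
        tag = int.from_bytes(hashlib.md5(x).digest(), "little") & ((1 << bits) - 1)
        if tag in seen:
            return len(seen) + 1
        seen.add(tag)

def mean_trials(bits: int, runs: int = 100, seed: int = 1) -> float:
    """Average first-collision count over `runs` independent experiments."""
    rng = random.Random(seed)
    return sum(trials_until_collision(bits, rng) for _ in range(runs)) / runs
```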

  24. Wang Attack
    1. Start with a random message
    2. Create another message M’ with small differences
    3. Modify the message so that certain bitwise conditions hold in the intermediate state
    4. Test for a collision; if not found, go to 1

  25. Wang MD4
    ΔM = M − M’ = (Δm0, Δm1, …, Δm15)
    Δm1 = 2^31, Δm2 = 2^31 − 2^28, Δm12 = −2^16

  26. Demo

  27. Chosen Prefix Collision

  28. Flame
    • Collision in X509 Certificate
    • TSL certificate issued with no restrictions, therefore anyone could sign code
    • Did not work on Vista or Windows 7
    Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf

  29. Links
    • http://cryptopals.com/
    • https://github.com/natmchugh/longEgg
    • https://marc-stevens.nl/research/
    • http://natmchugh.blogspot.co.uk/
    • http://www.win.tue.nl/hashclash/rogue-ca/
