Hash Functions and how not to use them

Transcript

1. Hash Functions
   And how not to use them
   @natmchugh
   

   View Slide

2. View Slide

3. Advice
   Don’t use MD5
   Don’t use SHA1
   Don’t use cryptographic hash functions
   Don’t use any cryptographic primitives
   

   View Slide

4. View Slide

5. Some Hash Functions
   • SHA1
   • SHA2
   • MD5
   • RIPEMD
   • TIGER
   • Whirpool
   • HAVAL
   • GOST
   • CRC
   • City Hash
   • Joaat
   

   View Slide

6. Cryptographic Hash
   Functions
   1.Pre image resistance (one way) given hash
   cannot find m
   2.Second pre-image resistance (weak collision
   resistance)
   3.Collision resistance
   

   View Slide

7. What are crypto hash
   functions used for?
   • Password storage
   • Duplicate Data detection
   • Git
   • Crypto currencies
   • Digital Signatures
   • MAC
   

   View Slide

8. Stolen from: https://www.coursera.org/course/crypto
   

   View Slide

9. MD4 in detail
   MD4 ("") = 31d6cfe0d16ae931b73c59d7e0c089c0
   a = 0x67452301
   b = 0xefcdab89
   c = 0x98badcfe
   d = 0x10325476
   F(b, c, d) = (((c ^ d) & b) ^ d)
   ...
   a = 0x31d6cfe0
   b = 0xd16ae931
   c = 0xb73c59d7
   d = 0xe0c089c0
   

   View Slide

10. MAC
    

    View Slide

11. MAC from hash functions
    HASH(key || message)
    HASH(key|| orig-message || padding || new-message)
    plainText = ‘user=nat\x0c…\x00&admin=true'
    http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-
    forgery.html
    

    View Slide

12. HMAC
    hash_hmac ($algo, $data, $key);
    HMAC(K, m) = H ( (K ^opad) | H((K ^ ipad) | m))
    

    View Slide

13. Password Storage
    • Different Security Criteria
    • Needs special construction e.g. KDF, salt and
    iterations
    $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
    3 choices bcrypt, scrypt & PBKDF2
    But please just use a library
    

    View Slide

14. Comparing Hashes
    var_dump(
    md5('240610708') == md5('QNKCDZO'),
    md5('240610708'),
    md5('QNKCDZO')
    );
    bool(true)
    string(32) "0e462097431906509019562988736854"
    string(32) "0e830400451993494058024219903391"
    

    View Slide

15. Comparing Hashes
    p = 1 / 255 * (100 / 255) ^ 15= 3 * 10 ^ -9
    var_dump('0e462097431906509019562988736854' ==
    '0e830400451993494058024219903391');
    

    View Slide

16. Magic Hashes
    Algo. Plain Text Hash
    MD5 240610708 0e462097431906509019562988736854
    MD5 QNKCDZO 0e830400451993494058024219903391
    MD5 Password147186970! 0e153958235710973524115407854157
    SHA1 aaroZmOk
    0e665070199694271348945674943051855
    66735
    

    View Slide

17. Comparing Hashes
    Solution:
    • Use hash_equals > php 5.6
    • Use ===
    • Use strcmp()
    

    View Slide

18. Bcrypt & Null Bytes
    • crypt uses common C null-terminated string
    • Passwords won’t contain null byte
    • If combined with another hash then may have
    

    View Slide

19. Bcrypt Example
    $hash = md5(168, true);
    $superHash = password_hash(
    $hash,
    PASSWORD_DEFAULT
    );
    var_dump($hash);
    var_dump(password_verify(md5(363, true), $superHash));
    var_dump(password_verify('', $superHash));
    string(32) "006f52e9102a8d3be2fe5614f42ba989"
    bool(true)
    bool(true)
    

    View Slide

20. Bcrypt Null Bytes
    • Never feed binary data to bcrypt
    • Don’t use multiple hash functions
    • If you must feed crypt output of another hash use hex or
    base64
    Starts with \0 p =1 / 255 = 0.0039
    

    View Slide

21. Collisions
    

    View Slide

22. Collisions
    When H(m1) = H(m2) and m1≠m2
    Plenty in MD4, MD5, SHA0
    None in SHA1, SHA2
    Forge Signatures, distribute files different behaviours,
    predict future not HMAC not pre-image
    

    View Slide

23. Brute Force
    n ≈ √(-2 * ln(1-p) * √d
    If p=0.5 then n= 1.177 * √d
    √365 = 19
    √(2^128) = 2^64
    

    View Slide

24. Wang Attack
    1.Start with random message
    2.Create another message M’ with small diffs
    3.Modify message so that certain bitwise
    conditions hold in intermediate state
    4.Test for collision if not found go to 1
    

    View Slide

25. Wang MD4
    M = M − M’ = (Δm0, Δm1, ......, Δm15)
    Δm1 = 231, Δm2 = 2^31 − 228, Δm12 = −216
    

    View Slide

26. Demo
    

    View Slide

27. Chosen Prefix Collision
    

    View Slide

28. Flame
    • Collision in X509 Certificate
    • TSL certificate issued with no restrictions
    therefore anyone could sign code
    • Did not work on Vista or Windows 7
    Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf
    

    View Slide

29. Links
    • http://cryptopals.com/
    • https://github.com/natmchugh/longEgg
    • https://marc-stevens.nl/research/
    • http://natmchugh.blogspot.co.uk/
    • http://www.win.tue.nl/hashclash/rogue-ca/
    

    View Slide