Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hash Functions and how not to use them

Hash Functions and how not to use them

DPC 2015-06-26

Nathaniel McHugh

June 26, 2015
Tweet

More Decks by Nathaniel McHugh

Other Decks in Technology

Transcript

  1. Hash Functions And how not to use them @natmchugh

  2. None
  3. Advice Don’t use MD5 Don’t use SHA1 Don’t use cryptographic

    hash functions Don’t use any cryptographic primitives
  4. None
  5. Some Hash Functions • SHA1 • SHA2 • MD5 •

    RIPEMD • TIGER • Whirpool • HAVAL • GOST • CRC • City Hash • Joaat
  6. Cryptographic Hash Functions 1.Pre image resistance (one way) given hash

    cannot find m 2.Second pre-image resistance (weak collision resistance) 3.Collision resistance
  7. What are crypto hash functions used for? • Password storage

    • Duplicate Data detection • Git • Crypto currencies • Digital Signatures • MAC
  8. Stolen from: https://www.coursera.org/course/crypto

  9. MD4 in detail MD4 ("") = 31d6cfe0d16ae931b73c59d7e0c089c0 a = 0x67452301

    b = 0xefcdab89 c = 0x98badcfe d = 0x10325476 F(b, c, d) = (((c ^ d) & b) ^ d) ... a = 0x31d6cfe0 b = 0xd16ae931 c = 0xb73c59d7 d = 0xe0c089c0
  10. MAC

  11. MAC from hash functions HASH(key || message) HASH(key|| orig-message ||

    padding || new-message) plainText = ‘user=nat\x0c…\x00&admin=true' http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature- forgery.html
  12. HMAC hash_hmac ($algo, $data, $key); HMAC(K, m) = H (

    (K ^opad) | H((K ^ ipad) | m))
  13. Password Storage • Different Security Criteria • Needs special construction

    e.g. KDF, salt and iterations $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a 3 choices bcrypt, scrypt & PBKDF2 But please just use a library
  14. Comparing Hashes <?php var_dump( md5('240610708') == md5('QNKCDZO'), md5('240610708'), md5('QNKCDZO') );

    bool(true) string(32) "0e462097431906509019562988736854" string(32) "0e830400451993494058024219903391"
  15. Comparing Hashes p = 1 / 255 * (100 /

    255) ^ 15= 3 * 10 ^ -9 var_dump('0e462097431906509019562988736854' == '0e830400451993494058024219903391');
  16. Magic Hashes Algo. Plain Text Hash MD5 240610708 0e462097431906509019562988736854 MD5

    QNKCDZO 0e830400451993494058024219903391 MD5 Password147186970! 0e153958235710973524115407854157 SHA1 aaroZmOk 0e665070199694271348945674943051855 66735
  17. Comparing Hashes Solution: • Use hash_equals > php 5.6 •

    Use === • Use strcmp()
  18. Bcrypt & Null Bytes • crypt uses common C null-terminated

    string • Passwords won’t contain null byte • If combined with another hash then may have
  19. Bcrypt Example <?php $hash = md5(168, true); $superHash = password_hash(

    $hash, PASSWORD_DEFAULT ); var_dump($hash); var_dump(password_verify(md5(363, true), $superHash)); var_dump(password_verify('', $superHash)); string(32) "006f52e9102a8d3be2fe5614f42ba989" bool(true) bool(true)
  20. Bcrypt Null Bytes • Never feed binary data to bcrypt

    • Don’t use multiple hash functions • If you must feed crypt output of another hash use hex or base64 Starts with \0 p =1 / 255 = 0.0039
  21. Collisions

  22. Collisions When H(m1) = H(m2) and m1≠m2 Plenty in MD4,

    MD5, SHA0 None in SHA1, SHA2 Forge Signatures, distribute files different behaviours, predict future not HMAC not pre-image
  23. Brute Force n ≈ √(-2 * ln(1-p) * √d If

    p=0.5 then n= 1.177 * √d √365 = 19 √(2^128) = 2^64
  24. Wang Attack 1.Start with random message 2.Create another message M’

    with small diffs 3.Modify message so that certain bitwise conditions hold in intermediate state 4.Test for collision if not found go to 1
  25. Wang MD4 M = M − M’ = (Δm0, Δm1,

    ......, Δm15) Δm1 = 231, Δm2 = 2^31 − 228, Δm12 = −216
  26. Demo

  27. Chosen Prefix Collision

  28. Flame • Collision in X509 Certificate • TSL certificate issued

    with no restrictions therefore anyone could sign code • Did not work on Vista or Windows 7 Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf
  29. Links • http://cryptopals.com/ • https://github.com/natmchugh/longEgg • https://marc-stevens.nl/research/ • http://natmchugh.blogspot.co.uk/ •

    http://www.win.tue.nl/hashclash/rogue-ca/