
Hash Functions and how not to use them

DPC 2015-06-26

Nathaniel McHugh

June 26, 2015

Transcript

  1. Advice
     Don’t use MD5
     Don’t use SHA1
     Don’t use cryptographic hash functions
     Don’t use any cryptographic primitives
  2. Some Hash Functions
     • SHA1 • SHA2 • MD5 • RIPEMD • TIGER • Whirlpool • HAVAL • GOST • CRC • City Hash • Joaat
  3. Cryptographic Hash Functions
     1. Pre-image resistance (one way): given a hash, cannot find m
     2. Second pre-image resistance (weak collision resistance)
     3. Collision resistance
  4. What are crypto hash functions used for?
     • Password storage • Duplicate data detection • Git • Crypto currencies • Digital signatures • MAC
  5. MD4 in detail
     MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0
     a = 0x67452301  b = 0xefcdab89  c = 0x98badcfe  d = 0x10325476
     F(b, c, d) = (((c ^ d) & b) ^ d)
     ...
     a = 0x31d6cfe0  b = 0xd16ae931  c = 0xb73c59d7  d = 0xe0c089c0
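Slide 5 shows the initial state, the round-1 boolean function and the final state of MD4 on the empty message. The following pure-Python MD4 is an added example (not the speaker's code) that implements the algorithm as specified in RFC 1320, starting from the same constants and the same F, so the digest printed for the empty string can be checked against the slide; the function names md4, md4_pad and md4_compress are my own.

```python
import struct

MASK32 = 0xFFFFFFFF


def rotl(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK32


# Round functions. F is written exactly as on the slide: it selects
# the bits of c where b is 1 and the bits of d where b is 0.
def F(b, c, d):
    return ((c ^ d) & b) ^ d


def G(b, c, d):
    return (b & c) | (b & d) | (c & d)


def H(b, c, d):
    return b ^ c ^ d


def md4_pad(message):
    """Merkle-Damgard padding: a 0x80 byte, zeros up to 56 mod 64,
    then the message length in bits as a 64-bit little-endian integer.
    This padding is also what the "padding" in slide 7 refers to."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)


def md4_compress(state, block):
    """Run one 64-byte block through the three MD4 rounds (48 steps)."""
    a, b, c, d = state
    X = struct.unpack("<16I", block)
    # Round 1: message words in order, shifts 3,7,11,19, no constant
    for i in range(16):
        a = rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: words 0,4,8,12,1,5,... with constant 0x5A827999
    for i in range(16):
        k = (i % 4) * 4 + i // 4
        a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: bit-reversed word order with constant 0x6ED9EBA1
    order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):
        a = rotl((a + H(b, c, d) + X[order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    # Feed-forward: add the block result to the incoming state
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


def md4(message):
    """MD4 hex digest of a byte string."""
    # Initial state a, b, c, d as on the slide
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    padded = md4_pad(message)
    for off in range(0, len(padded), 64):
        state = md4_compress(state, padded[off:off + 64])
    # Registers are serialised little-endian, so the final register values
    # appear byte-reversed in the hex string (the slide prints the bytes).
    return struct.pack("<4I", *state).hex()


if __name__ == "__main__":
    print(md4(b""))  # 31d6cfe0d16ae931b73c59d7e0c089c0, as on the slide
```

The empty message is a single padded block (0x80 followed by 55 zero bytes and an all-zero length field), which is why the slide can present the whole computation as one pass through the three rounds.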
  6. MAC

  7. MAC from hash functions
     HASH(key || message)
     HASH(key || orig-message || padding || new-message)
     plainText = 'user=nat\x0c…\x00&admin=true'
     http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-forgery.html
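Slide 7 names two weaknesses of a home-made MAC: HASH(key || message) can be extended because the digest of an iterated hash is just its internal state after the padded message, and signing a bare concatenation of parameter values lets an attacker smuggle a separator into one value. The following is an added example (not the speaker's or Flickr's code) showing the defensive construction a practitioner should use instead: a canonical, percent-encoded parameter string signed with HMAC and verified in constant time. The key and parameter values are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlencode


def naive_mac(key, message):
    """The construction the slide warns about: HASH(key || message).
    For MD5, SHA-1 and SHA-2 the digest is the compression state after
    key || message || padding, which is why the tag for that prefix can be
    continued into a tag for key || message || padding || new-message."""
    return hashlib.md5(key + message).hexdigest()


def canonical_query(params):
    """Sign an unambiguous encoding of the parameters rather than a bare
    concatenation of values: '&', '=' and control bytes inside a value are
    percent-encoded, so a value cannot impersonate a separator."""
    return urlencode(sorted(params.items())).encode()


def sign(key, params):
    """HMAC mixes the key into an inner and an outer hash, so the tag is
    not a resumable hash state and length extension does not apply."""
    return hmac.new(key, canonical_query(params), hashlib.sha256).hexdigest()


def verify(key, params, presented_tag):
    """Recompute the tag and compare in constant time; never use == on
    MACs (compare_digest also rejects tags of the wrong length)."""
    return hmac.compare_digest(sign(key, params), presented_tag)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    tag = sign(key, {"user": "nat"})
    print(verify(key, {"user": "nat"}, tag))                    # True
    print(verify(key, {"user": "nat", "admin": "true"}, tag))   # False
    print(canonical_query({"user": "nat\x00&admin=true"}))      # separators encoded
```

The canonicalisation step is what removes the ambiguity in the slide's plainText: a value containing "\x00&admin=true" is signed as one encoded value, not as an extra parameter.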
  8. Password Storage
     • Different security criteria
     • Needs special construction, e.g. KDF, salt and iterations
     $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
     3 choices: bcrypt, scrypt & PBKDF2
     But please just use a library
  9. Comparing Hashes
     <?php
     var_dump(
         md5('240610708') == md5('QNKCDZO'),
         md5('240610708'),
         md5('QNKCDZO')
     );
     bool(true)
     string(32) "0e462097431906509019562988736854"
     string(32) "0e830400451993494058024219903391"
  10. Comparing Hashes
     p = 1/255 * (100/255)^15 = 3 * 10^-9
     var_dump('0e462097431906509019562988736854' == '0e830400451993494058024219903391');
  11. Magic Hashes
     Algo.  Plain Text          Hash
     MD5    240610708           0e462097431906509019562988736854
     MD5    QNKCDZO             0e830400451993494058024219903391
     MD5    Password147186970!  0e153958235710973524115407854157
     SHA1   aaroZmOk            0e66507019969427134894567494305185566735
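Slides 9 to 11 show that two different MD5 digests compare equal under PHP's loose == because both are numeric strings of the form "0e" followed only by digits, which PHP evaluates as 0 * 10^N. The following added example (not the speaker's code) models that comparison in Python, recognises "magic" digests, shows the strict comparison that should be used, and computes the density estimate from slide 10. Python's float() accepts the same "0e..." exponent syntax, which is what makes the model work; the function names are my own.

```python
import hashlib
import hmac
import re

# A "magic hash": a hex digest that a numeric-string comparison reads as
# zero, i.e. "0e" followed only by decimal digits.
MAGIC_HASH = re.compile(r"^0e[0-9]+$")


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def is_magic_hash(hexdigest):
    """True for digests such as 0e462097431906509019562988736854."""
    return MAGIC_HASH.match(hexdigest) is not None


def php_loose_equal(a, b):
    """Model of PHP's == on two strings that both look numeric: each side
    is converted to a number before comparing. float() parses
    '0e462097...' as 0.0 exactly as PHP does, so two magic hashes are equal.
    (Python's float() accepts a few spellings PHP would not, such as
    'inf'; that does not matter for hex digests.)"""
    try:
        return float(a) == float(b)
    except ValueError:
        return a == b


def safe_hash_equal(a, b):
    """What the PHP on the slide should do: === or hash_equals().
    compare_digest is type-strict and constant-time."""
    return hmac.compare_digest(a, b)


def magic_hash_probability(hex_len=32):
    """Chance that a uniformly random digest is magic: the first byte must
    be 0x0e (1/256) and each remaining byte must consist of two decimal
    digit nibbles ((10/16)^2 = 100/256). Slide 10 writes 1/255 * (100/255)^15;
    both round to 3e-9 for MD5."""
    remaining_bytes = hex_len // 2 - 1
    return (1 / 256) * (100 / 256) ** remaining_bytes


if __name__ == "__main__":
    h1, h2 = md5_hex("240610708"), md5_hex("QNKCDZO")
    print(h1, h2)
    print(php_loose_equal(h1, h2), safe_hash_equal(h1, h2))  # True False
    print(magic_hash_probability())                           # about 3e-9
```

The same is_magic_hash check applies to the SHA1 row of the table: the regex does not care about digest length, only about the "0e" prefix and the all-digit remainder.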
  12. Bcrypt & Null Bytes
     • crypt uses common C null-terminated strings
     • Passwords won’t contain a null byte
     • If combined with another hash, then they may have one
  13. Bcrypt Example
     <?php
     $hash = md5(168, true);
     $superHash = password_hash($hash, PASSWORD_DEFAULT);
     var_dump($hash);
     var_dump(password_verify(md5(363, true), $superHash));
     var_dump(password_verify('', $superHash));
     string(32) "006f52e9102a8d3be2fe5614f42ba989"
     bool(true)
     bool(true)
  14. Bcrypt Null Bytes
     • Never feed binary data to bcrypt
     • Don’t use multiple hash functions
     • If you must feed crypt the output of another hash, use hex or base64
     Starts with \0: p = 1/255 = 0.0039
  15. Collisions
     When H(m1) = H(m2) and m1 ≠ m2
     Plenty in MD4, MD5, SHA0
     None in SHA1, SHA2
     Forge signatures, distribute files with different behaviours, predict the future
     Not HMAC, not pre-image
  16. Brute Force
     n ≈ √(−2 · d · ln(1 − p))
     If p = 0.5 then n ≈ 1.177 · √d
     √365 ≈ 19
     √(2^128) = 2^64
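Slide 16 gives the birthday bound for a generic collision search: n ≈ √(−2·d·ln(1−p)) trials in a space of size d reach a collision with probability p, so with p = 0.5 the constant is √(2 ln 2) ≈ 1.177 and a 128-bit digest falls to about 2^64 work. The following added example (not the speaker's code) evaluates the formula in both directions with the slide's symbols and contrasts it with the cost of a pre-image search, which is the "not pre-image" point of slide 15; the function names are my own.

```python
import math


def birthday_trials(p, d):
    """Trials n needed for a collision with probability p when drawing
    uniformly from a space of size d: n ≈ sqrt(-2 d ln(1 - p)).
    log1p keeps the result accurate for small p."""
    return math.sqrt(-2.0 * d * math.log1p(-p))


def birthday_constant(p):
    """The factor in front of sqrt(d); 1.177 for p = 0.5 as on the slide."""
    return math.sqrt(-2.0 * math.log1p(-p))


def collision_probability(n, d):
    """Inverse direction: probability that n draws contain a collision,
    p ≈ 1 - exp(-n(n - 1) / (2 d)). expm1 avoids cancellation."""
    return -math.expm1(-n * (n - 1) / (2.0 * d))


def preimage_trials(p, d):
    """For comparison: finding an input with one specific digest needs
    about -d ln(1 - p) trials, linear in d rather than sqrt(d). This is
    why collisions in MD5 do not translate into pre-images."""
    return -d * math.log1p(-p)


def log2_birthday_trials(p, bits):
    """Same bound expressed in bits of work for a digest of the given
    length, avoiding huge floats: log2(n) = log2(c) + bits / 2."""
    return math.log2(birthday_constant(p)) + bits / 2.0


if __name__ == "__main__":
    print(birthday_constant(0.5))               # 1.177...
    print(birthday_trials(0.5, 365))            # 22.5 people for the birthday paradox
    print(collision_probability(23, 365))       # 0.50
    print(log2_birthday_trials(0.5, 128))       # 64.2 bits of work for a 128-bit hash
    print(math.log2(preimage_trials(0.5, 2 ** 128)))  # 127.5 bits for a pre-image
```

For d = 365 the slide's √365 ≈ 19 becomes 1.177 × 19 ≈ 22.5, the familiar 23 people; for d = 2^128 the same arithmetic gives the 2^64 on the slide, with the 1.177 contributing only a fraction of a bit.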
  17. Wang Attack
     1. Start with a random message M
     2. Create another message M′ with small differences
     3. Modify the message so that certain bitwise conditions hold in the intermediate state
     4. Test for a collision; if not found, go to 1
  18. Wang MD4
     ΔM = M − M′ = (Δm0, Δm1, ..., Δm15)
     Δm1 = 2^31, Δm2 = 2^31 − 2^28, Δm12 = −2^16
  19. Flame
     • Collision in X.509 certificate
     • TSL certificate issued with no restrictions, therefore anyone could sign code
     • Did not work on Vista or Windows 7
     Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf