
Checksums are not secure

One day I stumbled upon a web app testing environment that used client-side JavaScript to perform authentication.

It was very simple to break into because it hashed the password using a very simple checksum algorithm.

I created this presentation to share my thoughts on what I found.

Justin Mancinelli

July 21, 2015

Transcript

  1. What’s so Bad? The Enemy Breaking Bad Closing

     Found in the wild: a web app testing environment
  2. function promptUserForPassword(pass) {
         // The only "secret" is the expected checksum value, 9887, and it
         // ships in the page source for anyone to read.
         if (jesChecksum(pass) != 9887) {
             pass = prompt("Please enter the passkey", "");
             if (pass == null) {
                 document.location.href = defaultHref;
             } else {
                 verifyPassword(pass);
             }
         } else {
             successfulLogin(pass);
         }
     }
     // defaultHref, verifyPassword and successfulLogin are defined elsewhere
     // in the app and are not shown on the slides.
  3. function jesChecksum(str) {
         // One fixed weight per position. Inputs longer than 25 characters
         // read past the table, multiply by undefined and return NaN.
         var primes = [ 2,  3,  5,  7, 11,
                       13, 17, 19, 23, 29,
                       31, 37, 41, 43, 47,
                       53, 59, 61, 67, 71,
                       73, 79, 83, 89, 97];
         var rtn = 0;
         // The result is a plain linear combination of the character codes:
         // the sum over i of str.charCodeAt(i) * primes[i].
         for (var i = 0; i < str.length; i++) {
             var tmp = str.charCodeAt(i) * primes[i];
             rtn = rtn + tmp;
         }
         return rtn;
     }
  4. A hash function is any function that can be used to map digital data of any size to digital data of a fixed size.
  5. “checksums are often used to verify data integrity, but should not be relied upon to also verify data authenticity”
  6. “It is infeasible to find two different messages with the same [cryptographic] hash”
  7. A mere checksum gives no such guarantee: it is feasible to find two different messages with the same checksum.
  8. function jesChecksum(str) {
         …
         for (i = 0; i < (str.length); i++) {
             tmp = str.charCodeAt(i) * primes[i];
             rtn = rtn + tmp;
         }
         …
     }

     The simplicity of this algorithm makes it very easy to solve: the output is a linear combination of the character codes, each multiplied by a fixed prime, so producing any chosen value means solving one linear equation in the character codes.
  9. Thanks to Unicode: solve 2x + 3y = 9887 over the integers, where x and y are the character codes of a two-character input (the weights 2 and 3 are the first two primes). Two printable ASCII characters cannot get there (at most 2·126 + 3·126 = 630), but charCodeAt returns any 16-bit code unit, so one such solution is “Ŏఁ”:

     Ŏఁ = String.fromCharCode(334, 3073);   // 2·334 + 3·3073 = 668 + 9219 = 9887
  10. Using the right tool for the job requires you to understand the tools available.
  11. Slide 5: http://en.wikipedia.org/wiki/Hash_function
      Slide 6: http://en.wikipedia.org/wiki/Checksum
      Slide 7: http://en.wikipedia.org/wiki/Cryptographic_hash_function
      Slide 8: http://blog.codinghorror.com/checksums-and-hashes/
      Slide 13: http://xkcd.com/1286/ and http://www.explainxkcd.com/wiki/index.php/Encryptic