Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Checksums are not secure

Justin Mancinelli
July 21, 2015
Programming
0
78

Checksums are not secure

One day I stumbled upon a web app testing environment that used client side Javascript to perform authentication.

It was very simple to break into because it hashed the password using a very simple checksum algorithm.

I created this presentation to share my thoughts on what I found.

Justin Mancinelli

July 21, 2015
Tweet

More Decks by Justin Mancinelli

See All by Justin Mancinelli
Empathy is the Accelerant
piannaf
0
16
Evaluating Multiplatform Solutions
piannaf
0
10
The Future of Cross-Platform is Native
piannaf
1
200
A trip through the Emergency Dialer
piannaf
0
14
My tmux Experience
piannaf
1
65

Other Decks in Programming

See All in Programming
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
390
Piniaの現状と今後
waka292
5
1.4k
WEBエンジニア向けAI活用入門
sutetotanuki
0
300
開発効率向上のためのリファクタリングの一歩目の選択肢 ~コード分割~ / JJUG CCC 2024 Fall
ryounasso
0
360
qmuntal/stateless のススメ
sgash708
0
120
From Subtype Polymorphism To Typeclass-based Ad hoc Polymorphism - An Example
philipschwarz
PRO
0
160
macOS でできる リアルタイム動画像処理
biacco42
4
1.6k
Amazon Neptuneで始めてみるグラフDB -OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
310
Outline View in SwiftUI
1024jp
1
100
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
910
VR HMDとしてのVision Pro+ゲーム開発について
yasei_no_otoko
0
100
生成 AI を活用した toitta 切片分類機能の裏側 / Inside toitta's AI-Based Factoid Clustering
pokutuna
0
570

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Rails Girls Zürich Keynote
gr2m
93
13k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
150
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
The World Runs on Bad Software
bkeepers
PRO
65
11k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
13
1.9k
Adopting Sorbet at Scale
ufuk
73
9k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
Why Our Code Smells
bkeepers
PRO
334
57k
Learning to Love Humans: Emotional Interface Design
aarron
272
40k
How to Think Like a Performance Engineer
csswizardry
19
1.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k

Transcript

  1. Checksum != Security An example hacking into bad Javascript authentication

  2. What’s so Bad? The Enemy Breaking Bad Closing Found in

    the wild: a web app testing environment

  3. function  promptUserForPassword(pass)  {      if  (jesChecksum(pass)  !=  9887)  {

             pass  =  prompt("Please  enter  the  passkey","");          if  (pass  ==  null)  {              document.location.href  =  defaultHref;          }  else  {              verifyPassword(pass);          }      }  else  {          successfulLogin(pass);      }   }   What’s so Bad? The Enemy Breaking Bad Closing

  4. function  jesChecksum(str)  {      var  primes  =  [  2,

     3,  5,  7,11,                                  13,17,19,23,29,                                  31,37,41,43,47,                                  53,59,61,67,71,                                  73,79,83,89,97];      var  rtn  =  0;      for  (i  =  0;  i  <  (str.length);  i++)  {          tmp  =  str.charCodeAt(i)  *  primes[i];          rtn  =  rtn  +  tmp;      }      return  rtn;   } What’s so Bad? The Enemy Breaking Bad Closing

  5. What’s so Bad? The Enemy Breaking Bad Closing A hash

    function is any function that can be used to map digital data of any size to digital data of a fixed size.

  6. “checksums are often used to verify data integrity, but should

    not be relied upon to also verify data authenticity" What’s so Bad? The Enemy Breaking Bad Closing

  7. “It is infeasible to find two different messages with the

    same [cryptographic] hash” What’s so Bad? The Enemy Breaking Bad Closing

  8. It should be feasible to find two different messages with

    the same checksum. What’s so Bad? The Enemy Breaking Bad Closing

  9. What’s so Bad? The Enemy Breaking Bad Closing jesChecksum(pass)  ==

     9887 Find “pass” such that

  10. function  jesChecksum(str)  {      …      for  (i

     =  0;  i  <  (str.length);  i++)  {          tmp  =  str.charCodeAt(i)  *  primes[i];          rtn  =  rtn  +  tmp;      }      …   } The simplicity of this algorithm makes it very easy to solve. What’s so Bad? The Enemy Breaking Bad Closing

  11. Thanks to Unicode: Solve 2x + 3y = 9887 over

    integers One such solution is “Ŏఁ” Ŏఁ = String.fromCharCode(334, 3073); What’s so Bad? The Enemy Breaking Bad Closing

  12. Using the right tool for the job requires you to

    understand the tools available What’s so Bad? The Enemy Breaking Bad Closing

  13. Don’t roll your own security either What’s so Bad? The

    Enemy Breaking Bad Closing

  14. And definitely don’t do security client side in Javascript What’s

    so Bad? The Enemy Breaking Bad Closing

  15. Thanks Justin Mancinelli @piannaf http://piannaf.github.io https://www.linkedin.com/in/justinmancinelli

  16. Slide 5: http://en.wikipedia.org/wiki/Hash_function Slide 6: http://en.wikipedia.org/wiki/Checksum Slide 7: http://en.wikipedia.org/wiki/Cryptographic_hash_function Slide

    8: http://blog.codinghorror.com/checksums-and-hashes/ Slide 13: http://xkcd.com/1286/ http://www.explainxkcd.com/wiki/index.php/Encryptic