Checksums are not secure

Checksum != Security An example hacking into bad Javascript authentication

What’s so Bad? The Enemy Breaking Bad Closing Found in
the wild: a web app testing environment

function jesChecksum(str) { var primes = [ 2,
3, 5, 7,11, 13,17,19,23,29, 31,37,41,43,47, 53,59,61,67,71, 73,79,83,89,97]; var rtn = 0; for (i = 0; i < (str.length); i++) { tmp = str.charCodeAt(i) * primes[i]; rtn = rtn + tmp; } return rtn; } What’s so Bad? The Enemy Breaking Bad Closing

What’s so Bad? The Enemy Breaking Bad Closing A hash
function is any function that can be used to map digital data of any size to digital data of a ﬁxed size.

“checksums are often used to verify data integrity, but should
not be relied upon to also verify data authenticity" What’s so Bad? The Enemy Breaking Bad Closing

“It is infeasible to ﬁnd two different messages with the
same [cryptographic] hash” What’s so Bad? The Enemy Breaking Bad Closing

It should be feasible to ﬁnd two different messages with
the same checksum. What’s so Bad? The Enemy Breaking Bad Closing

What’s so Bad? The Enemy Breaking Bad Closing jesChecksum(pass) ==
9887 Find “pass” such that

function jesChecksum(str) { … for (i
= 0; i < (str.length); i++) { tmp = str.charCodeAt(i) * primes[i]; rtn = rtn + tmp; } … } The simplicity of this algorithm makes it very easy to solve. What’s so Bad? The Enemy Breaking Bad Closing

Thanks to Unicode: Solve 2x + 3y = 9887 over
integers One such solution is “Ŏఁ” Ŏఁ = String.fromCharCode(334, 3073); What’s so Bad? The Enemy Breaking Bad Closing

Using the right tool for the job requires you to
understand the tools available What’s so Bad? The Enemy Breaking Bad Closing

Don’t roll your own security either What’s so Bad? The
Enemy Breaking Bad Closing

And deﬁnitely don’t do security client side in Javascript What’s
so Bad? The Enemy Breaking Bad Closing

Thanks Justin Mancinelli @piannaf http://piannaf.github.io https://www.linkedin.com/in/justinmancinelli

http://en.wikipedia.org/wiki/Hash_function Slide 6: http://en.wikipedia.org/wiki/Checksum Slide 7: http://en.wikipedia.org/wiki/Cryptographic_hash_function Slide
8: http://blog.codinghorror.com/checksums-and-hashes/ Slide 13: http://xkcd.com/1286/ http://www.explainxkcd.com/wiki/index.php/Encryptic

Checksums are not secure

Checksums are not secure

Justin Mancinelli

More Decks by Justin Mancinelli

Other Decks in Programming

Featured

Transcript

Checksum != Security An example hacking into bad Javascript authentication

What’s so Bad? The Enemy Breaking Bad Closing Found in

function promptUserForPassword(pass) { if (jesChecksum(pass) != 9887) {

function jesChecksum(str) { var primes = [ 2,

What’s so Bad? The Enemy Breaking Bad Closing A hash

“checksums are often used to verify data integrity, but should

“It is infeasible to ﬁnd two different messages with the

It should be feasible to ﬁnd two different messages with

What’s so Bad? The Enemy Breaking Bad Closing jesChecksum(pass) ==

function jesChecksum(str) { … for (i

Thanks to Unicode: Solve 2x + 3y = 9887 over

Using the right tool for the job requires you to

Don’t roll your own security either What’s so Bad? The

And deﬁnitely don’t do security client side in Javascript What’s

Thanks Justin Mancinelli @piannaf http://piannaf.github.io https://www.linkedin.com/in/justinmancinelli

Slide 5: http://en.wikipedia.org/wiki/Hash_function Slide 6: http://en.wikipedia.org/wiki/Checksum Slide 7: http://en.wikipedia.org/wiki/Cryptographic_hash_function Slide