Slide 1
Slide 1 text
Hash Functions
And how not to use them
@natmchugh
Slide 2
Slide 2 text
No content
Slide 3
Slide 3 text
Advice
Don’t use MD5
Don’t use SHA1
Don’t use cryptographic hash functions
Don’t use any cryptographic primitives
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
Some Hash Functions
• SHA1
• SHA2
• MD5
• RIPEMD
• TIGER
• Whirpool
• HAVAL
• GOST
• CRC
• City Hash
• Joaat
Slide 6
Slide 6 text
Cryptographic Hash
Functions
1.Pre image resistance (one way) given hash
cannot find m
2.Second pre-image resistance (weak collision
resistance)
3.Collision resistance
Slide 7
Slide 7 text
What are crypto hash
functions used for?
• Password storage
• Duplicate Data detection
• Git
• Crypto currencies
• Digital Signatures
• MAC
Slide 8
Slide 8 text
Stolen from: https://www.coursera.org/course/crypto
Slide 9
Slide 9 text
MD4 in detail
MD4 ("") = 31d6cfe0d16ae931b73c59d7e0c089c0
a = 0x67452301
b = 0xefcdab89
c = 0x98badcfe
d = 0x10325476
F(b, c, d) = (((c ^ d) & b) ^ d)
...
a = 0x31d6cfe0
b = 0xd16ae931
c = 0xb73c59d7
d = 0xe0c089c0
Slide 10
Slide 10 text
MAC
Slide 11
Slide 11 text
MAC from hash functions
HASH(key || message)
HASH(key|| orig-message || padding || new-message)
plainText = ‘user=nat\x0c…\x00&admin=true'
http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-
forgery.html
Slide 12
Slide 12 text
HMAC
hash_hmac ($algo, $data, $key);
HMAC(K, m) = H ( (K ^opad) | H((K ^ ipad) | m))
Slide 13
Slide 13 text
Password Storage
• Different Security Criteria
• Needs special construction e.g. KDF, salt and
iterations
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
3 choices bcrypt, scrypt & PBKDF2
But please just use a library
Slide 14
Slide 14 text
Comparing Hashes
Slide 15
Slide 15 text
Comparing Hashes
p = 1 / 255 * (100 / 255) ^ 15= 3 * 10 ^ -9
var_dump('0e462097431906509019562988736854' ==
'0e830400451993494058024219903391');
Slide 16
Slide 16 text
Magic Hashes
Algo. Plain Text Hash
MD5 240610708 0e462097431906509019562988736854
MD5 QNKCDZO 0e830400451993494058024219903391
MD5 Password147186970! 0e153958235710973524115407854157
SHA1 aaroZmOk
0e665070199694271348945674943051855
66735
Slide 17
Slide 17 text
Comparing Hashes
Solution:
• Use hash_equals > php 5.6
• Use ===
• Use strcmp()
Slide 18
Slide 18 text
Bcrypt & Null Bytes
• crypt uses common C null-terminated string
• Passwords won’t contain null byte
• If combined with another hash then may have
Slide 19
Slide 19 text
Bcrypt Example
Slide 20
Slide 20 text
Bcrypt Null Bytes
• Never feed binary data to bcrypt
• Don’t use multiple hash functions
• If you must feed crypt output of another hash use hex or
base64
Starts with \0 p =1 / 255 = 0.0039
Slide 21
Slide 21 text
Collisions
Slide 22
Slide 22 text
Collisions
When H(m1) = H(m2) and m1≠m2
Plenty in MD4, MD5, SHA0
None in SHA1, SHA2
Forge Signatures, distribute files different behaviours,
predict future not HMAC not pre-image
Slide 23
Slide 23 text
Brute Force
n ≈ √(-2 * ln(1-p) * √d
If p=0.5 then n= 1.177 * √d
√365 = 19
√(2^128) = 2^64
Slide 24
Slide 24 text
Wang Attack
1.Start with random message
2.Create another message M’ with small diffs
3.Modify message so that certain bitwise
conditions hold in intermediate state
4.Test for collision if not found go to 1
Slide 25
Slide 25 text
Wang MD4
M = M − M’ = (Δm0, Δm1, ......, Δm15)
Δm1 = 231, Δm2 = 2^31 − 228, Δm12 = −216
Slide 26
Slide 26 text
Demo
Slide 27
Slide 27 text
Chosen Prefix Collision
Slide 28
Slide 28 text
Flame
• Collision in X509 Certificate
• TSL certificate issued with no restrictions
therefore anyone could sign code
• Did not work on Vista or Windows 7
Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf
Slide 29
Slide 29 text
Links
• http://cryptopals.com/
• https://github.com/natmchugh/longEgg
• https://marc-stevens.nl/research/
• http://natmchugh.blogspot.co.uk/
• http://www.win.tue.nl/hashclash/rogue-ca/