Slide 1

Slide 1 text

Hash Functions
And how not to use them
@natmchugh

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Advice
Don’t use MD5
Don’t use SHA1
Don’t use cryptographic hash functions
Don’t use any cryptographic primitives

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Some Hash Functions
• SHA1
• SHA2
• MD5
• RIPEMD
• TIGER
• Whirlpool
• HAVAL
• GOST
• CRC
• City Hash
• Joaat

Slide 6

Slide 6 text

Cryptographic Hash Functions
1. Pre-image resistance (one way): given hash cannot find m
2. Second pre-image resistance (weak collision resistance)
3. Collision resistance

Slide 7

Slide 7 text

What are crypto hash functions used for?
• Password storage
• Duplicate data detection
• Git
• Crypto currencies
• Digital Signatures
• MAC

Slide 8

Slide 8 text

Stolen from: https://www.coursera.org/course/crypto

Slide 9

Slide 9 text

MD4 in detail
MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0
a = 0x67452301
b = 0xefcdab89
c = 0x98badcfe
d = 0x10325476
F(b, c, d) = (((c ^ d) & b) ^ d)
...
a = 0x31d6cfe0
b = 0xd16ae931
c = 0xb73c59d7
d = 0xe0c089c0

Slide 10

Slide 10 text

MAC

Slide 11

Slide 11 text

MAC from hash functions
HASH(key || message)
HASH(key || orig-message || padding || new-message)
plainText = 'user=nat\x0c…\x00&admin=true'
http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-forgery.html

Slide 12

Slide 12 text

HMAC
hash_hmac($algo, $data, $key);
HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m))

Slide 13

Slide 13 text

Password Storage
• Different Security Criteria
• Needs special construction e.g. KDF, salt and iterations
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
3 choices: bcrypt, scrypt & PBKDF2
But please just use a library

Slide 14

Slide 14 text

Comparing Hashes

Slide 15

Slide 15 text

Comparing Hashes
p = 1 / 255 * (100 / 255) ^ 15 = 3 * 10 ^ -9
var_dump('0e462097431906509019562988736854' == '0e830400451993494058024219903391');

Slide 16

Slide 16 text

Magic Hashes

| Algo. | Plain Text | Hash |
|-------|------------|------|
| MD5 | 240610708 | 0e462097431906509019562988736854 |
| MD5 | QNKCDZO | 0e830400451993494058024219903391 |
| MD5 | Password147186970! | 0e153958235710973524115407854157 |
| SHA1 | aaroZmOk | 0e66507019969427134894567494305185566735 |

Slide 17

Slide 17 text

Comparing Hashes
Solution:
• Use hash_equals > PHP 5.6
• Use ===
• Use strcmp()

Slide 18

Slide 18 text

Bcrypt & Null Bytes
• crypt uses common C null-terminated string
• Passwords won’t contain null byte
• If combined with another hash then may have

Slide 19

Slide 19 text

Bcrypt Example

Slide 20

Slide 20 text

Bcrypt Null Bytes
• Never feed binary data to bcrypt
• Don’t use multiple hash functions
• If you must feed crypt output of another hash use hex or base64
Starts with \0: p = 1 / 255 = 0.0039
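
The truncation described on the bcrypt slides, modelled as an added example (not code from the talk). Assumptions: Python with SHA-256 as the pre-hash, and `c_string_view` as a hypothetical stand-in for how a NUL-terminated C API such as crypt reads its input. It measures how often a raw digest is cut short and shows that hex-encoding the digest avoids it.

```python
import hashlib

def c_string_view(data: bytes) -> bytes:
    """Model (assumption) of what a C API taking char* reads: bytes up to the first NUL."""
    return data.split(b"\x00", 1)[0]

def pre_hash_raw(password: str) -> bytes:
    """Risky pattern: the raw binary digest is handed to bcrypt."""
    return hashlib.sha256(password.encode()).digest()

def pre_hash_hex(password: str) -> bytes:
    """Safer pattern from the slide: hex output can never contain a NUL byte."""
    return hashlib.sha256(password.encode()).hexdigest().encode()

def survey(passwords):
    """Return (truncated, empty): passwords whose raw digest is cut short / cut to nothing."""
    truncated, empty = [], []
    for pw in passwords:
        raw = pre_hash_raw(pw)
        seen = c_string_view(raw)
        if seen != raw:
            truncated.append(pw)
        if seen == b"":
            empty.append(pw)
    return truncated, empty

def same_bcrypt_input(pw_a: str, pw_b: str, pre_hash) -> bool:
    """True when both passwords reach the NUL-terminated API as identical bytes."""
    return c_string_view(pre_hash(pw_a)) == c_string_view(pre_hash(pw_b))

# Constructed sample: synthetic passwords, not real data.
SAMPLE = [f"constructed-password-{i}" for i in range(20000)]

if __name__ == "__main__":
    truncated, empty = survey(SAMPLE)
    print(f"digests containing a NUL byte : {len(truncated) / len(SAMPLE):.4f}")
    print(f"digests starting with a NUL   : {len(empty) / len(SAMPLE):.4f}")
    a, b = empty[0], empty[1]
    print("two different passwords, same effective input:")
    print("  raw digest ->", same_bcrypt_input(a, b, pre_hash_raw))
    print("  hex digest ->", same_bcrypt_input(a, b, pre_hash_hex))
```

Any two passwords in the `empty` list reach the model as the same empty string, so a bcrypt hash stored for one would verify the other.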

Slide 21

Slide 21 text

Collisions

Slide 22

Slide 22 text

Collisions
When H(m1) = H(m2) and m1 ≠ m2
Plenty in MD4, MD5, SHA0
None in SHA1, SHA2
Forge signatures, distribute files with different behaviours, predict future
not HMAC
not pre-image

Slide 23

Slide 23 text

Brute Force
n ≈ √(-2 * ln(1-p)) * √d
If p = 0.5 then n = 1.177 * √d
√365 = 19
√(2^128) = 2^64

Slide 24

Slide 24 text

Wang Attack
1. Start with random message
2. Create another message M’ with small diffs
3. Modify message so that certain bitwise conditions hold in intermediate state
4. Test for collision; if not found go to 1

Slide 25

Slide 25 text

Wang MD4
ΔM = M − M’ = (Δm0, Δm1, ......, Δm15)
Δm1 = 2^31, Δm2 = 2^31 − 2^28, Δm12 = −2^16

Slide 26

Slide 26 text

Demo

Slide 27

Slide 27 text

Chosen Prefix Collision

Slide 28

Slide 28 text

Flame
• Collision in X509 Certificate
• TSL certificate issued with no restrictions therefore anyone could sign code
• Did not work on Vista or Windows 7
Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf

Slide 29

Slide 29 text

Links
• http://cryptopals.com/
• https://github.com/natmchugh/longEgg
• https://marc-stevens.nl/research/
• http://natmchugh.blogspot.co.uk/
• http://www.win.tue.nl/hashclash/rogue-ca/