1 / 55

Improving Your Password with Salt

Improving Your Password with Salt. Tayler Angevine Bachelor of Arts in Computer Science Dr. Ken Blaha (Advisor) May 03, 2014. Introduction. Why did I choose this project? Design of original project How my project turned into what it is now Two-way Symmetric Encryption

dyan
Download Presentation

Improving Your Password with Salt

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Improving Your Password with Salt Tayler Angevine Bachelor of Arts in Computer Science Dr. Ken Blaha (Advisor) May 03, 2014

  2. Introduction • Why did I choose this project? • Design of original project • How my project turned into what it is now • Two-way Symmetric Encryption • Key Generation and Storage • Salting • How does a hashing algorithm work: SHA-256 • Why is SHA-256 widely used • Demonstration • Conclusion • Questions

  3. “Hardly a week goes by without a major password breach at one website or another—in one week, nearly 500,000 Yahoo passwords were exposed, Formspring's server hack gave up nearly as many passwords, and Nvidia's developer zone was breached. And that's just some of the hacks we heard about...” • Neil J. Rubenking (pcmag)

  4. Original Project • Password Management Application • Desktop Application • Use a password to log in (a username was not required) • A central place to store all of your usernames and passwords • “a place to keep all of your keys” • Why was this useful? • Emphasis on security caused me to keep forgetting passwords. • Tired of resetting password and calling customer service

  5. Requirements • 100% reliable • Should be able to open the program and retrieve information whenever needed. • Completely Secure • Trust is a reoccurring theme when it comes to password management applications. • How does one safely store passwords? • Incorrect and Correct Techniques • Creating a safe environment for your information

  6. What is cryptography? • Secret writing • The computerized encoding and decoding of information • Symmetric-key cryptography • Hashing

  7. Compromised Databases • “Hardly a week goes by without a major password breach at one website or another—in one week, nearly 500,000 Yahoo passwords were exposed…” • Focal point of my project • Everything should be encrypted in the database • Which algorithms can encrypt and decrypt information? • Information needed to be encrypted, but returned to plaintext

  8. Advanced Encryption Standard (AES) • Two-way symmetric encryption algorithm.

  9. What is the key used for? • A key is a string that is used to shift each letter by a number of places or something much more complicated. • Operations: XOR, bit shifts, etc.

  10. Key Derivation • Key must be a certain length • 128, 192, 256 bits • Bigger the key means more key rounds. • 10, 12, 14 • Key rounds refer to repetitions of AES operations (shift rows, mix columns, add round key) • If you use a password as a key you must take some precautionary steps • Passwords tend to be weak • Key should be hashed first using sha 256 • Ciphered using AES with a randomly generated Key. (Key used should be stored) • Ensure “randomness” • Hashed again using sha 256. • Key size • Prevent from Dictionary Attacks

  11. Key Derivation Continued… • Plenty of Libraries for creating secret keys • Java’s • SecretKeyFactory • SecretKey

  12. Storing the Key • Key must be stored in order to encrypt and decrypt data. • Problem that’s been around for years

  13. Storing Key in Database • Common Solution • Risky

  14. Storing Key in Separate File • Common Solution • Risky • Anything done in code can be undone. • Humans are predictable • Split the key. • Change file permissions.

  15. Store Key on External Storage Device • Key is stored on USB or External Hard Drive • Attack must be executed locally or attacker must try every possible key to see if your database decrypts (brute force) • Requires user to provide key at start up. • Unreasonable. • USB is lost or damaged • My favorite solution

  16. Do not store the key at all • Most interesting • Relies on password strength • When the user attempts to log in, take the user’s password, do the hash  cipher  hash steps, see if it decrypts the database

  17. Hashing • Irreversible function. • Used to mainly store passwords • How to log in • Hash the password given by the user • Check to see if the hash given by the user equals the hash stored in the database. • Do they match? • Must be cautious when hashing • Susceptible to • Look-up tables • Brute-force and dictionary attacks

  18. Types of attacks • Look-up table • Brute Force and Dictionary Attacks

  19. Look up tables • Pre-computed table for reversing hash functions. • Takes the hashes of commonly used passwords and matches them to the hashes stored in the database • Hash matching game • Used to crack multiple passwords at a time • Work because each password is hashed the exact same way. • Hash of “dog” will result in the same hash every time. • As long as you are using the same algorithm. • Hash of “dog” using md5 != hash of “dog” using SHA

  20. How to defend your HASH… • Look Up tables • Salt the Master Password using Cryptographically Secure Pseudo-Random Number Generator • hash(“password" + “RxFLuENMsoeD") = 9c22122442a125612s62310219e025218129210 • USING SHA-256 • Avoids collision • This is done N amount of times • The salt and hash are stored in the database • Works because it takes a lot of time to rework a table.

  21. Example

  22. Salting the Correct Way • do not do this • Hash( hash( hash( password+salt ) ) ) • Hashing the same value does not increase security • Hash( hash( password ) + hash( salt ) ) • These are argued by others • Access to source code • Use a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) • A Random Number Generator was not made to be used for cryptography. • Use a large enough CSPRNG

  23. Pigeon Hole Principle • If there are more balls than boxes, then some box must contain more than one wall.

  24. Salt Size • Do not want to reuse salts • Chances of collision become non-negligible at 2^n/2 salts • Byte[] salt = new Byte[8] • 8 bytes * 8 bits per byte = 64 • 2^64 possible salts • It is better to be safer than sorry • Use a 16 byte array • 2^128 possible salts.

  25. There are other methods to hash collision • Concatenating the salt with other variables • User name, session id, curser location, etc…

  26. Brute Force and Dictionary Attacks • Brute Force • Try every possible combination to a fixed length. • Dictionary Attack • Can be used to crack individual passwords. • List of words (dictionary) or commonly used passwords.

  27. Slowing Brute Force Attacks • SHA-256 is designed to be fast • Can’t use wait statements • PBKDF2 • Has multiple parameters • Value that will be hashed • Salt • Work factor • Has tons of algorithms that it can be used with • SHA-256 • SHA-1 • AES • BlowFish • Etc.

  28. None of this really matters if • Law #5: None of this matters if it’s a weak password. • Technet.microsoft.com

  29. Password Length • Suppose there are 95 ASCII characters • Lower Case Letters = 26 • Upper Case Letters = 26 • Digits = 10 • Special Characters = 33 • TOTAL = 95

  30. How does hashing work?

  31. Introduction • Review the hash function SHA-256 • Goal: understand how SHA-256 computes it’s hash. • Why have I decided to focus on Sha-256 algorithms? • Battle tested • Considered to be some of the “safest” algorithms • Bitcoin is based around SHA-256. • The way the algorithm is implemented using MessageDigest left a lot of unknowns. • Was under the impression that I would need to code the algorithm.

  32. More intro • Named after it’s digest length. • Will not focus on • SHA-1 because it has been “broken” • Would rather focus on today’s standard rather than the past. • SHA-384 and SHA-512 because they are essentially the same. • Why go over the code? • I believe it is necessary to understand the code of an algorithm in order to comprehend how hashing works.

  33. What is a hash? • Hash function takes a string of any length, and generates fixed-length output data. • It is not reversible. • Because a lot of data is discarded during the hash process. • If you have lost information about the original input, then it is nearly impossible to reverse the hash.

  34. What makes a good hash? • Same input will always lead to the same output. • Avoids collision attacks • What is a collision attack? • Find two input strings that produce the same hash. • “abc” • “aiieagnea;[sagjeiao;iaeohgao;ejagea” • Hash functions can have infinite input length, but a fixed output. • Sha 256 is more safe from collision attacks than other algorithms. • MD5 = 128 byte output, 64 bits of security • SHA-1 = 160 byte output, 80 bits of security. • SHA 256 = 256 byte output, 128 bits of security

  35. How does it work? • Padding aka Preprocessing • Block decomposition • Hash Algorithm

  36. Preprocessing • Message (M) is l bits long. • Append message with a 1 • Followed by n zero bits. N is smallest, non-negative solution to the equation. • L + 1 + n = 448 mod 512 • This leaves enough room to append what we have so far with a 64-bit block that equals our message represented in binary. • Message = “abc” • 24 + 1 + N = 448  N = 423 zero bits

  37. Notation • Algorithm uses AND, XOR, OR, Circular Right Shift, and Logical Right Shifts in order to compute the hash.

  38. AND Java symbol: & Produces 1 if both p and q are 1’s.

  39. OR Java symbol: | Produces 1 if p or q are 1

  40. XOR Java: ^ Produces 1 if p or q is 1, but not both.

  41. Circular Shift Right ShR(variable, number) • >> signed right shift

  42. Logical Right ShiftRotR(variable, number) • >>> unsigned right shift

  43. Equations

  44. Where it starts to get complicated. • Generally H1– H8 are set to the first 32 bits of the fractional parts of the square roots of the first eight primes.

  45. Example • Square root of 2 = 1.414213562373095048801 • Fractional part = 0.41421356237309504. • Hexadecimal = 6A09E667.

  46. Where does our password come into play? • Or original password was padded to 512 bits. Which is 16, 32 bit components. • A 64 component array is created we will refer to as W • W0 – W15 are initialized to our padded password. • The rest (W16 – W63) are set to a value determined by this function • J is just the counter in a for loop.

  47. Algorithm Computation(executed 64 times)

  48. A – H are initialized with H1– H8

  49. Last Step • Take your original and H1– H8 add a – h to them.

  50. Demonstration

More Related