Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
Enough With The Rainbow Tables - What You Need To Know About Secure Password Schemes - Article by Thomas Ptacek (2007)

Enough With The Rainbow Tables - What You Need To Know About Secure Password Schemes - Article by Thomas Ptacek (2007)

Ratings: (0)|Views: 490|Likes:
Published by Dhruv Jain
Uploaded by Hack Archives - http://undergroundlegacy.co.cc -
Uploaded by Hack Archives - http://undergroundlegacy.co.cc -

More info:

Published by: Dhruv Jain on Mar 19, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

07/20/2013

pdf

text

original

 
SecurityFocus
 
Search:
 
 
 
 
 
 
 
q
 
News 
q
 
q
 
q
 
q
 
Unix 
q
 
IDS 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
q
 
Jobs 
q
 
q
 
q
 
q
 
q
 
 
Thomas Ptacek
, Matasano
2007-09-10
The socialbookmarkosphereis abuzzwithtalkof “rainbow tables” , what they mean for password security, and why they prove that Microsoft did a shoddy job of securing Windowsfor Workgroups 15 years ago. This really freaks me out. If the “advanced” pole of your threatmodel is “rainbow tables”, stop working on your social shopping cart calendar applicationright now: I can’t trust you with my Reddit karma score, let alone my credit card number.
.
To begin, password storage 101
: servers don’t usually store actual passwords. Instead,they hash the password, store the hash, and discard the password. The hash can verify apassword from a login page, but can’t be reversed back to the text of the password. So whenyou inevitably lose your SQL password table, you haven’t exposed all the passwords; just thecrappy ones.Now let’s re-explain rainbow tables:
1.
take a “dictionary” —- say, of all combinations of alphanumerics less than 15characters
2.
hash all of them
3.
burn the results onto a DVD.You now have several hundred billion hash values that you
can
reverse back to text —- a“rainbow table”. To use,
http://www.securityfocus.com/blogs/262 (1 of 8)9/20/2007 7:42:29 PM
 
SecurityFocus
q
 
RSS 
q
 
News 
q
 
1.
take your stolen table of hashes
2.
for each hash
3.
find it in the rainbow table.If it’s there, you cracked it.
.
Here’s what you need to know about rainbow tables: no modern password schemeis vulnerable to them.
Rainbow tables are easy to beat. For each password, generate a random number (a
nonce
).Hash the password with the nonce, and store both the hash and the nonce. The server hasenough information to verify passwords (the nonce is stored in the clear). But even with asmall random value, say, 16 bits, rainbow tables are infeasible: there are now 65,536“variants” of each hash, and instead of 300 billion rainbow table entries, you needquadrillions. The nonce in this scheme is called a “salt”.Cool, huh? Yeah, andUnix crypt—- almost the lowest common denominator in securitysystems —- has had this featuresince 1976. If this is news to you, you shouldn’t bedesigning password systems. Use someone else’s good one.
.
No, really.Use someone else’s password system. Don’t build your own.
Most of the industry’s worst security problems (like the famously bad LANMAN hash)happened because smart developers approached security code the same way they did therest of their code. The difference between security code and application code is, whenapplication code fails, you find out right away. When security code fails, you find out 4 yearsfrom now, when a DVD with all your customer’s credit card and CVV2 information startscirculating in Estonia.
.
Here’s a “state of the art” scheme from a recent blog post on rainbow tables and salts:
hash = md5('deliciously-salty-' + password)
http://www.securityfocus.com/blogs/262 (2 of 8)9/20/2007 7:42:29 PM
 
SecurityFocus
There are at least two problems with this code. Yeah, the author doesn’t know what a salt is;“deliciously-salty-” is not a nonce (
also, Jeff, your computer really doesn’t care if youseperate the password from the nonce with a dash; it’s a computer, not a 2nd gradeteacher
).
But there’s a much bigger problem with this code: the letters “md5”.
Two reasons.
1.
You’re expecting me to go off on a rant about how there isno redeeming qualityto justifyusing MD5 in 2007. That’s true (MD5 is broken; it’s too slow to use as a general purposehash; etc). But that’s not the problem.
2.
The problem is that MD5 is fast. So are its modern competitors, like SHA1 and SHA256.Speed is a design goalof a modern secure hash, because hashes are a building block of almost every cryptosystem, and usually get demand-executed on a per-packet or per-message basis.
Speed is exactly what you don’t want in a password hash function.
Modern password schemes are attacked with incremental password crackers.Incremental crackers don’t precalculate all possible cracked passwords. They consider eachpassword hash individually, and they feed their dictionary through the password hashfunction the same way your PHP login page would. Rainbow table crackers like Ophcrack usespace to attack passwords; incremental crackers like John the Ripper, Crack, and LC5 workwith time: statistics and compute.The password attack game is scored in time taken to crack password X. With rainbow tables,that time depends on how big your table needs to be and how fast you can search it. Withincremental crackers, the time depends on how fast you can make the password hashfunction run.The better you can optimize your password hash function, the faster your password hashfunction gets, the weaker your scheme is. MD5 and SHA1, even conventional block cipherslike DES, are designed to be fast. MD5, SHA1, and DES are weak password hashes. Onmodern CPUs, raw crypto building blocks like DES and MD5 can bebitsliced,vectorized, and  parallelizedto make password searches lightning fast.Game-over FPGA implementations 
http://www.securityfocus.com/blogs/262 (3 of 8)9/20/2007 7:42:29 PM

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->