RE: password hashing and crypt()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> -----Original Message-----
> From: Eric Butera [mailto:eric.butera@xxxxxxxxx]
> Sent: Sunday, January 20, 2008 12:24 AM
> To: Jochem Maas
> Cc: Nathan Nobbe; PHP General List
> Subject: Re:  password hashing and crypt()
> 
> On Jan 19, 2008 8:02 PM, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
> > Nathan Nobbe schreef:
> > > hi all,
> > >
> > > recently ive been debating a bit about the use of the crypt()
> function and
> > > the best practice thereof, im hoping you can help to clarify this
> for me.
> > >
> > > so, the crypt function
> > > http://www.php.net/manual/en/function.crypt.php
> > > has a second parameter, $salt, which, if not supplied will be
> automatically
> > > generated and presumably become a prefix or suffix of the returned
> string.
> > >
> > > now, the article on the phpsec website
> > > http://phpsec.org/articles/2005/password-hashing.html
> > > recommends to externally create a salt and to store that in a
> separate field
> > > in the database, which would then be used for subsequent password
> > > verification.
> > >
> > > theoretically, however, if the password is generated without a user
> supplied
> > > salt,
> > > there is a salt already embedded in the password anyway.
> > >
> > > so, i have the following questions
> > >
> > >    1. is the phpsec technique bloated or unnecessary
> >
> > I can't see a dictionary attack being thwarted by the salt given that
> the salt
> > is made available when a password is checked. I'm struggling to see
> how a salt
> > will help if it's made available. but it's late, may be better brain
> can enlighten us :-)
> >
> > then again your question is a little skewed due to the fact that
> sha1() is
> > used in the phpsec article and your talking about crypt - which
> encryption is
> > better as it stands is the first question to ask no? AFAIK sha1() is
> > recommended over DES but maybe I'm misinformed.
> >
> > >    2. is it better to create a user supplied salt, and why or why
> not
> > >    3. is crypt() 'intended' to be used w/o a user provided salt,
> since it
> > >    is a stable algorithm
> >
> > depends on the use - i.e. using it inconjunction with a .htpasswd
> file
> > will required no salt (auto-generated salt), other usage recommends
> using
> > an explicit salt.
> >
> > all this salt is hurting my eyes - I have a blind spot.
> >
> >
> > >
> > > any other direction or hints you can supply are much appreciated.
> > >
> > > thanks,
> > >
> > > -nathan
> > >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> 
> They say sha1 has been compromised.
> http://en.wikipedia.org/wiki/SHA_hash_functions
> 
> I always make sure that I use a site specific salt which is just
> appended on the user supplied value.  I started doing that when I read
> that people had created huge databases of hashed values that they can
> just search on.  At least this way no matter what the password isn't a
> dictionary word.  As for if that really adds value in the end I can't
> say as I'm not really a security expert.
> 
> Eg. hash('sha256', $input.$salt);
> 
> --

Let me share what I've read in a cryptography book some time ago. I hope to
remember it well, but for me it served as an explanation about what the
"SALT" is all about (for those of you who don't have a clue, like me). I
will put aside any cryptographic considerations like the strength of the
algorithms or steganography analysis. 

Let's build a scenario (yeah, I was kind of a teacher in the past, lol). For
the sake of simplicity, let's assume the following:

1 - You have a database (actually, a table) of 10 rows with user encrypted
passwords, and somebody (the cracker) had made it to sniff in and get access
to it. Let's assume passwords are encrypted using MD5 and the cracker knows
it.
2 - No other data has been compromised, or no other compromised data means
anything to the cracker. He only wants to reverse engineer your passwords,
meaning by that "to get valid passwords that match the encrypted (hashed is
the word) ones". Let's say that having those passwords, the cracker can
login to your system and do some interesting stuff, which is the only
ultimate goal of his.
3 - The cracker has a dictionary of 100 words to try, he hopes to find a
match within that dataset. Whether he finds one or more passwords using the
dictionary is not relevant to this scenario, but the metric here is how much
computational effort he has to make to reverse engineer the encryption.

Now, what would the cracker have to do to get one or more valid passwords?
Probably something like:

1 - Apply the MD5 function to the words in the dictionary. He gets a "hashed
dictionary" which probably he has already built long a go (for doing some
other "obscure task").
2 - Compare each of the values in the hashed dictionary to the passwords
table to find matches.

Step 2 can be optimized in several ways, but I'll not get deeper into it (I
won't either give you O[X] values, as I don't have a clue, but some figures
can be made). Also, there's the chance that two users chose the same
password, and the hashes would be equal (in this case you would have only 9
passwords to match).

Now, let's change the scenario and let's say that instead of a table of 10
encrypted passwords you have a table of 10 encrypted passwords and 10 random
SALT values that were used to generate them. According to that, you have the
following equivalence:

$encryptedPassword = md5($password.$salt); // Or similar

This complicates things for the cracker, because:

1 - He must know how the salt was used to generate the password (was it
concatenated before the password, after the password or both)?
2 - He has to generate 10 dictionary hashes (one for each salt value,
assuming each salt value is different). So now the hashed dictionary has
actually 1000 entries instead of 100. And he MUST recreate the hashed
dictionary for each attack he wants to perpetrate to one of these tables
(assumed he has sniffed in more than one place).
3 - Even if he finds two hashes are equal in the passwords table, he won't
guess two passwords in one shot, because the SALT values for each password
would be different.

I remember I first came across to the SALT thing while doing an SMF
integration (don't remember the SMF version, but I remember I had to do
things manually that time, now SMF has an API of some sort I think).

Ok, that's all folks. Now, I'll have a glass of water (or better yet, wine).

Regards,

Rob


Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: info@xxxxxxxxxxxxx  | MSN Chat: best@xxxxxxxxxxxxx  |  SKYPE:
bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux