[关闭]
@1qaz 2015-08-27T14:38:15.000000Z 字数 3617 阅读 1414

Password Hashing and Key Derivation Function

password hash


如何安全的储存password?

如何用随机性不足的password生成足够熵的key,encrypt files,communication?

1.What's in /etc/shadow

man crypt

$id$salt$encrypted
$6$I/XCu0iC$B/tjIk7R6vvFxblqf6Cby1Sfy.Mec5EtP7q3Z8fzionmybnDF7V9xe2XMA5lbe.qYGwkuMlscSx9k/fLnevFV0

id=1 MD5,
id=2a blowfish,
id=5 SHA-256,
id=6 SHA-512
[a-zA-Z./]

default:SHA-512,5000 rounds

2.Modern hash function

PBKDF2(Password-Based Key Derivation Function2)

唯一成为NIST标准的KDF(2000)

标准建议至少1000 iteraion,64 bits salt.迭代用来增加攻击的时间成本,随机的盐降低了用彩虹表进行预计算的能力。同样的密码在盐不同的情况下需要被分别计算。

DK = PBKDF2(PRF,Password,Salt,c,dkLen)
DK = T1 || T2 || T3 || ... || TdkLen/hlen
Ti = F(Password,Salt,c,i)
F(Password,Salt,c,i) = U1 ^ U2 ^ U3 ... ^ Uc

U1 = PRF(Password,Salt || INT_32_BE(i)) //大端
U2 = PRF(Password,U1)
......
Uc = PRF(Password,Uc-1)

HMAC(k,m) = H((k xor opad)||H((k xor ipad)||m))

以WPA2为例,
DK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)

其他使用PBKDF2的软件还有WinZip,LastPass,TrueCrypt

优点:

  • 被NIST标准化,在不同平台下都有实现
  • 高度的可定制化,PRF,输出长度,迭代次数

缺点:

  • 只有密集的CPU计算,攻击者可用GPU并行计算
  • 需要自己管理参数,盐的产生和存储

bcrypt

出现于1999,BSD,基于分组加密算法blowfish,
bcrypt(cost, salt, input) 迭代次数2^cost

由于分组密码的特性,需要不断访问和修改内存中的数组(4kB)

优点:

  • 抗GPU的并行计算,大量流处理器争夺显存总线
  • 输出中包括了cost和salt,方便存储管理

缺点:

  • 输入输出长度受限
  • 难以抵挡FPGA(现场可编程门阵列)

scrypt

出现于2009,也被litecoin用来作为工作量证明的哈希算法
基于PBKDF2 HMAC-SHA256,增加大量的内存访问和修改
Time-Memory Trade-off

优点:

  • PC才是计算scrypt最有效的工具,GPU和FPGA并不会带来性能上的提升

缺点:

  • 太新,缺少实现和使用该算法的产品
  • 增加了新的参数:内存大小

3.Discussion

性能和安全的权衡

出于安全性的考虑,password hash可以牺牲性能,但是当有大量客户端同时连接时,就给服务器带来了负担
Hash Table DoS

java.lang.String
public int hashCode()

s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]

"Aa".hashCode() == "BB".hashCode()

"AaAa", "AaBB", "BBAa", "BBBB"

"AaAaAaAa", "AaAaBBBB", "AaAaAaBB", "AaAaBBAa",
"BBBBAaAa", "BBBBBBBB", "BBBBAaBB", "BBBBBBAa",
"AaBBAaAa", "AaBBBBBB", "AaBBAaBB", "AaBBBBAa",
"BBAaAaAa", "BBAaBBBB", "BBAaAaBB", "BBAaBBAa",

......

Hash table退化成单链表,插入n个元素的复杂度为O(n2)

《Denial of Service via Algorithmic Complexity Attacks》

服务器/客户端hash

strong/weak hash
pass-the-hash attack
360Ent,http


var curForm = document.getElementById('loginform');
    if (curForm)
    {
        var pass = $('#userpass').val(), hashStr;
		$('#pwlevel').val(checkPasswordLevel(pass))
        if(pass.length > 0)
        {
            hashStr = '360EntWebAdminMD5Secret';
            pass = hex_md5(pass + hashStr);
        }
        $('#userpass').val(pass);
        curForm.onsubmit = 'javascript:return true';
        //document.GetDocumentByID('loginsubmit').click();

        curForm.submit();
        return true;
    }

SRP:Secure Remote Password

盐和哈希的存储
当数据库泄露时。。。

Password Hashing Competition

2013-2015
比赛考虑的衡量因素:
安全性:

简洁性:

功能性:

Argon2
Argon2d and Argon2i
data-(in)dependent memory access VS side-channel timing attacks
hash算法 BLAKE2b

Tradeoff resilience:time-memory tradeoff
Parallelism:threads
Server relief:client hash
GPU/FPGA/ASIC unfriendly:针对x86的优化

CPU-friendly

GPU-friendly

4.Attacker's view

Crack Me If You Can
John The Ripper,Hashcat

cudaHashcat v1.37 starting in benchmark-mode...
Device #1: GeForce GTX TITAN Black, 6144MB, 980Mhz, 15MCU

Hashtype: MD5
Workload: 512 loops, 128 accel
Speed.GPU.#1.: 6613.5 MH/s

Hashtype: SHA1
Workload: 128 loops, 64 accel
Speed.GPU.#1.: 1881.9 MH/s

Hashtype: SHA256
Workload: 128 loops, 64 accel
Speed.GPU.#1.: 950.1 MH/s

Hashtype: PBKDF2-HMAC-SHA1
Workload: 200 loops, 2 accel
Speed.GPU.#1.: 557.6 kH/s

Hashtype: PBKDF2-HMAC-SHA256
Workload: 200 loops, 2 accel
Speed.GPU.#1.: 238.8 kH/s

Hashtype: PBKDF2-HMAC-SHA512
Workload: 200 loops, 2 accel
Speed.GPU.#1.: 69623 H/s

Hashtype: scrypt
Workload: 1 loops, 4 accel
Speed.GPU.#1.: 36745 H/s

Hashtype: bcrypt, Blowfish(OpenBSD)
Workload: 16 loops, 2 accel
Speed.GPU.#1.: 1211 H/s

What I learned from cracking 4000 Ashley Madison passwords

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注