@1qaz
2015-08-27T06:38:15.000000Z
字数 3617
阅读 1311
password hash
如何安全的储存password?
如何用随机性不足的password生成足够熵的key,encrypt files,communication?
man crypt
$id$salt$encrypted $6$I/XCu0iC$B/tjIk7R6vvFxblqf6Cby1Sfy.Mec5EtP7q3Z8fzionmybnDF7V9xe2XMA5lbe.qYGwkuMlscSx9k/fLnevFV0
id=1 MD5,
id=2a blowfish,
id=5 SHA-256,
id=6 SHA-512
[a-zA-Z./]
default:SHA-512,5000 rounds
唯一成为NIST标准的KDF(2000)
标准建议至少1000 iteraion,64 bits salt.迭代用来增加攻击的时间成本,随机的盐降低了用彩虹表进行预计算的能力。同样的密码在盐不同的情况下需要被分别计算。
DK = PBKDF2(PRF,Password,Salt,c,dkLen)
DK = T1 || T2 || T3 || ... || TdkLen/hlen
Ti = F(Password,Salt,c,i)
F(Password,Salt,c,i) = U1 ^ U2 ^ U3 ... ^ Uc
U1 = PRF(Password,Salt || INT_32_BE(i)) //大端
U2 = PRF(Password,U1)
......
Uc = PRF(Password,Uc-1)
HMAC(k,m) = H((k xor opad)||H((k xor ipad)||m))
以WPA2为例,
DK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)
其他使用PBKDF2的软件还有WinZip,LastPass,TrueCrypt
优点:
- 被NIST标准化,在不同平台下都有实现
- 高度的可定制化,PRF,输出长度,迭代次数
缺点:
- 只有密集的CPU计算,攻击者可用GPU并行计算
- 需要自己管理参数,盐的产生和存储
出现于1999,BSD,基于分组加密算法blowfish,
bcrypt(cost, salt, input) 迭代次数2^cost
由于分组密码的特性,需要不断访问和修改内存中的数组(4kB)
优点:
- 抗GPU的并行计算,大量流处理器争夺显存总线
- 输出中包括了cost和salt,方便存储管理
缺点:
- 输入输出长度受限
- 难以抵挡FPGA(现场可编程门阵列)
出现于2009,也被litecoin用来作为工作量证明的哈希算法
基于PBKDF2 HMAC-SHA256,增加大量的内存访问和修改
Time-Memory Trade-off
优点:
- PC才是计算scrypt最有效的工具,GPU和FPGA并不会带来性能上的提升
缺点:
- 太新,缺少实现和使用该算法的产品
- 增加了新的参数:内存大小
性能和安全的权衡
出于安全性的考虑,password hash可以牺牲性能,但是当有大量客户端同时连接时,就给服务器带来了负担
Hash Table DoS
java.lang.String
public int hashCode()
s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
"Aa".hashCode() == "BB".hashCode()
"AaAa", "AaBB", "BBAa", "BBBB"
"AaAaAaAa", "AaAaBBBB", "AaAaAaBB", "AaAaBBAa",
"BBBBAaAa", "BBBBBBBB", "BBBBAaBB", "BBBBBBAa",
"AaBBAaAa", "AaBBBBBB", "AaBBAaBB", "AaBBBBAa",
"BBAaAaAa", "BBAaBBBB", "BBAaAaBB", "BBAaBBAa",
......
Hash table退化成单链表,插入n个元素的复杂度为O(n2)
《Denial of Service via Algorithmic Complexity Attacks》
服务器/客户端hash
strong/weak hash
pass-the-hash attack
360Ent,http
var curForm = document.getElementById('loginform');
if (curForm)
{
var pass = $('#userpass').val(), hashStr;
$('#pwlevel').val(checkPasswordLevel(pass))
if(pass.length > 0)
{
hashStr = '360EntWebAdminMD5Secret';
pass = hex_md5(pass + hashStr);
}
$('#userpass').val(pass);
curForm.onsubmit = 'javascript:return true';
//document.GetDocumentByID('loginsubmit').click();
curForm.submit();
return true;
}
SRP:Secure Remote Password
盐和哈希的存储
当数据库泄露时。。。
Password Hashing Competition
2013-2015
比赛考虑的衡量因素:
安全性:
简洁性:
功能性:
Argon2
Argon2d and Argon2i
data-(in)dependent memory access VS side-channel timing attacks
hash算法 BLAKE2b
Tradeoff resilience:time-memory tradeoff
Parallelism:threads
Server relief:client hash
GPU/FPGA/ASIC unfriendly:针对x86的优化
CPU-friendly
GPU-friendly
Crack Me If You Can
John The Ripper,Hashcat
cudaHashcat v1.37 starting in benchmark-mode...
Device #1: GeForce GTX TITAN Black, 6144MB, 980Mhz, 15MCU
Hashtype: MD5
Workload: 512 loops, 128 accel
Speed.GPU.#1.: 6613.5 MH/s
Hashtype: SHA1
Workload: 128 loops, 64 accel
Speed.GPU.#1.: 1881.9 MH/s
Hashtype: SHA256
Workload: 128 loops, 64 accel
Speed.GPU.#1.: 950.1 MH/s
Hashtype: PBKDF2-HMAC-SHA1
Workload: 200 loops, 2 accel
Speed.GPU.#1.: 557.6 kH/s
Hashtype: PBKDF2-HMAC-SHA256
Workload: 200 loops, 2 accel
Speed.GPU.#1.: 238.8 kH/s
Hashtype: PBKDF2-HMAC-SHA512
Workload: 200 loops, 2 accel
Speed.GPU.#1.: 69623 H/s
Hashtype: scrypt
Workload: 1 loops, 4 accel
Speed.GPU.#1.: 36745 H/s
Hashtype: bcrypt, Blowfish(OpenBSD)
Workload: 16 loops, 2 accel
Speed.GPU.#1.: 1211 H/s