AttackFlow Findings Dictionary

Insecure Cryptographic Hash

An attacker can circumvent the hashing algorithm in use by reversing the hashed value back into the original plain text.

Severity

Critical

Fix Cost

Medium

Trust Level

High

Cryptographic hash algorithms promise that, applied to a given plain text, they produce a fixed-size, non-reversible hash. Another basic premise of these hash algorithms is that they are fast, very fast.

There are many cryptographic hash functions; however, most of them are insecure. Two examples of insecure hash functions are:

  • MD5, which was broken in 2008
  • SHA-1, considered weak since 2005

These two are the most widely used hash functions, and both should be abandoned because of their practical and theoretical weaknesses.

One of the most important practical attacks against hash functions is the rainbow table. In this attack, hackers precompute the hashes of millions of simple plain-text passwords and store them offline, indexed by hash value. This of course creates huge databases, terabytes in size. However, given a hash value, the lookup then takes milliseconds, without any attempt to break the algorithm itself.

using System.Security.Cryptography;
// 'input' is the caller-supplied byte[] to hash; MD5 is the insecure choice this finding flags
var md5 = new MD5CryptoServiceProvider();
var hashValue = md5.ComputeHash(input);

The code snippet above uses the MD5 algorithm, which has been proven insecure both theoretically and practically.

import java.security.MessageDigest;
// 'text' is the caller-supplied String to hash; SHA-1 is the insecure choice this finding flags
MessageDigest mdaAlg = MessageDigest.getInstance("SHA-1");
byte[] hashBytes = mdaAlg.digest(text.getBytes("UTF-8"));

The code snippet above uses the SHA-1 algorithm, which has been proven insecure both theoretically and practically.
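As an added example (not AttackFlow's code and not taken from either snippet above), the following Python script puts the weak pattern behind both snippets next to its hardened form: a precomputed table recovers an unsalted MD5 hash of a common password by lookup alone, exactly as the rainbow-table paragraph describes, while a per-password random salt and a deliberately slow PBKDF2 derivation make such tables useless and keep the final comparison constant-time. The wordlist, the fixed demo salts and the 600,000-iteration default are assumptions of the example, not values from the finding.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a precomputed (rainbow-style) table.
# Real tables hold millions of entries; the lookup principle is identical.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

# Assumption: 600,000 iterations of PBKDF2-HMAC-SHA256; tune so that one
# derivation takes roughly 100 ms on the hardware that verifies logins.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def build_unsalted_table(words, algorithm="md5"):
    """Precompute hex(hash) -> plaintext for an unsalted fast hash.

    This is the weak pattern both snippets on the page embody: one table
    works against every user of every system that hashes this way.
    """
    return {hashlib.new(algorithm, w.encode("utf-8")).hexdigest(): w
            for w in words}


def lookup(table, hex_digest):
    """Recover a plaintext by dictionary lookup; no cryptanalysis involved."""
    return table.get(hex_digest.lower())


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened form: per-password random salt plus a deliberately slow KDF.

    Returns (salt, derived_key); store both, the salt need not be secret.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return salt, derived


def verify_password(candidate, salt, stored_key, iterations=PBKDF2_ITERATIONS):
    """Recompute under the stored salt and compare in constant time."""
    _, candidate_key = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(candidate_key, stored_key)


def salt_defeats_precomputation(words, password, iterations=1000):
    """Show why salting breaks the table attack.

    A table precomputed under salt_a contains nothing useful for the same
    password stored under salt_b: the attacker must rebuild it per salt and
    pay the KDF cost for every entry. Fixed salts and a low iteration count
    are used only to keep the demonstration fast.
    """
    salt_a, salt_b = b"A" * SALT_BYTES, b"B" * SALT_BYTES  # constructed demo salts
    table = {hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), salt_a, iterations): w
             for w in words}
    _, key_b = hash_password(password, salt_b, iterations)
    return key_b not in table


if __name__ == "__main__":
    table = build_unsalted_table(COMMON_PASSWORDS)
    leaked = hashlib.md5(b"password").hexdigest()
    print("unsalted MD5 recovered:", lookup(table, leaked))
    salt, key = hash_password("letmein", iterations=1000)
    print("PBKDF2 verify:", verify_password("letmein", salt, key, 1000))
    print("salt defeats table:", salt_defeats_precomputation(COMMON_PASSWORDS, "qwerty"))
```

Note that the fix is not simply swapping MD5 for SHA-256: an unsalted SHA-256 of a common password is just as easy to look up in a precomputed table. What defeats the attack is the salt (a fresh table per password) combined with a slow derivation (a high cost per table entry).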