AttackFlow Findings Dictionary

Finding A Way To Try AttackFlow Enterprise Edition?

If so, click to download 15 days full version for free!

Insecure PBE Work Factor

The attacker executing a brute force attack can find original passwords from hashed ones

Severity

High

Fix Cost

High

Trust Level

High

Cryptographic hash algorithms claim that when applied to a given plain text they will produce non-reversible fixed-size hashes. The basic another premise of these hash algorithms is being fast, very fast.

One of the most important practical attacks against hash functions is called Rainbow Tables. In this attack hackers precompute millions of simple plain text passwords into hashed values and store them offline with hash values to be indexes. This of course creates huge databases in terabytes. However, given a hash value lookup time shortens into milliseconds without even trying to break the algorithm.

One of the mitigations against this attack is using stronger hash algorithms with salt. The salt is added to every input before the hash algorithm is applied and the salt is stored along side with the hashed output. This way the huge pre-built databases of attackers won’t help much.

However, with the ever-increasing computational power it is now possible to compute 500 billion hashes in a second using daily cloud resources. Yes, that’s right, in a second. Therefore, a slower and adaptive hash algorithm that slows down the attacker should be employed. Password based key derivation function (PBKDF) is one of those algorithms but the work factor determines how slow the algorithm runs. This work-factor shouldn’t be low, otherwise, the whole premise of using PBKDF will not be true. The code below uses a work factor of 5000 that is considered to be insecure.

                                       
public string ComputeHash(string passwd, string salt)
{
byte[] saltBytes = Convert.FromBase64String(salt);
 
using (var pbkdf2 = new Rfc2898DeriveBytes(passwd, saltBytes,5000))
{
var key = pbkdf2.GetBytes(64);
return Convert.ToBase64String(key);
}
}

                 
            

Cryptographic hash algorithms claim that when applied to a given plain text they will produce non-reversible fixed-size hashes. The basic another premise of these hash algorithms is being fast, very fast.

One of the most important practical attacks against hash functions is called Rainbow Tables. In this attack hackers precompute millions of simple plain text passwords into hashed values and store them offline with hash values to be indexes. This of course creates huge databases in terabytes. However, given a hash value lookup time shortens into milliseconds without even trying to break the algorithm.

One of the mitigations against this attack is using stronger hash algorithms with salt. The salt is added to every input before the hash algorithm is applied and the salt is stored along side with the hashed output. This way the huge pre-built databases of attackers won’t help much.

However, with the ever-increasing computational power it is now possible to compute 500 billion hashes in a second using daily cloud resources. Yes, that’s right, in a second. Therefore, a slower and adaptive hash algorithm that slows down the attacker should be employed. Password based key derivation function (PBKDF) is one of those algorithms but the work factor determines how slow the algorithm runs. This work-factor shouldn’t be low, otherwise, the whole premise of using PBKDF will not be true.

The code below uses a work factor of 5000 that is considered to be insecure.

            
char[] passwordChars = password.toCharArray();
byte[] saltBytes = salt.getBytes();

PBEKeySpec spec = new PBEKeySpec(passwordChars, saltBytes, 5000, KEY_LENGTH);

SecretKeyFactory key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hashedPassword = key.generateSecret(spec).getEncoded();
                 
            

Cryptographic hash algorithms claim that when applied to a given plain text they will produce non-reversible fixed-size hashes. The basic another premise of these hash algorithms is being fast, very fast.

One of the most important practical attacks against hash functions is called Rainbow Tables. In this attack hackers precompute millions of simple plain text passwords into hashed values and store them offline with hash values to be indexes. This of course creates huge databases in terabytes. However, given a hash value lookup time shortens into milliseconds without even trying to break the algorithm.

One of the mitigations against this attack is using stronger hash algorithms with salt. The salt is added to every input before the hash algorithm is applied and the salt is stored along side with the hashed output. This way the huge pre-built databases of attackers won’t help much.

However, with the ever-increasing computational power it is now possible to compute 500 billion hashes in a second using daily cloud resources. Yes, that’s right, in a second. Therefore, a slower and adaptive hash algorithm that slows down the attacker should be employed. Password based key derivation function (PBKDF) is one of those algorithms but the work factor determines how slow the algorithm runs. This work-factor shouldn’t be low, otherwise, the whole premise of using PBKDF will not be true.

The code below uses a work factor of 5000 that is considered to be insecure.

            
char[] passwordChars = password.toCharArray();
byte[] saltBytes = salt.getBytes();

PBEKeySpec spec = new PBEKeySpec(passwordChars, saltBytes, 5000, KEY_LENGTH);

SecretKeyFactory key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hashedPassword = key.generateSecret(spec).getEncoded();
                 
            

Finding A Way To Purchase AttackFlow Enterprise Edition?

If so, click to buy now for yearly subscriptions!