[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [WEB SECURITY] Salt Storage - web.config or database?

From: Andres Andreu <andres@xxxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Salt Storage - web.config or database?
Date: Thu, 17 Jan 2008 16:25:21 -0500
--Apple-Mail-5--1040377779
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed

I was simply making a point about protecting salt values when in use  
because an exposure on that level could effectively lead to a crack.  
My thoughts came from some recent cracking work done against data  
extracted from LDAP "userPassword" attributes. The more sophisticated  
models are based off the SHA2 family of hashes yet the  
implementations I have run into handle the salt in the same way as  
when salted SHA1 was used. So the hashing algorithm is new and  
stronger but the structure of the resulting binary hash can still be  
deconstructed and in turn cracked (in the LDAP model).

A more effective model would be to store numerous elements of data in  
some storage mechanism (DB, etc). Then generate a salt based on those  
elements. Thus the salt itself would never get stored but numerous  
elements required to recreate the salt would be available. Those  
elements could be random and/or timestamp based in nature but any one  
exposed element wouldn't be enough to allow a successful crack. When  
a query comes into play and a match of clear text data is necessary  
the salt has to be dynamically constructed as opposed to just looked  
up or extracted from some embedded model. Just some thoughts on the  
subject .....




Andres Andreu, CISSP-ISSAP, GSEC





On Jan 17, 2008, at 4:00 PM, Andy Steingruebl wrote:

> On Jan 17, 2008 9:09 AM, Andres Andreu <andres@neurofuzz.com> wrote:
>>
>> On the subject of storing salt's for use with hashes please  
>> understand that
>> the protection of the salt is critical. The LDAP model is now  
>> exploitable
>> and we recently released a proof of concept cracker for LDAP  
>> salted hashes.
>> It cover the majority of the SHA family of algorithms (up to  
>> SHA512) as
>> currently used in major LDAP implementations. The point is that  
>> since the
>> salt is available attacks become all too possible once the  
>> structure of the
>> resulting hash is understood. Even if the salt is saved in a  
>> separate DB
>> field or even table you must ensure it is not exposed via sqli or  
>> anything
>> of that nature.
>
> The hashes used weren't intended to be HMACs, they were intended to
> defeat rainbow tables and/or standard brute forcing against large hash
> databases.  Unix password fields traditionally included the salt as
> the first two characters of the hashed password value.
>
> Are you simply saying that this isn't an HMAC with a secret key?  They
> weren't intended to be...
>
> -- 
> Andy Steingruebl
> steingra@gmail.com


--Apple-Mail-5--1040377779
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=ISO-8859-1

<html><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; ">
<div>I was simply making a point about protecting salt values when in =
use because an exposure on that level could effectively lead to a crack. =
My thoughts came from some recent cracking work done against data =
extracted from LDAP "userPassword" attributes. The more sophisticated =
models are based off the SHA2 family of hashes yet the implementations I =
have run into handle the salt in the same way as when salted SHA1 was =
used. So the hashing algorithm is new and stronger but the structure of =
the resulting binary hash can still be deconstructed and in turn cracked =
(in the LDAP model).=A0</div><div><br =
class=3D"webkit-block-placeholder"></div><div>A more effective model =
would be to store numerous elements of data in some storage mechanism =
(DB, etc). Then generate a salt based on those elements. Thus the salt =
itself would never get stored but numerous elements required to recreate =
the salt would be available. Those elements could be random and/or =
timestamp based in nature but any one exposed element wouldn't be enough =
to allow a successful crack. When a query comes into play and a match of =
clear text data is necessary the salt has to be dynamically constructed =
as opposed to just looked up or extracted from some embedded model. Just =
some thoughts on the subject .....</div><div><br =
class=3D"webkit-block-placeholder"></div><div><br =
class=3D"webkit-block-placeholder"></div><div><br =
class=3D"webkit-block-placeholder"></div><br><div> <span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: =
normal; font-variant: normal; font-weight: normal; letter-spacing: =
normal; line-height: normal; orphans: 2; text-align: auto; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; -webkit-border-horizontal-spacing: 0px; =
-webkit-border-vertical-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; -webkit-border-horizontal-spacing: =
0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; -webkit-text-decorations-in-effect: none; =
text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; =
orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =
0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; =
-webkit-text-decorations-in-effect: none; text-indent: 0px; =
-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; =
white-space: normal; widows: 2; word-spacing: 0px; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =
0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; =
-webkit-text-decorations-in-effect: none; text-indent: 0px; =
-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; =
white-space: normal; widows: 2; word-spacing: 0px; "><div>Andres Andreu, =
CISSP-ISSAP, GSEC</div><div><br></div><div><br =
class=3D"khtml-block-placeholder"></div><br =
class=3D"Apple-interchange-newline"></span></span></span></span><br =
class=3D"Apple-interchange-newline"> </div><br><div><div>On Jan 17, =
2008, at 4:00 PM, Andy Steingruebl wrote:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">On Jan 17, 2008 9:09 AM, Andres Andreu &lt;<a =
href=3D"mailto:andres@neurofuzz.com";>andres@neurofuzz.com</a>&gt; =
wrote:</div> <blockquote type=3D"cite"><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: =
14px; "><br></div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">On the subject of storing salt's =
for use with hashes please understand that</div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the =
protection of the salt is critical. The LDAP model is now =
exploitable</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">and we recently released a proof =
of concept cracker for LDAP salted hashes.</div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">It cover =
the majority of the SHA family of algorithms (up to SHA512) as</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">currently used in major LDAP implementations. The =
point is that since the</div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">salt is =
available attacks become all too possible once the structure of =
the</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">resulting hash is understood. =
Even if the salt is saved in a separate DB</div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">field or =
even table you must ensure it is not exposed via sqli or =
anything</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">of that nature.</div> =
</blockquote><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">The hashes used weren't intended to be HMACs, they =
were intended to</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">defeat rainbow tables and/or =
standard brute forcing against large hash</div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">databases.<span class=3D"Apple-converted-space">=A0 </span>Unix =
password fields traditionally included the salt as</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">the first two characters of the hashed password =
value.</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">Are you simply saying that this isn't an HMAC with a =
secret key?<span class=3D"Apple-converted-space">=A0 =
</span>They</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">weren't intended to =
be...</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">--<span =
class=3D"Apple-converted-space">=A0</span></div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Andy =
Steingruebl</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><a =
href=3D"mailto:steingra@gmail.com";>steingra@gmail.com</a></div> =
</blockquote></div><br></body></html>=

--Apple-Mail-5--1040377779--
Follow-Ups:
- Re: [WEB SECURITY] Salt Storage - web.config or database?
  - From: Brian Eaton
References:
- RE: [WEB SECURITY] Salt Storage - web.config or database?
  - From: Andres Andreu
- Re: [WEB SECURITY] Salt Storage - web.config or database?
  - From: Andy Steingruebl
Prev by Date: Re: [WEB SECURITY] Salt Storage - web.config or database?
Next by Date: Re: [WEB SECURITY] Salt Storage - web.config or database?
Previous by thread: Re: [WEB SECURITY] Salt Storage - web.config or database?
Next by thread: Re: [WEB SECURITY] Salt Storage - web.config or database?
Index(es):
- Date
- Thread
Brought to you by http://www.webappsec.org
Search this site