Password Cracking, Prof. Tom Austin, San José State University (PowerPoint PPT Presentation)



SLIDE 1

CS 166: Information Security

Password Cracking

Prof. Tom Austin
San José State University

SLIDE 2

How should you store users' passwords?

SLIDE 3

Reverse-lookup tables

  • A cryptographic hash is irreversible. However, you can make a table of common hashes.

MD5 hash value                    Password
5ebe2294ecd0e0f08eab7690d2a6ee69  "secret"
084e0343a0486ff05530df6c705c8bb4  "guest"
5f4dcc3b5aa765d61d8327deb882cf99  "password"
482c811da5d5b4bc6d497ffa98491e38  "password123"
0d107d09f5bbe40cade3de5c71e9e9b7  "letmein"

SLIDE 4

***WARNING***

The passwords.txt file is LARGE. It may kill your text editor. It is still small compared to what serious password crackers use.

SLIDE 5

Lab: Part 1

Download Cracker.java and passwords.txt from http://www.cs.sjsu.edu/~austin/cs166-spring18/labs/lab08/. What username/password combinations can you identify in input.txt?

SLIDE 6

Salted hashes

  • With lookup tables, a single hash allows you to check all passwords for matches.

  • Using salt values forces the attacker to check each password individually.

Salt  Password  Hash
"AE"  "secret"  25c2f2345300e540d4f2b6a86002874e
"19"  "secret"  675c17712c444cd7512ceadb29fde6cf
"E0"  "secret"  d0633e11f62c38ad06d13545908ee223
"0B"  "secret"  5fb6bf90896adb43a2eb625d8e75f9f9

SLIDE 7

Lab: Part 2

Download inputSalted.txt. These credentials include salt values used in the hash, created by:

  md5hash(salt+password)

Extend Cracker.java to break as many of these passwords as you can.

How much slower is this program?

SLIDE 8

Pepper Value

  • Salt values slow down an attacker, but an attacker can still get many passwords.

  • A pepper value is a secret value added to the hash input.

  • Adding a pepper value requires additional work from the attacker (until it is broken).

SLIDE 9

Modern Password Hashing

  • Newer algorithms use key stretching to increase the work required per hash.

    – The initial key is fed into an algorithm that outputs an enhanced key.

  • Examples:

    – Bcrypt
    – PBKDF2 (Password-Based Key Derivation Function 2)

SLIDE 10

One Key Stretching Algorithm

    String hashStretchKey(String password, String salt,
                          String pepper, int workFactor) {
        String hash = "";
        for (int i = 0; i < workFactor; i++) {
            // hashFun is the underlying hash function (MD5 in this lab);
            // each round feeds the previous output back in with the salt,
            // pepper and password, so the cost grows linearly with workFactor.
            hash = hashFun(hash + salt + pepper + password);
        }
        return hash;
    }
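The stretching loop above, together with the salt (slide 6) and pepper (slide 8) it takes as input, written out as an added example in Python rather than the lab's Java; this is not code from the slides or from Cracker.java. It assumes MD5 as hashFun only because the lab uses it, and the function names, the stored-record layout and the timing helper are my own.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not from the slides or the lab's Cracker.java: the slide-10
# stretching loop in Python, plus the storage/verify side that uses it.
# MD5 is used only because the lab uses it; names here are my own.

def hash_fun(data: str) -> str:
    """The underlying hash function (MD5 in this lab)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def stretch_key(password: str, salt: str, pepper: str, work_factor: int) -> str:
    """Iterate hashFun(hash + salt + pepper + password) work_factor times."""
    h = ""
    for _ in range(work_factor):
        h = hash_fun(h + salt + pepper + password)
    return h

def make_record(password: str, pepper: str, work_factor: int) -> dict:
    """Server-side record: random per-user salt, work factor, stretched hash.
    The pepper is NOT stored in the record; it lives in application config."""
    salt = secrets.token_hex(8)
    return {"salt": salt, "work": work_factor,
            "hash": stretch_key(password, salt, pepper, work_factor)}

def verify(password: str, record: dict, pepper: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    candidate = stretch_key(password, record["salt"], pepper, record["work"])
    return hmac.compare_digest(candidate, record["hash"])

def seconds_per_guess(work_factor: int, trials: int = 100) -> float:
    """Cost of one guess at this work factor; a cracker pays the same per candidate."""
    start = time.perf_counter()
    for _ in range(trials):
        stretch_key("password123", "AE", "7", work_factor)  # constructed inputs
    return (time.perf_counter() - start) / trials

if __name__ == "__main__":
    rec = make_record("secret", pepper="7", work_factor=1000)
    print(rec, verify("secret", rec, "7"), verify("guest", rec, "7"))
    for wf in (1, 1000, 10000):
        print(wf, seconds_per_guess(wf))
```

With work_factor=1 and empty salt and pepper the result is plain md5("secret"), the first row of the slide-3 table, which is exactly the case a reverse-lookup table defeats.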

SLIDE 11

Lab: Part 3

Download inputSaltedPeppered.txt. These credentials include salt values used in the hash, along with an unknown pepper value, created by:

  md5hash(salt+pepper+password)

Extend Cracker.java. The pepper value is a number between 1 and 10. How much slower is this program?