//Security Tools/Hashing & Password Activity

Rubik's Hash


Rubik's Hash: An Analogy to Hash Functions

Salt: Strengthening Hash Functions

Properties of a Good Cryptographic Hash Function

There are several properties that a good cryptographic hash function should have.
  1. It should be easy to compute the hash of an input.
  2. If all you have is a hash value, it should be very hard to find an input that hashes to that value. Our Rubik's Cube Hash has this property (and the first property), at least if you accept Rubik's cube solving as being difficult.
  3. It should be difficult to find two inputs with the same hash. Related to that, it should be hard to take a hash value and a input that hashes to it, and engineer from the first input another input that hashes to that same value. It might not be obvious that someone could cause trouble if they could do this, but what should be obvious is that if we can do this, our hashing scheme is not capable of guaranteeing the integrity of messages, and that's bad.

Password Authentication

If you contact a company/site to tell them you've forgotten your password, and they can tell you what your password was ... they're storing your actual password and not the hash (how do we know that?). You should be indignant! Do you think it never happens? Check out this New York Times article about the RockYou.com break-in. Hackers broke into rockyou.com and stole files with the passwords of over 32 million RockYou.com users. This was only possible because RockYou.com stored actual passwords, not hashes-of-passwords. [Here's a brief follow-up article.]

450k Yahoo Passwords Leaked (7/2012)

It's been a few years since the RockYou.com incident. Surely no company would store passwords "in the clear", i.e. no cryptographic protections ... right? Wrong! In July 2012, attackers used an SQL injection attack to steal user credentials of about 450,000 yahoo.com accounts. Apparently, the database was storing the actual passwords for those accounts, not hashes! [CNET article] [net-security.org article] This blog post has a breakdown of the most common passwords in the bunch (notice that '123456' is on top). Similar occurrence at Billabong too!

Strength of passwords

If you like the xkcd-style passwords (as described in the comic to the right), you can use the sy110 xkcd-style password generator. You can check out this graphic for some tips — you'll have to click to expand it in order to make it readable.

Client and Server Responsibilities

Two factor authentication

Dropbox hacked ... will now offer 2-factor authentication
In July 2012, hackers managed to break into the account of an employee at dropbox.com, a well-known "cloud storage" site, using a stolen password. This gave them access they should not have had — access to dropbox.com user information, for example. Dropbox.com has decided to offer a two-factor authentication option (using your cell-phone as the second factor) to add another layer of defense against this kind of attack. Check out this arstechnica article.
Password Cracking in the Navy
Navy commands routinely run password cracking software on their own password files to ensure users are using strong passwords. Specifically, the Navy uses L0phtCrack, a program that can crack Windows and UNIX passwords. L0phtCrack can be configured to use dictionary attacks (like the attacks we performed during the class activities). Results from the routine password cracks are reported to and monitored by upper levels of the chain of command.
Security means never standing still
To keep their information systems secure, the Navy has to constantly update and upgrade not only their hardware and software, but even the cryptographic algorithms the hardware and software use. MD5 was the standard for a long time, but as researchers started to discover flaws (or even potential flaws), the Navy had to migrate to a newer, better hashing algorithm, which was SHA1. Even that is now less secure than it was a few years ago. Consider this brief article covering the Department of the Navy's announcement that systems will be migrating (gradually changing) to a still stronger cryptographic hashing algorithm: SHA-256.