snoopy11hk

Is distributed computing necessary?

According to the benchmark by oclHashcat, a single typical co ...
KoolFreeze 發表於 2014-8-30 14:55

    what if they used an encrypted algo before hashing?
e.g. AES-256 + (SHA-256 + Salt)?

samiux

unreservable  ???
Do you mean irreversible.
Charcoal99 發表於 2014-8-30 18:15

My bad,  thanks.

samiux

Due to the performance of the web application,  the data should be MD5  + salt.   If it is too complicate,  the web application will response very slowly.

Samiux

Charcoal99

原文是這個 https://popvote.hk/english/project/vote_May2014/privacy/
佢地無話到個 algorithm 是irreversible, 只是話果堆gen 出嚟嘅 HashCodes 無法reverse 為原本嘅 data,
只能比較新輸入data 所gen 嘅 HashCode, 看有沒有重覆，僅此而矣。
而且佢嘅陳述重係  effectively no one can reverse or decode them.

KoolFreeze

HASH的話通常會配合埋SALT, 唔係就咁HASH就算...
dsscss 發表於 2014-8-30 17:18

In the article PopVote: A Revolution in Gathering Opinions in Hong Kong in year 2013, the following sentence is included at the section "Future Development"

"As for privacy, a random salt can be added to data before hashing to make it difficult to work out the original data by the hashed pattern, while iterating the hashing process a few more times will increase the difficulty of hacking."

So we can be sure that at least in the past, PopVote did use single iteration plain hash without salt. It's still unknown whether it has implemented it now.

samiux

原文是這個
佢地無話到個 algorithm 是irreversible, 只是話果堆gen 出嚟嘅 HashCodes 無法reverse 為原本 ...
Charcoal99 發表於 2014-8-30 20:46

The statements at https://popvote.hk/english/project/vote_May2014/privacy/ is not for the 6.22 Civil Referendum.  The data destroy date should be later than June 2014.  I think the data has not been destroyed until now.

Personal Information Collection Statements

Notice: All personal information collected during the event has been destroyed on 7th May, 2014.

- All personal information collected is used only for identity verification and avoiding duplicate voting for this activity.
- All personal information collected in electronic way will be encrypted using SSL during the transfer and converted into an irreversible chain of Hash Codes marked on the server so that effectively no one can reverse or decode them.
- All personal information will be deleted from the server within one week after voting.

Samiux

samiux

In the article  in year 2013, the following sentence is included at the section "Future Developmen ...
KoolFreeze 發表於 2014-8-30 21:19

According to http://hkupop.hku.hk/english/columns/columns153.html, it stated that :

As for privacy, a random salt can be added to data before hashing to make it difficult to work out the original data by the hashed pattern, while iterating the hashing process a few more times will increase the difficulty of hacking.

However, how to explain the data captured by the hacker here? (http://www.freebuf.com/articles/web/41533.html)

The HKID numbers and the telephones have not been hashed or encrypted.

Samiux

KoolFreeze

However, how to explain the data captured by the hacker here? (http://www.freebuf.com/articles/web/41533.html)

The HKID numbers and the telephones have not been hashed or encrypted.
samiux 發表於 2014-8-30 21:40

It's their future development , so they probably haven't done it yet.

BTW, has anyone here verified whether the data captured by the hackers are really those from PopVote? They only released a password encrypted .7z file. HKU claims otherwise.

Unless the data are verified, we can't exclude the possibility that the "hacking" is a completely fake attack that didn't happen.

samiux

It's their future development , so they probably haven't done it yet.

BTW, has anyone here ve ...
KoolFreeze 發表於 2014-8-30 22:25

The dump.7z is password protected.  There are some tools to crack this kind of protection.  The only things are time and money (the electricity bill).  By the way, the size of the dump.7z is only 2MB in size.  It seems only a part of the whole database.

According to the screenshots, it seems that the data is from the server of popvote.hk but not sure it is from https://secure.popvote.hk or not.

I have read the news that some of the HKID card numbers and telephone numbers owners on the screenshots confirmed that they are the voters but some claimed not to be (if they are telling the truth).

Update reason : typo fix

wdtech

利申: 係中學讀過電腦科咁大把, 以下乃個人知識最真切見解。有錯就笑一下就好
讀得書少, 唔太識(打)英文

1) Hash function既大概原理係將資料(data) 變成一D index. 如有31個學生, 阿john 既香港考試及評核局[會考學生號]係 01, Marry 係 02... Peter 係 31.
你問Marry, 佢永遠會答你佢會考學生號係 02. 但如果你係街邊執到份HKEAA 既試卷上面好多個大交叉, 而個[會考學生號] 03, 其實你想找返個學生出黎恥笑既機會係零。因為你都無個table (or algorithm, de facto) 可以俾你對返係邊個學生豬咁蠢....

2) 而? 但唔係有D叫oclHashca 既野可以俾你Brute-force attack D hash 既??
係, 但其實你要知個 hash 既algorithm, 之後對返個program randomised 既data 如 (sorry*for%my!ignorance1, sorry*for%my!ignorance2, sorry*for%my!ignorance3, sorry*for%my!ignorance4..... ) 既hash 同你手上偷返黎既data 個hash 係唔係一樣. 如一個32byte 既hash, 理論上係有16^32 既組合(combinations) (而唔係26 * 10^6...... 因為我地係crack個hash) . 當然, 世上有D叻人會用number theory 去將collision attack 既combinations 次數減少。[好老實, 如果我係叻人, 我唔會有時間去打D野俾大家笑甩牙]

3) 唔係wo, 我知有D情況, 我用D program 好快會crack 到個(e.g.) MD5 password!?
呢個咁既情況, 我地只可以怪D人唔正確咁用hash function 去store 個password.
好似我用google, 查散列值字典"d5aedf560b928e289dc4a76d8765bc4e" 就會出到佢係"newbie" 既MD5 hash. 其實如果寫database program 個newbie 係個hash function 加d鹽 (糖好似唔得), 就唔會出事....

4) "所有以電子方式收集的個人資料會於傳送時使用SSL進行加密，並會以不能還原的散列代碼形式記錄於伺服器，以確保有關資料實際上無法被人破解和還原。"
請留意"並會" 這兩個字

5) [個人意見] 佢D用紅線mask 左既身份證號碼, 點解好似有D mask左一個字, 有D兩個字。搞到我覺得身份證號碼有D共有8個字, 有D有9個字咁得意

最後, 如果popvote 係在手機apps generate hash (md5, sha-256 etc) 再加鹽 再用SSL/TSL 建立安全連線到database, 而又無機會俾人middle man attack, 個人資料理應安全, "can crack the irreversible encryption data very easily." 未必成立。

最後八掛問一問, 各位大大對cryptography 有什麼經驗和心得 (用crack tool 不計)。小弟/女在此拋磚引玉。完