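This post was last edited by samiux on 2014-8-31 02:13
Disclosure: at most I studied computer science in secondary school. What follows is my honest understanding from my own knowledge. If I'm wrong, just have a laugh.
I'm not well educated and not very good at (typing) English.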

1 ...
wdtech posted on 2014-8-31 00:58


First of all, my English is not good indeed but I cannot input Chinese.  My bad.

In the view of a hacker, a hash with or without salt can be cracked.  The key is time and money (electricity bill).  As far as I know, you can identify the type of hash by the structure of the hash, such as MD5, MD5+salt, etc.  The typical cracking tool, John the Ripper, can detect the type of hash automatically.

Basically, oclhashcat can handle hashes with or without salt (please see below).  As oclhashcat uses OpenCL or CUDA to crack, the performance is quite good, such as 15445M c/s for an AMD HD7970 display card (where c/s stands for cracks per second and M stands for million).  If oclhashcat is combined with a password/hash policy, the time to a successful crack will be reduced a lot.

The basic operation of cracking tools is to compare the hash of the generated string/data with the original hash.  If the hashes match, the crack is successful.  The cracking tools are not cracking the hash.  They are comparing the hashes instead.  If the cracking tools are working with a password/hash policy, such as oclhashcat, the cracking time will be shorter.  The password/hash policy of the HKID card number is mentioned in Post #1, please refer to that.

The following is the list of algorithms that oclhashcat can handle:
Algorithms

    MD4
    MD5
    SHA1
    SHA-256
    SHA-512
    SHA-3 (Keccak)
    RipeMD160
    Whirlpool
    GOST R 34.11-94
    HMAC-MD5 (key = $pass)
    HMAC-MD5 (key = $salt)
    HMAC-SHA1 (key = $pass)
    HMAC-SHA1 (key = $salt)
    HMAC-SHA256 (key = $pass)
    HMAC-SHA256 (key = $salt)
    HMAC-SHA512 (key = $pass)
    HMAC-SHA512 (key = $salt)

    LM
    NTLM
    DCC
    DCC2
    NetNTLMv1
    NetNTLMv1 + ESS
    NetNTLMv2
    Kerberos 5 AS-REQ Pre-Auth etype 23
    AIX {smd5}
    AIX {ssha1}
    AIX {ssha256}
    AIX {ssha512}
    FreeBSD MD5
    OpenBSD Blowfish
    descrypt
    md5crypt
    bcrypt
    scrypt
    sha256crypt
    sha512crypt
    DES(Unix)
    MD5(Unix)
    SHA256(Unix)
    SHA512(Unix)
    OSX v10.4
    OSX v10.5
    OSX v10.6
    OSX v10.7
    OSX v10.8
    OSX v10.9
    Cisco-ASA
    Cisco-IOS
    Cisco-PIX
    GRUB 2
    Juniper Netscreen/SSG (ScreenOS)
    RACF
    Android PIN
    Android FDE
    MSSQL
    MySQL
    Oracle
    Postgres
    Sybase
    DNSSEC (NSEC3)
    IKE-PSK
    IPMI2 RAKP
    iSCSI CHAP
    WPA
    WPA2
    1Password, cloudkeychain
    1Password, agilekeychain
    Lastpass
    Password Safe v2
    Password Safe v3
    TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES
    TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES
    TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES
    TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + boot-mode
    TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + hidden-volume
    TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES + hidden-volume
    TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES + hidden-volume
    TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + hidden-volume + boot-mode
    SAP CODVN B (BCODE)
    SAP CODVN F/G (PASSCODE)
    Lotus Notes/Domino 5
    Lotus Notes/Domino 6
    Lotus Notes/Domino 8
    PeopleSoft
    Citrix Netscaler
    Netscape LDAP SHA/SSHA
    Apache MD5-APR
    Skype
    hMailServer
    EPiServer
    Drupal
    IPB
    Joomla
    MyBB
    osCommerce
    Redmine
    SMF
    vBulletin
    PHPS
    Mediawiki B type
    Woltlab Burning Board
    xt:Commerce
    Wordpress
    phpBB3
    Half MD5 (left, mid, right)
    Double MD5
    Double SHA1
    md5($pass.$salt)
    md5($salt.$pass)
    md5(unicode($pass).$salt)
    md5($salt.unicode($pass))
    md5(sha1($pass))
    md5($salt.md5($pass))
    sha1($pass.$salt)
    sha1($salt.$pass)
    sha1(unicode($pass).$salt)
    sha1($salt.unicode($pass))
    sha1(md5($pass))
    sha256($pass.$salt)
    sha256($salt.$pass)
    sha256(unicode($pass).$salt)
    sha256($salt.unicode($pass))
    sha512($pass.$salt)
    sha512($salt.$pass)
    sha512(unicode($pass).$salt)
    sha512($salt.unicode($pass))


The following is the cracking speed of oclhashcat:



To answer your Item 5.  Basically, an HKID card number has a maximum of 2 letters in front.  For Hong Kong citizens, the letter ranges from A to Z (single letter).  For foreigners, it should be two letters, such as XA, XD, XE, etc.  However, this policy was changed after 1997.  For example, for domestic helpers, the letters of their HKID card numbers will be W or WX.

The top portion of the screenshot shows users entering their HKID card number from the second letter of the input field, while the bottom portion of the screenshot shows users entering their HKID card number at the beginning of the input field.

One thing that I should mention is that the HKID card numbers and telephone numbers are not hashed and they are stored in the database in plain text from the captioned hack.

Finally, if the data is hashed with salt and transmitted via SSL, the data still can be cracked if the hacker can access the database.  The key is time and money.  With the help of oclhashcat, the time will be reduced a lot if working with suitable hardware.  Cracking tools are comparing the hashes instead of cracking the hash; you should keep that in mind.

Meanwhile, the hash algorithm used in web applications is usually MD5 or MD5+salt due to the performance.  If the web application uses SHA-256 as the hash algorithm, the web application will respond very slowly and it will look like it hangs when it is busy.

I am not a computer science expert.  I only express my point of view in terms of a hacker.

Update reason: typo fix

TOP

This post was last edited by snoopy11hk on 2014-8-31 02:50
First of all, my English is not good indeed but I cannot input Chinese.  My bad.

In the view of a ...
samiux posted on 2014-8-31 02:12



    If the web application uses SHA-256 as the hash algorithm, the web application will respond very slowly and it will look like it hangs when it is busy.

I wonder if popvote will outsource most of the workload to the browser (i.e. JavaScript asymmetric encryption/hashing)

TOP

If the web application uses SHA-256 as the hash algorithm, the web application will respond very ...
snoopy11hk posted on 2014-8-31 02:49


In my opinion, if the hash generation is at the client side, it is not wise to do so in terms of security.

Samiux

TOP

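Using SHA-256 shouldn't be too slow; it is only done once, when the result is submitted. Or it may already have been done on the client, so what gets sent out is already a hash code, and the server then adds a salt and MD5-hashes it once more, which makes it extremely hard to crack.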

TOP

This post was last edited by stephenwong on 2014-8-31 10:03

What you guys said, that using a GPU, blah blah blah, one can 'easily' find out the original plaintext of the hash codes captured by PopVote, is simply wrong.  You made a wrong assumption that there is ONE hash for HKID, ONE hash for telephone number, and you know the combinations of 'alphabets' in HKID and telephone number are limited, so you can 'easily' exhaust all the combinations and compare with the hash (to find out the original HKID and telephone number of the voters).  There must be a data structure to put the HKID and telephone number in before hashing is applied.  Usually, the data structure will be of some fixed size (or padding will be applied); for example, if the data structure is 16 bytes (128 bits) in size, you don't know which bytes correspond to HKID and which bytes are used to store the telephone number.  Although the plaintext still won't exhaust all 2^128 combinations, because some plaintext combinations are not valid (e.g. no such HKID, no such telephone number), you can't reduce your brute-force trial space, because you don't know the data structure in the first place.  Assume you can achieve 10,000M hash per sec, you still need roughly 1E28 years to find out the plaintext of a given hash.  This has nothing to do with 'salt'.  Without 'salt', if you have enough time, you can generate a 'dictionary' of all 2^128 hash codes corresponding to all possible plaintext combinations, and with the dictionary, you can find out the plaintext by searching your 'dictionary'.  By adding 'salt', you just make the 'dictionary' approach even more complex; say, if you add a 2-byte 'salt', you add 65536 times complexity, because there are 65536 dictionaries to be generated.

But hey, I just illustrated an example IF the data structure is 16-bytes in size, who knows if the data structure is 64-bytes in size, 128-bytes in size.  You cannot tell from the hash how big was the original plaintext!

You guys also question how the apps work, whether the hash and encryption were done on the client or on the server.  There are a lot of possibilities, and even if the hash and encryption were done on the client, it can be designed such that you won't be able to cheat, say, by adding a round of asymmetric cryptography.

You said, the server won't be able to handle the encryption / hashing?  You must be joking, there were 700k voters in the last PopVote?  A simple Intel i5 can sustain easily 20MB to 30MB AES encryption per second.  Just like using Bitlocker in Windows, usually, the bottleneck is still the speed of your hard disk.  Those 700k voters did not vote in the same second (but spread in a few weeks), so, don't worry about the server, worry more about the DDoS attack from North!

TOP
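The search-space figures argued over in the posts above, worked through as an added example (not written by any participant in the thread). It assumes an identifier layout of one or two prefix letters plus six digits, treats the quoted GPU rate as a base-hash rate, and uses a hypothetical 100,000-iteration KDF for comparison; `keyspace`, `estimate` and `scenarios` are illustrative names.

```python
# Added illustration; the ID layout and the KDF iteration count are assumptions.
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600
CLASS_SIZES = {"L": 26, "D": 10}  # L = uppercase letter, D = decimal digit

def keyspace(mask: str) -> int:
    """Number of distinct strings matching a mask such as 'LDDDDDD'."""
    total = 1
    for symbol in mask:
        total *= CLASS_SIZES[symbol]
    return total

@dataclass
class Estimate:
    candidates: int       # values a single record could hold
    seconds: float        # worst case to test every candidate against one hash
    table_entries: int    # entries needed for a precomputed lookup table

    @property
    def years(self) -> float:
        return self.seconds / SECONDS_PER_YEAR

def estimate(candidates, base_hashes_per_second, salt_bytes=0, kdf_iterations=1):
    # A salt stored beside the hash is fed into every guess, so the number of
    # candidates per record is unchanged; only precomputation is multiplied.
    table_entries = candidates * 256 ** salt_bytes
    # Approximation: one guess against an iterated KDF costs kdf_iterations hashes.
    seconds = candidates * kdf_iterations / base_hashes_per_second
    return Estimate(candidates, seconds, table_entries)

# Assumed layout: one or two prefix letters, then six digits. The trailing
# check digit is derived from the other characters, so it adds no candidates.
FORMAT_SPACE = keyspace("LDDDDDD") + keyspace("LLDDDDDD")
GPU_RATE = 15445e6    # "15445M c/s", as quoted in the thread
FLAT_RATE = 10_000e6  # "10,000M hash per sec", as quoted in the thread

def scenarios() -> dict:
    return {
        "format known": estimate(FORMAT_SPACE, GPU_RATE),
        "format known + 2-byte salt": estimate(FORMAT_SPACE, GPU_RATE, salt_bytes=2),
        "format known + 100k-iteration KDF": estimate(FORMAT_SPACE, GPU_RATE, kdf_iterations=100_000),
        "unknown 16-byte layout": estimate(2 ** 128, FLAT_RATE),
    }

if __name__ == "__main__":
    for name, e in scenarios().items():
        print(f"{name:34s} {e.seconds:10.3e} s  {e.years:10.3e} y  table {e.table_entries:.3e}")
```

For whoever stores such identifiers, the rows separate the three levers: the salt changes only the table size, the iteration count scales the per-record time linearly, and the size of the candidate set dominates both.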

You made a wrong assumption that there is ONE hash for HKID, ONE hash for telephone number
stephenwong posted on 2014-8-31 10:01


How can you know that assumption is wrong? Are you the developers of PopVote?
You are also making an assumption that the developers of PopVote genuinely care about security and know the right way to implement it, which might also be a wrong assumption.
Maybe the developers are lazy so they just implement it in the simplest way possible to satisfy the request of their boss.

TOP

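Reply to 26# KoolFreeze

You don't understand what he means...
To sum up,
the point of his whole post is:
1) The ASSUMPTION made at the start is already wrong, because you don't know how they IMPLEMENT it...
If the underlying FACT is wrong, you can't keep reasoning from it.

2) Under normal circumstances (that is, when not under a DDoS attack), there is no need to consider the PERFORMANCE of the HASH.

As I said before, "you can't say it is easy to CRACK, and you can't say it is hard to CRACK,
because you don't know how they IMPLEMENT it"
...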

TOP

I also have my own assumption: the PopVote developers, supposedly some RAs working in HKU, were properly trained in computer programming / security implementation.  Of course, I don't have a chance to see the actual code, but for a secured system, it doesn't matter whether the source code is published or not.  Digital security is basically an art of very large permutations.  You can brute force try all combinations, but it will take a long long time, that's it.

Well, putting data into a data structure (record) is also an assumption, but it is so basic that any programming course will teach data structures at a very early stage.  So, if the developers did not put data into a record (and hash that afterwards), I don't think those developers are qualified.

TOP

I also have my own assumption, the PopVote developers, supposedly some RAs working in HKU, were prope ...
stephenwong posted on 2014-8-31 15:17


At the very beginning, I assumed that the data is hashed or encrypted, according to the official wording.  The GPUs and oclhashcat, as well as the HKID card number policy, can get the job done easily, but it requires two keys, that is, time and money.  The more complicated it is, the more time and money the cracking requires, and the lower the performance of the web application is.  For the performance of hashing or encrypting, we can set up a lab to experiment with hashing/encrypting in 10+ parallel threads.

As far as I know, https://secure.popvote.hk is installed on AWS (Amazon Web Services) and behind Cloudflare protection.  AWS and Cloudflare are situated in the USA (very far away from Hong Kong).  I think the bandwidth of voters (2.5G to 1Gbps) is also important for the performance.  You will find that MD5 or MD5+salt has better performance.  I have discussed the DDoS and Cloudflare matter on the site before and I am not going to talk about them here.

However, not related to the topic here, it is very hard to explain this attack (http://www.freebuf.com/articles/web/41533.html).  Why can the attacker extract data from the database that is in plain text (assuming that the database is from https://secure.popvote.hk, but it is believed to be from the site according to the screenshots)?

Samiux

TOP

As for the screenshot in 20#, the data has obviously been sorted, and there is only this little of it???

TOP