Elections Choose wisely, this is your chance to prove if election by popular vote works or not.

Announcements Congratulations to all graduating members Next week is Movie Night

Elections Voting Method No fake voters here! http://j.mp/2oapeMQ

President Kaan Goksal Brice Nsiangani

Vice-President Tyler Flynn Brice Nsiangani Kaan Goksal

CTF Captain Wesley Cheung Brice Nsiangani

Vice-CTF Captain Wesley Cheung Joshua Jacob Tyler Flynn Brice Nsiangani

External Communications Admin Caleb Hess Jacob Butler Brice Nsiangani Tommaso Pieroncini

Internal Communications Admin Brice Nsiangani Tommaso Pieroncini

Website Admin Andrew Ray Harsh Gupta Brice Nsiangani Tommaso Pieroncini

A/V Admin Harsh Gupta Brice Nsiangani

Allow the votes

Congratulations to all our new officers!

Password Hashing

What's going on
  Logging on requires two things: username and password
  Imagine you're a hacker: discover a vulnerability in the web application, get access to the list of all the usernames and passwords
  Game over for every single one of those users

So passwords are bad
  How do you store a password without storing the password?
  With a ton of this

What is password hashing?
  Hashes are one-way functions
  Fixed-length "fingerprint"
  Ex. hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
      hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
  How does the login process work?
  Want cryptographic hashes (SHA256, SHA512, WHIRLPOOL)
  Not hash functions used to implement data structures – those are designed to be fast, not secure

So we're safe now! Not quite
  Dictionary and brute-force attacks
  Easy – guess the word; if it has the same hash as the one you've got, then you've found the password!
  Difference between dictionary and brute force?
  Derive every hash from scratch every time?

Lookup Tables
  Lookup table: https://crackstation.net/
    Input: your hash
    Output: the password
    E4ba5cbd251c98e6cd1c23f126a3b81d8d8328abc95387229850952b3ef9f904
  Rainbow table
    Similar to a lookup table, but uses less space
    Not as fast, but fast enough
    There are tables to crack any md5 hash of a password up to 8 characters
  Fundamental problem – you hash your pass and I hash my pass, and we get the same hash every time

Adding Salt
  Hash the password differently each time
    hash("hello" + "QxLUF1bgIAdeQX")
    hash("hello" + "bv5PehSMfV11Cd")
  Salt = random string prepended/appended to the password before hashing
  Salt does not need to be secret – the attacker can't precompute their lookup tables without the salt
  To check if a hash is correct, we need the salt to be stored with the password hash

Common errors
  Using the same salt for all your passwords
    Same salt? Attacker can compute one lookup table for everyone
  Using the username as the salt
    Username? Predictable; lookup tables can be computed for common usernames
  Using a short salt
    Short salt? Attacker can build a lookup table for every possible salt
    If only 3 ASCII characters, 95x95x95 possibilities = 857,375 salts
    If each lookup table of the most common passwords costs 1MB, collectively that is less than 1 TB
  Good rule of thumb: make the salt the same size as the output of the hash function
    Ex. if SHA256 generates a 32-byte value, then use a 32-byte salt

sash wringing, mash flinging, hash-slinging slasher
  Some fun schemes people have used:
    md5(sha1(password))
    md5(md5(salt) + md5(password))
    sha1(sha1(password))
    sha1(str_rot13(password + salt))
    md5(sha1(md5(md5(password) + sha1(password)) + md5(password)))
  Problem: the attacker typically has source code access
  Not difficult to reverse engineer the algorithm – it only ups the difficulty by a constant factor
  Better to use well-tested, well-known functions
  NO. JUST NO.

Hash Collisions
  Cryptographic hash functions – designed to make collisions very unlikely
  Attacks can make collisions easier
  MD5: a collision can be found in about 2^18 time – less than a second on a normal computer
  With dedicated FPGAs or GPUs, insecure hashes are easily broken
  Best for now: 256-bit output and above – SHA-256, SHA-512, WHIRLPOOL, etc.
  Standard construction such as PBKDF2 (Password-Based Key Derivation Function 2 – RSA Labs)

Takeaways
  Don't make your own hash functions
  Use well-known libraries that already implement this for you
    Java's java.security.SecureRandom
    Python's os.urandom
    C/C++'s CryptGenRandom
    /dev/random or /dev/urandom
  Ton of great info from Crackstation.net
  Bcrypt is a scalable hash function – slow on purpose; just increase the work (cost) factor over time
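Putting the salt, salt-length and PBKDF2 slides together, here is an added example (not from the presentation) of the storage scheme they describe in Python's standard library: a 32-byte os.urandom salt (as long as the SHA-256 output), PBKDF2-HMAC-SHA256 with a tunable work factor, and the salt stored next to the digest so verification can recompute it. The record format and the sample passwords are constructed for the demo.

```python
# Added example: salted PBKDF2 password storage, contrasted with the unsalted
# SHA-256 scheme the slides start from. Record format and passwords are constructed.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # work factor: raise it over time, like bcrypt's cost parameter
SALT_BYTES = 32        # same size as the SHA-256 output, per the slides' rule of thumb


def unsalted_sha256(password: str) -> str:
    """The slides' first scheme: identical passwords give identical digests,
    so one precomputed lookup table serves every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex'. A fresh random salt is drawn
    on every call unless one is supplied (only for reproducible tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_digest_for_same_password(password: str) -> tuple:
    """The slides' 'fundamental problem' and its fix: unsalted digests repeat
    across users, salted records do not."""
    unsalted_repeats = unsalted_sha256(password) == unsalted_sha256(password)
    salted_repeats = hash_password(password) == hash_password(password)
    return unsalted_repeats, salted_repeats


if __name__ == "__main__":
    record = hash_password("correct horse")   # constructed sample password
    print(record)
    print(verify_password("correct horse", record), verify_password("hbllo", record))
    print(same_digest_for_same_password("hello"))
```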