Chapter 3.3 - User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.

Presentation transcript:

Chapter 3.3 – User authorization & safety. Presented by: Maciej Mensfeld (dev.mensfeld.pl, github.com/mensfeld), senior Ruby.


Ruby on Rails: User authorization & safety. Please…
- …ask me to slow down if I speak too quickly;
- …ask me again if I forget;
- …ask questions if anything I say is not clear;
- …feel free to share your own observations.

Let's start with a naive approach! (Diagram: the login and the password are stored as-is in the DB.)

And… let's do it! A User model (or a migration updating it, if one already exists), generated with rails g migration NAME, with two columns: login (string, null: false, unique: true) and password (string, null: false). Note that the password column holds the plaintext password; that is the naive part.

Quite good but… What's wrong with this approach?

But we don't have any data that… Most stolen data can be used somehow!

Simple case study: SHA + Shippuuden.pl

Simple case study, lessons:
- You should not use MD5.
- You should not use MD5(MD5) either: nesting a fast hash (md5(md5), sha2(sha2)) adds almost no cost for the attacker.
- Any hash algorithm can be attacked by brute force: guess candidate passwords, hash them, compare with the stolen hashes.
- Any brute-force attack gets faster with rainbow (precomputed lookup) tables when the hash is unsalted.
- It is way easier when passwords are short :)
- Static vs dynamic (per-user) salt makes a real difference.

Secure Salted Password Hashing Maciej Mensfeld Chapter User authorization & safety


What is a cryptographic hash? A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message," and the hash value is sometimes called the message digest or simply digest.
Example digests: 4e2ecff8f8be5a7d4d d956d844aa5b8eebd5983edbaaa6fa7fc9bc9e21 de42d443f50d8608a79f6507b7e95c6d4a913615c85710f86a40bc23cdc5d5d

Passwords should not be weak! When we store users' passwords in our systems (databases, files, etc.), they should be safe. If we get hacked and our database gets stolen, the passwords should still be protected: no one should be able to read them. Most users have one password for all their web activities, so if this password gets stolen, the attacker will probably be able to log in to the victim's Facebook, Twitter and any other web accounts. But what about brute-force attacks? Every password should be validated before use: it should not be too short or too simple. We can do it with a regular expression: ^(?=.*\d)(?=.*([a-z]|[A-Z]))([\x20-\x7E]){8,40}$ (at least one digit, at least one letter, 8 to 40 printable ASCII characters). One caveat: in Ruby, ^ and $ match line boundaries, so for validation use \A and \z instead, otherwise "weak\nStrongEnough1" passes.

Salt, salt, salt. How to generate and use a salt? The easiest way is to use one global salt. Example:
Using a salt makes the precomputed rainbow tables that exist for the bare hash function useless. One global salt has, however, one major disadvantage: if two users have the same password, they also get the same output hash. So, with a lot of users, some of them sharing a hashed password, we need to crack only one hash and we get access to the accounts of every other user with the same hash. An attacker who learns the global salt can also generate a rainbow table dedicated to our hash function and salt, and reuse it against every account.

Salt, salt, salt. To protect against this we should use a unique per-user salt. How to generate such a salt? Combine some per-user data with some random bytes. Example:
We store the salt next to the password hash. Don't worry, it is safe: the salt is not a secret, its job is to be unique. Since each user has their own unique salt, no general rainbow table covers more than one user. Mix the password, the dynamic (per-user) salt and a static salt, and you are in a much better position. Furthermore, when the salts and the password are mixed in a unique way, an attacker who steals only the database, and not the source code, does not even know how to build rainbow tables for it. Example:
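The three situations described on the preceding slides (unsalted hash, one global salt, per-user salt), as an added Ruby example that is not part of the original deck. The users, passwords, dictionary and the GLOBAL_SALT value are constructed for the demo; the point is to show why a lookup table cracks unsalted hashes instantly, why equal passwords are visible under a global salt, and what a per-user salt does and does not buy you:

```ruby
require 'digest/sha2'
require 'securerandom'

# Constructed sample data: three users, two of them sharing a password.
USERS = {
  'alice' => 'qwerty123',
  'bob'   => 'qwerty123',
  'carol' => 'Tr0ub4dor&3'
}.freeze

# A tiny "dictionary" an attacker precomputes once. Real wordlists and
# rainbow tables are this idea at scale.
DICTIONARY = %w[password 123456 qwerty123 letmein].freeze

GLOBAL_SALT = 'site-wide-static-salt' # hypothetical value, normally kept out of the DB

def unsalted(password)
  Digest::SHA256.hexdigest(password)
end

def global_salted(password)
  Digest::SHA256.hexdigest(GLOBAL_SALT + password)
end

def per_user_salted(password, salt)
  Digest::SHA256.hexdigest(salt + GLOBAL_SALT + password)
end

# Attack 1: build hash -> password once, then crack a whole dump by lookup.
def lookup_table(dictionary, hasher)
  dictionary.each_with_object({}) { |pw, table| table[hasher.call(pw)] = pw }
end

def crack_with_table(stored_hashes, table)
  stored_hashes.transform_values { |h| table[h] } # nil when not in the table
end

# Attack 2: equal hashes reveal equal passwords, whether unsalted or under
# one global salt. Cracking one entry of a group cracks the whole group.
def shared_password_groups(stored_hashes)
  stored_hashes.group_by { |_, h| h }.values
               .map { |pairs| pairs.map(&:first) }
               .select { |group| group.size > 1 }
end

# Per-user salt: each record gets fresh random bytes stored next to the hash.
def store_per_user(users)
  users.transform_values do |pw|
    salt = SecureRandom.hex(16)
    { salt: salt, hash: per_user_salted(pw, salt) }
  end
end

# Per-user salts do not stop guessing; they kill pre-built tables and force
# the attacker to rerun the dictionary once per user. With a fast hash such
# as SHA-256 that is still cheap, which is why slow KDFs (bcrypt, PBKDF2,
# scrypt, Argon2) exist.
def crack_per_user(records, dictionary)
  records.transform_values do |rec|
    dictionary.find { |pw| per_user_salted(pw, rec[:salt]) == rec[:hash] }
  end
end

if $PROGRAM_NAME == __FILE__
  dump = USERS.transform_values { |pw| unsalted(pw) }
  p crack_with_table(dump, lookup_table(DICTIONARY, method(:unsalted)))
  p shared_password_groups(USERS.transform_values { |pw| global_salted(pw) })
  per_user = store_per_user(USERS)
  p shared_password_groups(per_user.transform_values { |r| r[:hash] })
  p crack_per_user(per_user, DICTIONARY)
end
```

Note that the global-salt table only helps the attacker once GLOBAL_SALT has leaked (stolen source or config); what it never hides is which accounts share a password, since the grouping needs no salt at all.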

Let's implement! require 'digest/sha2'. What do we need?
- password and password confirmation
- salt (persisted)
- hashed_password (persisted)
- login
- logout
- password checker
- hashed password generator
- salt generator
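A plain-Ruby stand-in for the User model pieces listed above (salt generator, hashed password generator, password checker, confirmation check), as an added example that is not the deck's code. It follows the slide's Digest::SHA2 recipe with a per-user salt plus a static salt; the class name, the STATIC_SALT source and the error strings are assumptions. Login and logout are session handling in the controller and are left out. In a Rails app these methods would sit on an ActiveRecord model with salt and hashed_password columns, and a caveat the slide does not state: a single SHA-256 round is fast to brute-force, so a deliberately slow KDF such as bcrypt (what Rails' has_secure_password uses) is the better choice today.

```ruby
require 'digest/sha2'
require 'securerandom'

class User
  # Hypothetical static salt ("pepper"): lives in config or an environment
  # variable, never in the users table, so a DB-only theft does not get it.
  STATIC_SALT = ENV.fetch('PASSWORD_PEPPER', 'change-me-in-config').freeze

  # The deck's complexity rule, anchored with \A/\z (^/$ are per-line in Ruby).
  PASSWORD_FORMAT = /\A(?=.*\d)(?=.*[a-zA-Z])[\x20-\x7E]{8,40}\z/

  attr_reader :login, :salt, :hashed_password   # salt and hashed_password are persisted
  attr_accessor :password, :password_confirmation # never persisted

  def initialize(login)
    @login = login
    @salt = nil
    @hashed_password = nil
  end

  # Salt generator: 16 random bytes, hex-encoded, fresh for every user.
  # Randomness, not login or e-mail, is what guarantees uniqueness.
  def self.generate_salt
    SecureRandom.hex(16)
  end

  # Hashed password generator: per-user salt, static salt and password mixed
  # in a fixed order with separators so fields cannot slide into each other.
  def self.hash_password(password, salt)
    Digest::SHA256.hexdigest("#{salt}:#{STATIC_SALT}:#{password}")
  end

  def errors
    errs = []
    errs << 'password is blank' if password.to_s.empty?
    errs << 'password is too weak' unless password.to_s.match?(PASSWORD_FORMAT)
    errs << 'password confirmation does not match' unless password == password_confirmation
    errs
  end

  def valid?
    errors.empty?
  end

  # "Persist": keep only salt and hash, drop the plaintext from memory.
  def save
    return false unless valid?
    @salt = self.class.generate_salt
    @hashed_password = self.class.hash_password(password, @salt)
    @password = @password_confirmation = nil
    true
  end

  # Password checker: recompute with the stored salt and compare in
  # constant time, so response timing does not leak how many bytes matched.
  def authenticate(candidate)
    return false if hashed_password.nil?
    secure_equal?(self.class.hash_password(candidate, salt), hashed_password)
  end

  private

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Two users who pick the same password end up with different hashed_password values because each gets its own salt, and the plaintext never survives save.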

Spec for the User model. Put the test spec into the test/units directory and run it with: ruby -Itest ./test/units/user_test.rb

Ruby: User authorization & safety Maciej Mensfeld Live long and prosper! Presented by: Maciej Mensfeld dev.mensfeld.pl github.com/mensfeld