Presentation is loading. Please wait.

Presentation is loading. Please wait.

Elections Choose wisely, this is your chance to prove if election by popular vote works or not.

Published byВасилије Станић Modified over 5 years ago

Similar presentations

Presentation on theme: "Elections Choose wisely, this is your chance to prove if election by popular vote works or not."— Presentation transcript:

1 Elections Choose wisely, this is your chance to prove if election by popular vote works or not

2 Announcements Congratulations to all graduating members
Next week is Movie Night

3 Elections Voting Method No fake voters here!

4 President Kaan Goksal Brice Nsiangani

5 Vice-President Tyler Flynn Brice Nsiangani Kaan Goksal

6 CTF Captain Wesley Cheung Brice Nsiangani

7 Vice-CTF Captain Wesley Cheung Joshua Jacob Tyler Flynn
Brice Nsiangani

8 External Communications Admin
Caleb Hess Jacob Butler Brice Nsiangani Tommaso Pieroncini

9 Internal Communications Admin
Brice Nsiangani Tommaso Pieroncini

10 Website Admin Andrew Ray Harsh Gupta Brice Nsiangani
Tommaso Pieroncini

11 A/V Admin Harsh Gupta Brice Nsiangani

12 Allow the votes

13 Congratulations to all our new officers!

14 Password Hashing

15 What’s going on Logging on requires two things Imagine you’re a hacker
Username Password Imagine you’re a hacker Discover a vulnerability in the web application Get access to list of all the usernames and passwords Game over for every single one of those users

16 So passwords are bad How do you store a password without storing the password? With a ton of this

17 What is password hashing?
Hashes are one way functions Fixed length “fingerprint” Ex. hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e b9824 hash("hbllo") = c05c68dfac fad6a93f8146f337a69afe7dd238f How does login process work Want cryptographic hashes (SHA256, SHA512, WHIRLPOOL) Not hash functions used to implement data structures – designed to be fast, not secure

18 So we’re safe now! Not quite Dictionary and Brute Force Attacks
Easy – guess the word, if it’s the same hash as the one you’ve got, then you’ve found the password! Difference between dictionary and brute force? Derive every hash from scratch every time?

19 Lookup Tables Lookup Table: https://crackstation.net/ Rainbow Table
Input: Your hash Output: The password E4ba5cbd251c98e6cd1c23f126a3b81d8d8328abc b3ef9f904 Rainbow Table Similar to lookup table, but uses less space Not as fast but fast enough There are tables to crack any md5 hash of a password up to 8 characters Fundamental problem – you hash your pass and I hash my pass, and we get the same hash every time

20 Adding Salt Hash the password differently each time
Hash(“hello” + “QxLUF1bgIAdeQX”) hash("hello" + "bv5PehSMfV11Cd") Salt does not need to be secret – attacker can’t precompute their lookup tables without the salt Salt = random string prepended/appended to password before hashing To check if hash is correct, we need the salt to be stored with password hash

21 Common errors Using the same salt for all your passwords
Using the username as the salt Using a short salt If only 3 ASCII characters, 95x95x95 possibilities = 857,375 salts If each lookup table costs 1MB of most common passwords, collectively less than 1 TB Good rule of thumb: Make hash same size as output of hash function: Ex. If SHA256 generates 32 byte value, then have a 32 byte salt Same salt? Can compute a lookup table Username? Predictable, lookup tables can be computed for common usernames Short salt? Attacker can build lookup table for every possible salt

22 sash wringing, mash flinging, hash-slinging slasher
Some fun schemes people have used md5(sha1(password)) md5(md5(salt) + md5(password)) sha1(sha1(password)) sha1(str_rot13(password + salt)) md5(sha1(md5(md5(password) + sha1(password)) + md5(password))) Problem: attacker typically has source code access Not difficult to reverse engineer algorithm – only ups the difficulty by a constant factor Better to use well tested, well known functions NO. JUST NO.

23 Hash Collisions Cryptographic hash functions
MD5 Collision resistance in 2^18 time. Less than a second on normal computer With dedicated FPGAs or GPUs, easily break insecure hashes Best for now 256 bit output and above Standard construction such as PBKDF2 SHA-256, SHA-512, WHIRLPOOL, etc. Crypto functions – designed to make collisions very small Attacks can make collisions easier Password-Based Key Derivation Function 2 – RSA labs

24 Takeaways Don’t make your own hash functions
Use well known libraries that already implement this for you Java.security.SecureRandom Python’s os.urandom C/C++’s CryptGenRandom /dev/random or /dev/urandom Ton of great info from Crackstation.net Bcrypt is a scalable hash function - slow Just increase a weight factor

Download ppt "Elections Choose wisely, this is your chance to prove if election by popular vote works or not."

Similar presentations

Use of a One-Way Hash without a Salt

Use of a One-Way Hash without a Salt
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Chapter 3.3 - User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.

Chapter User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
Secure Password Storage JOSHUA SMALL HTTPS://GITHUB.COM/TECHNION/ LHNSKEYHTTPS://GITHUB.COM/TECHNION/ LHNSKEY - ROOT PASSWORD GENERATOR FOR CVE-2013-2352.

Secure Password Storage JOSHUA SMALL LHNSKEYHTTPS://GITHUB.COM/TECHNION/ LHNSKEY - ROOT PASSWORD GENERATOR FOR CVE
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.

Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.
Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.

Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.
Databases and security continued CMSC 461 Michael Wilson.

Databases and security continued CMSC 461 Michael Wilson.
David Evans CS200: Computer Science University of Virginia Computer Science Class 35: Cookie Monsters and Semi-Secure.

David Evans CS200: Computer Science University of Virginia Computer Science Class 35: Cookie Monsters and Semi-Secure.
David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.

David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.
Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.

Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.

Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
 Access Control 1 Access Control  Access Control 2 Access Control Two parts to access control Authentication: Are you who you say you are? – Determine.

 Access Control 1 Access Control  Access Control 2 Access Control Two parts to access control Authentication: Are you who you say you are? – Determine.
Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene.

Exercises Information Security Course Eric Laermans – Tom Dhaene.

Similar presentations

Ads by Google