Re: Sessionless Security

Posted: Mon Oct 27, 2008 9:33 am
by Mordred
VladSun wrote: It still suffers from the "empty challenge string" issue.
...
I.e. the MITM gets the SHA256 of "hashedpassword:lowercaseusername:" - still an offline "dehashing" attack is possible. There is no time window limit for doing this.
And when the MITM has successfully "dehashed" the "hashedpassword:lowercaseusername:" he can respond with a correct challenge-response string to any server sent challenge string.
My mistake was that I thought he was sending hash(password + challenge). If that were the case, one could do rainbow table attacks on the unsalted password.
With the current setup the empty challenge leads to:
hash(username + hash(password)), which is still a "personally salted" password which cannot be attacked with precomputational methods; it will have to be brute-forced.

Continuing this line of thought, since Mallory sits in the middle and has the challenge value (even if he cannot control it, i.e. a read-only MITM scenario) he has:
hash(username + hash(password) + challenge)
Since he knows the username and challenge, the task is essentially the same as before - brute-forcing a "personally salted" password. Being able to manipulate the challenge doesn't change anything.

So in this case Mallory wouldn't have any advantage over having a writable MITM attack; that's why I said I was wrong in my original scenario (which was much more severe because of the precomputed attack possibility).
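As an added illustration (not code from the thread), here is the challenge-response scheme discussed above, SHA-256 over "hashedpassword:lowercaseusername:challenge", together with the server-side checks that keep an empty or reused challenge from being accepted. The constants, class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the thread. Constants and names are assumptions.
CHALLENGE_BYTES = 16          # challenge is 32 hex characters
CHALLENGE_TTL_SECONDS = 60    # a challenge must be answered within this window

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def client_response(username, password, challenge):
    """Client side as in the thread; with challenge == "" this is a fixed per-user value."""
    return sha256_hex(sha256_hex(password) + ":" + username.lower() + ":" + challenge)

def client_accepts_challenge(challenge):
    """Client-side check before answering: refuse short or non-hex challenges."""
    try:
        return len(bytes.fromhex(challenge)) >= CHALLENGE_BYTES
    except ValueError:
        return False

class ChallengeServer:
    def __init__(self, password_hashes):
        self._hashes = password_hashes   # lowercase username -> sha256_hex(password)
        self._issued = {}                # lowercase username -> (challenge, issued_at)

    def issue_challenge(self, username, now=None):
        challenge = secrets.token_hex(CHALLENGE_BYTES)   # fresh and unpredictable
        self._issued[username.lower()] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, username, challenge, response, now=None):
        now = time.time() if now is None else now
        user = username.lower()
        issued = self._issued.pop(user, None)   # single use: consumed on first attempt
        if issued is None or user not in self._hashes:
            return False
        expected_challenge, issued_at = issued
        if not challenge or challenge != expected_challenge:   # empty challenge rejected here
            return False
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        expected = sha256_hex(self._hashes[user] + ":" + user + ":" + challenge)
        return hmac.compare_digest(expected, response)
```

These checks stop an empty or replayed challenge but do not change Mordred's point: a passive observer still holds hash(username + hash(password) + challenge) and can brute-force the password offline, which is why the thread treats this scheme as a last resort.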

Re: Sessionless Security

Posted: Mon Oct 27, 2008 9:39 am
by VladSun
Oh, OK. My bad :)
Thanks, Mordred.

Re: Sessionless Security

Posted: Mon Oct 27, 2008 9:48 am
by VladSun
Chalks wrote:... HMAC is (sort of... expect another thread in a day or two).
viewtopic.php?f=34&t=69781

And a HMAC function:

function hmac($algo, $data, $passwd)
{
    /* md5 and sha1 only: RFC 2104 HMAC with a 64-byte block size */
    $algo = strtolower($algo);
    /* pack() formats that turn the hex digest into raw bytes */
    $p = array('md5'=>'H32', 'sha1'=>'H40');

    /* keys longer than the block size are hashed first, shorter ones are zero-padded */
    if (strlen($passwd) > 64) $passwd = pack($p[$algo], $algo($passwd));
    if (strlen($passwd) < 64) $passwd = str_pad($passwd, 64, chr(0));

    $ipad = substr($passwd, 0, 64) ^ str_repeat(chr(0x36), 64);
    $opad = substr($passwd, 0, 64) ^ str_repeat(chr(0x5C), 64);

    /* outer hash over opad || raw(inner hash over ipad || data); returns hex */
    return $algo($opad . pack($p[$algo], $algo($ipad . $data)));
}

Re: Sessionless Security

Posted: Thu Nov 27, 2008 3:02 am
by Maugrim_The_Reaper
I guess I need to check my tutorial in more depth and address any risks associated with it. Unfortunately the damn thing is getting old in the tooth. The last similar system I used did create a small JavaScript library for checking, double checking and validating all incoming challenges. I almost DH'd the whole thing but then Firefox would crash probably :).

Just to note the C/R system on the browser is a refuge of last resort :). It should only be used where https is not possible with a browser. It's clearly a second class citizen.

Also, in case it's ever suggested, online web services should never ever use this approach. The accepted non-browser solution is to implement the Diffie-Hellman algorithm (just make sure ext/gmp is installed) - for which purpose I've released PEAR's Crypt_DiffieHellman and Zend's Crypt_DiffieHellman (in the ZF Incubator) - to generate a MITM-proof shared secret. Thereafter you can sign all messages using HMAC with the shared secret as a salt (and make sure the salt becomes invalid after a specific timeframe). Even then - https is preferable (not to mention more private!).

If anyone wants to update the tutorial themselves give me a shout. More than willing to post in a revised version.