Episode 10, June 25, 2012

Listen Now (31:44)

Download (MP3), 30.5 megabytes

This podcast is brought to you by the Greater Lafayette Security Professionals (GLSP) group and the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

Show Notes

Hosts

  • Preston Wiley, CISSP, CCNA
  • Mike Hill, CISSP
  • Keith Watson, CISSP, CISA

Announcements

Security Updates

  • Adobe updated Flash Player on Windows, Mac OS X, Linux, and Android to fix 6 high and 1 medium ranked vulnerabilities, June 8th.
  • Opera Software released Opera 12.00 fixing 3 moderate ranked vulnerabilities, June 14th.
  • Oracle updated Java to version 7 update 5 which incorporated 14 security fixes, June 12th.

Discussion

  • Password Salting (Mike)
    • What is a good salt? How long should it be? How should it be stored?
    • Good Salt (http://crackstation.net/hashing-security.htm)
      • A good salt is one that is randomly generated. One method for creating random strings is to use a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG), which is designed to be cryptographically secure and to provide a high level of randomness.

    • Length
      • The recommended length of a salt is that it should be at least as long as the output of the hash function. In the case of SHA256, whose output is 32 bytes, the salt that is used should also be 32 bytes.

    • Storage
      • The salt should be stored in the database along with the password hash. The salt and hash could be stored together in one field or be kept separate in two fields. It is important to remember that the security of password salting does not depend on the salt being secret; it comes instead from the randomness of the salt that is used.

    • Tips
      • Never reuse a salt
      • Never use a short salt
      • Never use a salt that can be predicted (such as the username)

  • Password Hashing Methods (Keith)
    • Cryptographic vs. Password hashing
    • GLSP June 2012 meeting presentation on Password Hashing
  • Password Cracking Methods (Preston)
    • Brute force
      • This is the method of cracking that will work no matter what method you use for storing passwords. This is the method that you are hoping crackers need to resort to. Using a slow hashing function for the password reduces the number of guesses per second that a cracker can achieve.
    • Dictionary
      • This method uses a dictionary of common passwords as well as words (possibly from various languages). Typically, passwords that are significantly less than random, are not strong passwords, and are based on dictionary words can fall victim to this type of attack.
    • Lookup tables
      • A list of precomputed hash values for all passwords of a given length. When a hash value is available, it is looked up in the table. If found, the password is recovered. Salting a password hash can effectively defeat this method of password recovery.
    • Rainbow tables
      • Similar to a lookup table, but uses an algorithm to make lookups significantly faster than doing a table scan. This allows the cracker to go through a list of hashed passwords much faster than with a simple lookup table. This method can again be defeated by using a salt for the password hash.
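As an added example (not from the podcast, the GLSP presentation, or the crackstation article), the salting rules above and the "slow hashing function" point from the brute-force item, in Python: a 32-byte CSPRNG salt to match SHA256's output length, the salt stored in the clear in the same field as the hash, and a constant-time check. PBKDF2-HMAC-SHA256 as the slow function and the iteration count are my assumptions, not something the show notes specify.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: the notes only say the salt should be at least as
# long as the hash output (32 bytes for SHA256) and that hashing should be slow.
SALT_LEN = 32          # SHA256 output is 32 bytes, so the salt is 32 bytes
ITERATIONS = 100_000   # assumed PBKDF2 work factor; tune to your own hardware


def new_salt() -> bytes:
    """Fresh salt from the OS CSPRNG: never reused, never derived from the username."""
    return secrets.token_bytes(SALT_LEN)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash (PBKDF2-HMAC-SHA256), so brute force is the cracker's only option."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> str:
    """One-field storage '<salt hex>$<hash hex>'; the salt is not secret, only random."""
    salt = new_salt()
    return f"{salt.hex()}${hash_password(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, hash_hex = record.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def salts_defeat_precomputation(password: str = "correcthorse") -> bool:
    """Two users with the same password get different stored hashes, so a single
    precomputed lookup or rainbow table cannot cover both."""
    hash_a = make_record(password).split("$")[1]
    hash_b = make_record(password).split("$")[1]
    return hash_a != hash_b


if __name__ == "__main__":
    record = make_record("hunter2")
    print(record)
    print(verify("hunter2", record), verify("hunter3", record))
    print(salts_defeat_precomputation())
```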

The Serious about Security Podcast is brought to you by the Greater Lafayette Security Professionals (GLSP) group, Secure Purdue, and the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.


The views and opinions expressed in this podcast are those of the participants and do not reflect the views and opinions of Purdue University and The Center for Education and Research in Information Assurance and Security (CERIAS).
