Friday, August 1, 2014

Rainbow Tables' s forget worst nightmare

If you think that the pictures are a range of amenities rainbow of colors, you are not to discuss. The rainbow tables that are talking, be used to break passwords and other tool in the growing arsenal intruder.

What the hell are the pictures of the rainbow? How can something so cute and cuddly his name so dangerous?

This is the basic idea behind Rainbow Tables:

I'm a bad boy just stuck restarted a USB flash drive in a server or a workstation, and ran a program that copies of the security database with user names and passwords for my USB stick.

The passwords are encrypted in the file, so you can not read. I'll passwords in a file (or at least the administrator's password) to break, so that I can use to access the system need.

What are my options for cracking passwords? I can try to use a password cracking brute force program as John the Ripper, pounding file password iteratively guess all possible password combinations. My second option is a password cracking dictionary to load hundreds of thousands of commonly used passwords and see if you get results. These methods can be weeks, months or even years, if the passwords are strong enough.

If a password is "assessed" against a system that is "crushed" encryption used, so that the actual password never sent in clear text over the communication line. This prevents attackers from intercepting the password. The password hash usually looks like a pile of garbage and is usually a different length to the original password. Your password can "shitzu" be, but the password hash would be something like being "7378347eedbfdd761619451949225ec1".

To verify a user, a system of the hash value with the hash value of the password is generated in the client computer and compares the data stored in a table on the server hash value. If the hashes match, the user is authenticated and granted access.

Password hash is a one-way function, which means that you can not decrypt the hash to see what the password in plain text. There is no key for decrypting the hash has been generated. There is no "decoder ring" if you want.

Programs passwords function in a manner similar to the connection procedure. The program starts by breaking passwords in plain disclosure of a MD5 hash algorithm, and compares the output hash hashes stolen password file. If a match is found, the program has cracked the password. As I said, this process can take a long time.

Enter rainbow tables Rainbow tables are essentially huge amounts of precomputed tables full of hash values that are adapted to the possible passwords in plain Pre. Rainbow Tables essentially allow hackers to reverse the hash function to determine what might be the plain text password. It is possible that two different passwords result in the same hash, so no matter what the original password, unless you have the same hash. Password in clear text might not be the same password that the user was created, but only if the hash is the case, no matter what the original password.

With rainbow tables passwords can in a short time compared with brute-force methods are broken, but the downside is that a lot of storage space (sometimes terabytes) is necessary to keep rainbow tables, these days plenty of storage and cheap, so this compromise is not as big a deal as it was ten years ago when a terabyte drives are not something that you look at the location, Best Buy.

Hackers can use pre-computed rainbow tables for cracking the passwords vulnerable operating systems like Windows XP, Vista, Windows 7, and applications that use MD5 and SHA1 password hashing mechanism buy (many developers web applications with this hash) algorithms.

How can you protect yourself from the attacks of rainbow tables based Forgot?

I wish I had better advice to them all. I would pick a good password that would help to say, but that is not true because it is not the weakness of the password, the problem is the weakness is to be used with the hash function to encrypt password connected.

The best advice I can give is for users of the web applications that keep limit the length of passwords for a small number of characters. This is a clear sign of the old password authentication vulnerable school routines. Word length and complexity of the extended password can help a little, but not a guaranteed form of protection. The longer the password, the largest rainbow tables have to be to crack, but a pirate with a lot of resources can still perform this task.

My advice on how to be to defend against rainbow tables really are application developers and system administrators. You are at the front, when it comes to protecting users against this type of attack.

Here are some tips on developing a defense against attacks bow table:

1 Should not use MD5 or SHA1 hash of the password function.

MD5 and SHA1 hashes are outdated and most rainbow tables that are used to crack passwords are designed to provide applications and systems using these methods, the hash address. Consider using modern methods such as SHA2 hash.

February. Hash routine use of encryption password "Salt"

Adding salt to the hash function support password encryption in order to defend decrypt the passwords of the application against the use of rainbow tables that are used. Some examples to help with coding of a cryptographic salt "Rainbow Proof" of the application to see, check the webmasters in website design, which has an excellent article on the subject.

When you see how to perform hacker Forgot attack with rainbow tables, you can read PC this excellent article by About.com 's own Tim Fisher on the support Web site About.com.

No comments:

Post a Comment