OAuth, OpenID Password Crack Could Affect Millions

CWmike writes "Researchers Nate Lawson and Taylor Nelson say they've discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into websites such as Twitter and Digg. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords. This may all sound very theoretical, but timing attacks can actually succeed in the real world. Three years ago, one was used to hack Microsoft's Xbox 360 gaming system, and people who build smart cards have added timing attack protection for years. The researchers plan to discuss their attacks at the Black Hat conference later this month in Las Vegas."

Add a random delay

[clone53421]

n/t

Or do not have variable delays at all

[betterunixthanunix]

This is neither a new problem nor an unsolved problem. This problem stems from using functions like strcmp, which return as soon as a difference is detected, and are thus unsuitable for password checks. Solution? Set a flag when the first difference is found, and continue checking subsequent characters.

Re:

[Anonymous Coward]

Which is just a waste of CPU resources. It's better to use the function that returns immediately, and sleep briefly instead. At least then you're freeing up the CPU for other processes that may have real work to do.

I know, I know, you'll say it's "not a big deal", but you probably just don't deal with real servers that experience heavy load.

Re:

[betterunixthanunix]

I presume this is the same sort of logic that lead to the decision to use plaintext passwords, rather than salted and hashed passwords.

Re:Or do not have variable delays at all

[Anonymous Coward]

Absolutely not. There is valuable computation done when hashing passwords. There isn't when you continue comparing passwords well after you know they don't match, when you could just as easily yield the CPU to other processes.

You've been proved wrong. Try to argue the point next time, rather than throwing up strawmen.

Re:

[kyrio]

It's you who is sounding like a troll. The AC is correct, you are not.

Re:

[kyrio]

He is correct about everything. You are just a troll.

Re:Or do not have variable delays at all

[doublebackslash]

Sure thing.
# openssl speed sha1
Doing sha1 for 3s on 16 size blocks: 4925162 sha1's in 3.00s
Doing sha1 for 3s on 64 size blocks: 3460802 sha1's in 2.99s
Doing sha1 for 3s on 256 size blocks: 1972423 sha1's in 3.00s
Doing sha1 for 3s on 1024 size blocks: 722903 sha1's in 3.00s
Doing sha1 for 3s on 8192 size blocks: 104552 sha1's in 2.99s
OpenSSL 0.9.8g 19 Oct 2007
built on: Mon Jun 7 19:28:26 UTC 2010
options:bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) aes(partial) blowfish(ptr2)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int -DMD5_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 26267.53k 74077.37k 168313.43k 246750.89k 286451.50k

26 MB/sec on small blocks in sha1sum. String compares I don't have a command handy to time, but I know that they will be in the hundreds of megabytes / sec range. Now this does not cover security concerns at all. I think that, since we are talking about a security system, we should talk about them.

Passwords are salted and hashed because storing a plaintext password is a grave security mistake. Anyone working with the database could grab a single table and know what everyone's passwords were. That is exceptionally bad, even if they only used the password in that one place. Someone could use that knowledge to legitimately log in as a user. Extrapolate from there. Worse still, many people use the same passwords in a few places, perhaps with a few variants.

Without just telling you to Read More Schneier (which would be rude) , I'd like to make you aware that hashing is one of the most amazingly cheap non-arbitrary things one can do on a modern processor, and that all other operations in a useful system take vastly longer (database lookups, disk access, network access, public key cryptography to establish an SSL session which you better hope your password travels over).

Cryptographic hashes are one of the best building blocks for secure systems, and you may find their application interesting. Give it a look-see. I do recommend Schneier, but some free links follow:
http://unixwiz.net/techtips/iguide-crypto-hashes.html [unixwiz.net] (decent primer, little long winded)
http://mathworld.wolfram.com/BirthdayAttack.html [wolfram.com] (simple explanation of the birthday attack)
http://en.wikipedia.org/wiki/Salt_(cryptography) [wikipedia.org] (I know a wiki link, but this ties in VERY closely with password security)
http://en.wikipedia.org/wiki/Message_authentication_code [wikipedia.org] (another, I know. But it has a lot of titillating links in it that should be followed)

Also for further reading: Package transforms and Schneier's book Applied Cryptography.

Security is important, and I'd think that if you have such strong opinions you could put them to good use. Happy reading!

PS: None of the links I provided talk about timing attacks. That is very important, but once you've got your head around cryptographic hashes you will know that a well salted and properly implemented hash library will not be vulnerable to many timing attacks. Figured I'd warn you.

Re:

[rgviza]

Since passwords are usually stored hashed, you need to hash the plaintext input. You can either do it in the database or the front end code, but you still need to do it.

Generally you do a select password, username where username = inputusername and password = password(inputpassword);

where password() is the hashing algorithm. If you get a row, it's a successful login.

The database usually does an indexed lookup against the first 4 (lets assume the index is on 4 characters) characters of the hash so the fails

Re:

[moderatorrater]

Nevermind that hashing will take a hell of a lot longer than check the entire plaintext password. Nevermind that checking the entire plaintext password is valuable if security matters

Yes, but there is an acceptable alternative to checking the entire plaintext password while there is no acceptable alternative to hashing the password. If there's an equally secure alternative that requires less computation, why not use it?

Re:

[something_wicked_thi]

But if you sleep, you may not wake up for a long time. Processes that relinquish the cpu could take a while to schedule again on machines with heavy load. When you're talking just a few dozen instructions for the additional compares, since most strings ought to be short, it's far better to finish the comparison.

I know, I know, you'll say it's "not a big deal", but you probably just don't deal with real users that expect to have low latency responses to their requests.

Re:Or do not have variable delays at all

[Trepidity]

It's really hard to get that perfect, though. If you're actually doing the same work, it's harder to accidentally leak information than if you're doing less work but trying to fake the equivalent amount. In the case of using a sleep, you're vulnerable to the particular scheduling implementation; it's pretty hard to make it so there's no visible timing differences between the sleep-using and non-sleep-using code paths.

There are cases where it's worth the effort, but I don't think strcmp() is one of them. When an attacker can gain information by detecting that you took different code paths, it's worth being somewhat conservative in unnecessarily introducing branching paths.

Seriously?

[FranTaylor]

Are you serious?

In the course of an entire web session's worth of CPU consumption, you are worried about the time taken to compare password characters? Any modern optimized processor should require one clock cycle per character.

Do you actually profile your code or do you just make funny noises? Or maybe you're running your web server on a Commodore 64?

Re:

[Galestar]

ditto parent. talking about "wasting" 6 cycles on a one off event (non-loop) is ludicrous.

Re:Seriously?

[disambiguated]

Compiler-optimized code on a 64 bit machine compares 8-bit characters 8 at a time. This guy is trying to force a context switch (upwards of thousands of instructions) to save 4 or 5 instructions. It doesn't save CPU (because of the context switch), it increases the latency, it's harder to code, and may be still vulnerable! sweet.

Re:

[Galestar]

Considering that passwords are generally 8-12 characters long, I'd think yielding the CPU would take more resources then just checked the remaining x characters.

Re:

[natehoy]

Excellent idea, but if you institute a random delay you might actually make your system more secure (and you use less CPU doing it because you're not walking through the entire checking algorithm, thereby making yourself less susceptible to CPU overload DOS attacks).

A fixed-time-to-answer would quickly tell the time-based algorithm that it was not dealing with something that is susceptible to it, and the attacker would immediately move on to a dictionary attack or some other method.

If you institute a random

Re:

[betterunixthanunix]

but if you institute a random delay you might actually make your system more secure

Random delays are easy to filter out. In fact, given that the authors performed this attack over a network (which will add random delays anyway), you should already know that they are capable of doing that.

Re:

[mandelbr0t]

Actually, the ideal would be to tune the timing to infer to the attacker something utterly unlike the actual password, and if someone sends in the password you are inferring by your timing you are now aware that a time-based attack is underway, and you can stop trying to check passwords sent by that connection entirely - just keep replying "access denied" with the delay continuing to infer the same key. Puts a lot less load on your system, and keeps the attacker busy and armed with lots of incorrect information.

Now that's just spiteful! Remind me never to piss you off...

Re:

[JackDW]

That's interesting. For the benefit of other readers, it should be clarified that this attack is still possible even if the password is hashed, because a given hash value must be compared to the known correct value (as you stated below).

However the situation may be even worse than you suggest. The behaviour of the CPU may change as a result of setting that flag, perhaps causing its timing to change. For instance a cache miss may (or may not) occur, or memory accesses may be reordered, or a branch might be

Re:

[betterunixthanunix]

The behaviour of the CPU may change as a result of setting that flag, perhaps causing its timing to change. For instance a cache miss may (or may not) occur, or memory accesses may be reordered, or a branch might be mispredicted.

We can actually prevent cache timing attacks somewhat by aligning the flag to a cache line boundary, and writing the password exactly one byte ahead of the flag. Thus, to compare the password at all, the flag will have to be cached, and so setting/checking the flag should not create a cache miss. This assumes that the password will not be too huge (i.e. a long enough password could "wrap around" and evict the line with the flag on it), but I think that it is fairly safe to assume that passwords are not

Re:

[An Onerous Coward]

Hashing should make a huge difference, though. If you're comparing the passwords themselves, it's pretty straightforward. To crack the hash, you have to find an acceptable-length string that hashes to each subset of the target hash (a..., a0..., a0f..., a0f4..., a0f49..., etc.) I don't know if there is a way to do that other than brute force, and toward the end the search space is prohibitive.

I think the best you could to would be to get the first several digits of the hash, then use it to prefilter the

Re:

[KingMotley]

A better solution is to use a pre-defined salt, and md5 hash the input with it. Then generate an appropriate random hash, and re-hash using sha1 both the input and a pre-salt-hashed stored password with it, then compare both with strcmp.

Good luck trying to reverse that. It's not impossible, but it's the best I can come up with, and likely to withstand any (reasonable) attack in the next 50 years on conventional hardware.

Re:Add a random delay

[Enleth]

No, a random delay just makes it harder for an attacker to determine the nect correct character. The exact theory behind eliminating the random factor eludes me, but several smart people found a way and it's supposedly correct.

I think the proper way is to "pad" the time so that it's constant. Say, if the password checking algorithm can take from 50us up to 600us, pad it to 1500us (safety margin!) with as much precision as posiible. There might be other code paths to pad, too, such as the one that fires when there's not even such a user, but you still want to display the "wrong password" message, as some systems do.

Re:

[Mr. Spontaneous]

What about having a strcmp that compares strings using a randomized series of indexes?

E.g.

compare position 4, then 1, then 3, then 10, etc.

Re:

[wall0159]

exactly. A random delay is merely adding noise to the signal, not removing the signal altogether (in the way that using a consistent delay does)

Re:

[XanC]

No, the signal is the amount of time it takes to do the password comparison, and the noise is the random amount of time on top of it.

To circumvent: try each password 100 times. It'll become clear what the actual time to compare the password is.

Re:

[clone53421]

GODDAMN. You really ARE that stupid.

We are NOT fucking talking about a SINGLE measurement of time.

We are talking about hundreds - possibly thousands - of "value", plus your random number. Guess what. Your stupid random number averages out to its median over about 1000 attempts. Meanwhile the CONSTANT value remains CONSTANT and as only the RELATIVE position of the values was important, we can compare it to OTHER attempts and determine which was faster REGARDLESS of your stupid random number.

You average it ou

Re:Add a random delay

[Eternauta3k]

the amount of delay caused by the password check and the amount of delay randomly added can NOT be differentiated.

Take a bunch of samples, average them.

Re:

[Stan Vassilev]

Take a bunch of samples, average them.

Sounds easy. Since the researchers apparently said Python/Perl/scripts and so on are easier to hack than C++, let's take typical factors in script execution.

You have an ASM-level operation that takes nanoseconds, and you have the following factors that take a random amount of milliseconds (millions of nanoseconds):

1) garbage collection 'jitter'
2) dynamic optimization of runtime (tracing, JIT, caching) and so on 'jitter'
3) parallel execution of thousands of tasks per second jitter (you measure just one rando

Re:

[An Onerous Coward]

You're making it a lot harder, true. But you seem to be claiming that it makes it mathematically impossible. Which it doesn't, but it's probably close enough.

According to the article, the attack uses algorithms to weed out network latency. So if you add much of that randomness back in, in a way that they can't factor out, you're probably good.

Still, it seems to make more sense to just require the comparison to always make exactly 64 comparisons. That's faster and more certainly invulnerable than adding

Re:

[betterunixthanunix]

The exact theory behind eliminating the random factor eludes me, but several smart people found a way and it's supposedly correct.

It is fairly basic and necessary to pull off the attack (i.e. because this is being done over a network). Let's simplify things and suppose that the comparison is performed bit-by-bit rather than byte-by-byte; we want to determine if a particular bit is a 0 or a 1. We'll take 1000 measurements when the bit is a 0, and 1000 when it is a 1, and then take the average of the delays in each case. Invoking the law of large numbers, we can conclude that despite random noise, the average of a large number of s

Re:

[something_wicked_thi]

That makes sense. If you have a 300us processing time for a particular incorrect password and you pad by 1000us +- 500us in all cases, with a uniform distribution, then it's relatively easy to guess, with known confidence, how long the real processing took, since the average of multiple attempts will come out to 1300us. moe generally, adding a random sleep with any known distribution is doomed to failure.

The easiest way to do this is to define a time, X, that is longer than all expected processing times. Th

Re:

[clone53421]

Yeah, that was basically my thought, but instead of a constant X you use a random number that’s guaranteed to be longer than all expected processing times.

In my haste to get first post I couldn’t think of any way to express that quickly, but yeah.

Re:

[clone53421]

My idea of a “random delay” isn’t quite a random delay but rather more of a “pad to a random length”. I.e. if the operation takes between 50-600us, pick a random length between 1000-2000us, start the timer at the beginning, call the routine, and when all is said and done just go to sleep until the total elapsed time reaches the random value you initially picked.

You are correct in that simply delaying for a random amount of time merely blurs the window for detection.

I.e. if you

Re:

[clone53421]

Taking a constant amount of time is likely just as hard as taking a random amount of time as I described. The only difference is that you are padding to a fixed number instead of a random one.

Re:

[crow]

Not good enough. A random delay will add noise, increasing the number of attempts required, but will not break the attack vector.

What is needed is to insure that the algorithm will respond in the same time when a match fails, regardless of how close the match is. If this were a simple string comparison, you would need a function that compares every character in the input to a padded version of the password, not one that stops at the first mismatch. In most cases, that same approach can be extended to cov

Re:

[clone53421]

Not just a random delay, per se. You are absolutely right.

To avoid contaminating the random delay with a fixed bias (which can easily be determined by running the same query enough times), the timer has to start at the very beginning, delay for longer than the password-checking algorithm will ever take, then return the result after the preset random length of time has elapsed.

I.e. wrong:

Verify + Random = Result

Result depends on Verify. You just have to average out Random by repeating it enoug

Re:

[micheas]

will "random delay" improve things much? you'd have to have a small upper bound for the delay (pausing for a year
is not likely to carry much favour) - and on most machines, the granulative of 'delays' is limited to 1/100s or 1/1000s.
Surely, given enough iterations, you could quickly average out the delay factor?
Would it not be better to just return results after a fixed elapsed time from the moment the login attempt began? Then
no information seeps out.

A random delay is non-trivial and expensive to implement. (/dev/random is generally blocking, and does run out of entropy)

An approach like the following pseudo code would help:

ReturnErrorTime = now() + 2 seconds;

if FunctionCheckPassword() == false:
return LoginFunction at ReturnErrorTime;
else:
continue;

OpenID

[Reason58]

Wait, doesn't slashdot use OpenID?

Re:OpenID

[Reason58]

Wait, doesn't slashdot use OpenID?

hahahah

DISREGARD THAT I SUCK COCKS

Re:

[DocSavage64109]

Wow. Guess it's no longer theoretical...

Re:

[roman_mir]

No no, it's all good, good thing /. is not US army though, otherwise Reason58 would be 'honorably separated' from this place in a short while.

Re:

[something_wicked_thi]

I suddenly wish I hadn't posted in this thread so I could mod up you to offset that troll mod someone lacking a sense of humor gave you.

For the uninitiated...

[ThoughtMonster]

http://bash.org/?5775 [bash.org]

Every password can be broken

[Some.Net(Guy)]

It's just a matter of time. Anyone seen Swordfish?

lolswordfish

[crow_t_robot]

Just drop a logic bomb through the trap door, right?

That movie makes me cringe.

Who doesn't hash/encrypt passwords?

[MankyD]

"On some login systems, the computer will check password characters one at a time, and kick back a "login failed" message as soon as it spots a bad character in the password."

If you do almost any sort of reasonable hashing or encryption algorthm on a password, this becomes a moot point, since the place that fails to match in the string will change. Are there still sites out there that don't do this? Really?

Re:

[TubeSteak]

If you do almost any sort of reasonable hashing or encryption algorthm on a password, this becomes a moot point, since the place that fails to match in the string will change.

This might be a stupid question, but how do they check a password one character at a time unless they're saving the password in plaintext or some other reversible method?

Re:

[betterunixthanunix]

They check the hash one character (or word, quadword, whatever) at a time.

Re:

[Abcd1234]

If that's true, a timing attack is useless, as the place where the comparison would fail is random, and certainly doesn't provide information about how to tune the input to get closer to the "correct" answer.

Re:

[betterunixthanunix]

However, it could allow an attacker to determine some part of the hashed password, which the attacker might then be able to crack using his own computers (which can just sit there trying to crack the password without dealing with any other work). This depends on the attacker's ability to do two things:

1. Compute the salt; this is not trivial, and a long enough salt should make this infeasible
2. Compute hashes that begin with a particular sequence; this is not necessarily difficult (certainly not as difficult as

Re:

[Shimbo]

This might be a stupid question, but how do they check a password one character at a time unless they're saving the password in plaintext or some other reversible method?

I think that's just a slightly sloppy writeup. You probably get to know individual bytes of the hashed password. It's likely that you can vastly reduce the key space for an attack by this method, with carefully chosen plaintext. No, you probably don't get individual plain text characters, one at a time, like in a bad movie.

Re:

[roman_mir]

here is a solution I implemented a little while ago:

public boolean isUserAuthenticated(User user, String password) throws TCAppException {
String encryptedPassword = Encryption.encryptString(password, AppConstants.AUTH_KEY);
if (user.getPassword().equals(encryptedPassword)) {
return true;
}
return false;
}

User object contains password that is encrypted, the password that is passed as 'password' from the login page is also e

Re:

[adonoman]

Good job not storing the plain text. But there are still problems with your code.

First, if two users have the same password, they will have the same hash stored in the db. If an attacker gets a hold of the list of hashes, it's trivial to generate hashes of a few million common passwords and compare them to the list. In any moderately sized user list, you'll get hundreds of matches. The trick is to also generate a random string of "salt" for each user. Append the salt to the password before hashing, a

Re:

[roman_mir]

Salt, you are looking right at it.

AppConstants.AUTH_KEY

Somebody getting a copy of my DB and getting the hash keys? That means they have access to my production server and I have bigger issues than some silly thing like them signing in as some user.

Re:

[Lord Ender]

That is a terrible auth function. Where is the randomly-generated salt? Where is the expensive hash function, like bcrypt?

Re:

[roman_mir]

As I replied, the AUTH_KEY is actually salt, if you care you can check my reply above to some other doubter.

Re:

[roman_mir]

You 'doubt' it's a hash?

public static String encryptString(String toHash, String key) throws TCAppException {
if (toHash==null || toHash.length()==0) {
throw new TCAppException("Invalid parameter toHash.");
}
if (key==null || key.length()==0) {
throw new TCAppException("Invalid auth key.");
}
String result = null;
try {
String s = toHash + k

Re:

[roman_mir]

Oh, it obviously returns the result, I cut that out and cut out some test code and added the closing brace by hand here rather than copying all the code.

Re:

[Stewie241]

http://www.computerworld.com/comments/node/9179224#comment-588733 [computerworld.com]

That comment there is insightful. This has nothing to do with passwords, it has to do with SSO keys. I was confused originally because OpenID says nothing about how systems store or verify passwords, so it wouldn't make sense to check in that manner.

Re:

[betterunixthanunix]

You'd be surprised. Salting and hashing passwords seems like common practice, but most programmers have minimal security training (yes, even those programmers who implement password based authentication systems) and may fail to realize the significance of not hashing.

Now, the fact that open source projects have this problem is a bit disturbing...

Re:

[Bert64]

Windows doesn't bother to salt its hashes either...

What open source systems don't do hashing? Must be pretty niche applications or someone would have contributed a patch by now.

Re:

[betterunixthanunix]

It seems that the systems described in TFA were open source, and that they checked plaintext passwords. Maybe I misread something (the article is full of inaccuracies anyway; timing attacks go back much further than 25 years, and reducing the noise added by a computer network is not ground breaking at all).

Re:

[Qzukk]

If you do almost any sort of reasonable hashing or encryption algorthm on a password, this becomes a moot point,

You risk making the problem WORSE, especially if you compare the ASCII (hexadecimal) representation of your hashes. If I know what hash algorithm you use, I can produce a rainbow table, and attempt to log in 16 times to determine the first hexadecimal character of the hash, 16 more times to determine the second and so on. For md5 (128 bits, 32 nibbles) it would take 512 (16*32) login attempts to

Re:

[ironicsky]

I'm pretty sure this is easily fixed... Any authentication system I write queries the database for both the username and password at the same time(all passwords stored as MD5 hashes) and only checks to see if a row was returned. If it is, the credentials are correct. If nothing is returned, the credentials are wrong. I never tell the user which was wrong, thats up to them to figure out.

$query = "SELECT uid from users where username='" . $_POST['username'] . "' AND password=MD5('" . $_POST['password'] . "

Re:

[MankyD]

I don't think a reasonable password hashing algorithm works like that. If I change one character in the password (any single character) the entire hash could/should change. You can't look at it and say "well, 90% of the hash matches, let's tweak it a bit more."

Re:

[EsbenMoseHansen]

No, since A) the hash will be salted and B) changing one character gives a completely different hash result (just try running md5sum on some strings). E.g:
password 286755fad04869ca523320acce0dc6a4
passwore 530bbcd6551386c86cbc0ebc6b007cc4

Re:

[EsbenMoseHansen]

Yeah, but the IDEA of using a hash is that it is inreversible, so getting the hash out gives you nothing. Notes that this only works if it is salted.

The attack could still be valid, though, if the hashing occurs client side. I'm guessing that this is what the attack requires (it sound quite plausible that openid involves some kind of cryptographic hash that needs to match something).

Or...

[hypergreatthing]

they could just impliment a simple
if passwordcheck(password)=false then
wait random(15)
end if

OMG so very hard!

Re:

[Stewie241]

The point isn't that it is hard to do... the point is that it isn't being done. The other point is that it wasn't being done because of the contention that the exploit was so unfeasible it wasn't worth it. The research demonstrates that the exploit is more feasible than people thought.

Re:

[Carnildo]

This doesn't fix the problem, it just slows down the attacker. Statistical analysis of the delay will still tell the attacker exactly how long it took to check the password.

The correct fix is:

if passwordcheck(password)=false then
run_a_delay_loop_until_it_takes_as_long_as_a_success()

Re:

[something_wicked_thi]

Congratulations. You've just implemented a system that is exactly no more secure. See posts above for why.

Time for a secure strcmp()?

[Qzukk]

One that will always loop through the longest string (would need to figure out something to compare it to once past the end of the short string), even after it has decided they're not equal.

Re:

[mmkkbb]

Go back to the beginning of the short string. You know the comparison will fail, so it doesn't really matter as long as you don't follow some random pointer.

Re:

[Stewie241]

One that will always loop through the longest string (would need to figure out something to compare it to once past the end of the short string), even after it has decided they're not equal.

That seems like a silly idea to me. Why would you implement it in strcmp() when most of the time you want to maximize performance. The proper place to do this is not in strcmp but in the password verification routine. As noted above also, sleeping is a more efficient use of processor resources than performing non-important calculations.

Does no-one else put a 10-second delay in?

[Xugumad]

Last time I coded a web based auth system, if you failed to log in it would refuse to check your next attempt until 10 seconds after the previous one (blocked by IP and by username). I, apparently foolishly, assumed most people would do the same...

Re:

[Bert64]

Do you block the combination of IP and user? If so, couldnt an attacker simply cycle through a block of usernames such that each user wasnt tried more than once every 10 seconds?

I like systems which block the user after failed attempts, but leave your IP alone... Makes it absolutely trivial to DoS the system by simply sending invalid auth requests for all the users.

Not affected

[pathological liar]

Looks like I'm safe... [openid.aliz.es]

Doesn't MD5 make this hard?

[tthomas48]

I hate this kind of announcement because it usually ends up that they found a hack in a revesion Bozo's poorly constructed library from 5 years ago, but I like this kind of announcement because it makes me consider my security.

I'm using a PHP OpenID library that's using md5 for comparison in the database. I don't really see how that would be feasible, since even if you were cycling through characters you need all characters to make the hash which mysql is making its string comparison based on.

Or am I missing something?

Re:

[mandelbr0t]

This reminds me of a similar flaw in Apache HTTPS a while back. It takes considerable timing resolution (i.e. not remote) to accomplish, but the problematic construct looks something like this:

if (!md5match) { return FAIL; } else { // do something long and complicated return SUCCESS; }

Basically, by using enough attacks and cycling through the bits of the calculated hash, you can determine which bits are and aren't in the private key. It takes some time to accomplish, and the network latency mu

Re:

[tthomas48]

But in that case the user is supplying the hash, right?

Re:

[mandelbr0t]

True, but the basis of the vulnerability is the same: do not provide timing indications of success/failure if its possible to cycle and record to deduce the password. I'm not saying it's not possible to invent a login mechanism that doesn't have this particular vulnerability, just that it's not something even security-concious people immediately think of.

Re:

[tthomas48]

But the problem isn't success/failure. It's differences of timing in failure, that tell how successful you were. It's basically like that old game of mastermind, but rather than colored pegs you're getting different times for your failure message.

Re:

[owlstead]

If the library is not using a salt, you can still retrieve the value of the hash using the exact same method. Furthermore, if the hash is intercepted they can use it for looking up the password in a rainbow table or similar. Just hashing is not enough.

first side channel attack I learned

[owlstead]

This was the first time-based side channel attack I learned. Within Minix you initially could place a password right at a page boundary and try and login. If there was a page fault before the password was rejected, you knew you had the right character right before the page bound. Of course, the solution is very simple: check all the characters for correctness, simply setting a boolean to false each time you find an incorrect character. Probably even better is to pad the input to a maximum length (in a time

Re:

[owlstead]

That's what you get from using an outdated college lecture as starting point. Of course, as already mentioned in the responses, the correct way is to have a full length random salt, XOR the password in it (in case the RNG is broken, possibly use an additional counter or something), hash it and then send the salt & hash to the other side. Sending the password in plain or relying just on SSL is a stupid idea for an online system.

Re:

[Guy Harris]

This was the first time-based side channel attack I learned. Within Minix you initially could place a password right at a page boundary and try and login. If there was a page fault before the password was rejected, you knew you had the right character right before the page bound.

That dates back before Minix - Butler Lampson's Hints for Computer System Design [microsoft.com] speaks of a similar issue in Tenex. (Look for "Tenex" in that paper for the example.)

Xbox 360? A better example!

[VGPowerlord]

A better example from the past of this same sort of attack was back in OpenSSH Portable. Specifically, OpenSSH/PAM timing attack allows remote users identification [marc.info]

Note that this didn't apply to finding passwords, just that invalid users would immediately return an error after the password was entered, while a valid user and incorrect password would have a delay.

Would you ike to play a game?

[damonlab]

I always thought a big flaw in the movie War Games was that the launch code was figured out one character at a time. Now this happens and flips my world upside down.

Hm, my BS alarm...

[Stan Vassilev]

The researchers also found that queries made to programs written in interpreted languages such as Python or Ruby -- both very popular on the Web -- generated responses much more slowly than other types of languages such as C or assembly language, making timing attacks more feasible. "For languages that are interpreted, you end up with a much greater timing difference than people thought," Lawson said.

Sure, scripts are slower than C. They're slower in general, but when you compare two binary strings, it's still mostly the same C memcmp call that's being called. You also have semi-random events like mark and swipe garbage collection, dynamic optimizations, I/O delays.

This means scripts may be slower and more random, while the password check call still isn't, how the heck would that make is easier to hack scripted sites?

I'm not even mentioning the fact most web apps don't have passwords hardcoded, but actu

What the heck?

[selven]

On some login systems, the computer will check password characters one at a time, and kick back a "login failed" message as soon as it spots a bad character in the password.

Why the hell are they checking against the password in plaintext, and not some kind of hash?

Re:Why the fuzz?

[maxume]

The sarcastic answer is development.

Re:

[SQLGuru]

If you just transmit the hash, then all I need to do is generate hashes; I don't actually need your password at all. This would be more or less the same as sending the password in clear-text.....it's just that the password is some fixed length string that can't be pronounced.

The server needs to do the hash, not the client.

Re:

[guruevi]

Not necessarily absurdly slow - there are extensive rainbow tables out there that probably cover just about any common password.

First you'll need to use the hash-side of the rainbow table to get about 36 hashes which start with [a-z0-9] and then filter right on down. You might run into some trouble finding matching hashes as you near the end of the hash but it's not impossible.

It will no matter what take long. Given enough time and resources, anyone could crack anything. The only solution for now:

- Use non-

Re:

[betterunixthanunix]

TENEX was found to be vulnerable to this sort of attack; you could guess a password one character, by literally measuring the delay in the password comparison (identical to TFA's attack, really).

Welcome back to the 1960s!

Re:

[Bert64]

Only NT already has RPC functions available remotely by default which let you see the password policy, see accounts that are locked, see what usernames exist, see what groups the accounts are in etc...

Re:

[icebraining]

If this breaks the passwords, maybe https://certifi.ca/ [certifi.ca] is secure?

With a certifi.ca account, you can log into thousands of sites around the Web without needing a password. We use client-side SSL certificates to give you a secure authentication service based on public-key encryption.

Re:

[Stewie241]

post a news story when an authentication scheme which /doesn't/ invite users to type their usernames and passwords into dozens of random websites is broken.

The point of OpenID is that you *don't* type your password into dozens of random websites.

Re:

[Ant P.]

So in your system, I could lock you out of the site simply by doing a bad login on your username three times? Nice.