Data Storage and Security Strategies of Network Identity

Data Storage and Security Strategies of
Network Identity
(YOCSEF Report)
Antiy Labs
12/30/2011

Self Introduction
Identity: Xinguang, Xiao (real name); Haike, Jiang (online name);
Seak (English name);
Profession: antivirus researcher, not algorithm researcher;
Major: Automation Control, not Computer Science;
English skill: poor, but like using acronyms such as AV.
Wish: do not embarrass an antivirus researcher.

8/2/2012 Security Every Day Page 2

Terms in This Report
 Encryption/cipher text: Encryption is the process of
transforming plain text to cipher text.
 Computation speed: As for the computation speed of hash
and other encryption algorithms, there is no consensus of
whether we should use the length of plain text/computation
time, or the computation number in unit time.
 Zhang’s Theorem/ Zhang’s Hypothesis: Zhang is the CTO of
Antiy. Whenever any hypothesis occurs to me, I name it as
“Zhang’s Theorem”. In order to differentiate the ideas of us
two, the idea Zhang comes up with is “Zhang’s Hypothesis”.

Outline
 Background
 Cipher text attack methods and current solutions
 Find suitable security products
 Extra topics


When Moore Law becomes a disaster.
BACKGROUND


Computation Speed
Host Environment:
Core 2 (T7250) 2.0 G, 2M cache, 4GB RAM, 64-byte
Windows server 2008

VM Environment:
Vmware Server, Ubuntu 10.04, 512MB RAM

Compute MD5 of the 16 bytes in the virtual machine, the
computation number in 2.99 seconds is 1,759,393.


Computation Resources
Low-cost cloud computation Super Computer: GPU


Node Resources
 Botnet


Plain Text Resources

Infected Infected accounts
Vendors/Websites
Sony 101,600,000
Sega Corporation 1,300,000
City Bank 200,000
CSDN 6,000,000
Duo Wan 8,000,000
Tian Ya 30,000,000


Rainbow Table/Online Query

Name Functionality Application scenarios
md5 Encrypt the passwords by MD5 Lots of common websites
md5(md5($pass)) Encrypt the MD5 value by MD5 Lots of common websites
md5($pass.$salt) Connect the password with the salt to form a new password, and open source CMS operating system such as
then encrypt the new password by MD5 Joomla
md5($salt.$pass) Connect the password with the salt to form a new password, and open source electrical business system
then encrypt the new password by MD5 osCommerce
md5(md5($pass).$salt) Connect the MD5 value with the salt, and then encrypt the newly Forum systems such as Vbulletin, IceBB, and
generated password by MD5 Discuz
md5(md5($salt).$pass) Connect the MD5 value of the salt with the password, and then
encrypt the newly generated password by MD5
md5($salt.$pass.$salt) Connect the salt with the password, and then encrypt the newly Online P2P systems such as TBDev
generated password by MD5
md5($salt.md5($pass)) Connect the salt with the MD5 value of the password, and then
encrypt the newly generated password by MD5
md5(md5($pass).md5($salt)) Connect the MD5 value of the password and the MD5 value of the
salt, and then encrypt the newly generated password by MD5
md5(md5($salt).md5($pass)) Connect the MD5 value of the salt and the MD5 value of the Forum systems sucha s ipb and mybb
password, and then encrypt the newly generated password by
MD5
MD5(Unix) Encrypt the password by MD5, and then save the value with Unix Forum systems such as phpBB3; blog system s
shadow format such as WordPress
md5(unicode) Encrypt the Unicode of the password by MD5 Unix/Linux systems
sha1 Encrypt the password by SHA-1 Lots of common websites
sha1($salt.$pass) Connect the salt with the password, and then encrypt the newly
generated password by SHA-1
sha1(lower($username).$pass) Connect the lower-case user name with the password, and then Forum systems such as SMF
encrypt the newly generated password by SHA-1
sha1(upper($username).’:’.upper($pass)) Connect the upper-case user name with “:”, and the upper-case Online game server systems such as ManGOS
password, and then encrypt the newly generated password by
SHA-1
sha1($username.’:’.$pass) Connect the user name with “:” and the password, and then
encrypt the newly generated password by SHA-1
sha256 Encrypt the password by SHA-256
sha512 Encrypt the password by SHA-512
mysql Encrypt the password of MySQL accounts MySQL database (Version 4.0 and earlier versions)
mysql5 Encrypt the password of MySQL accounts MySQL database (Version 5.0 and later versions)
mssql Encrypt the password of SQL Server accounts
Des(unix)
Resources that can be queried SQL ServerMicrosoft
Encrypt the password by DES, and save the value with Unix Unix/Linux systems

Current cipher text attack methods; some wrong methods;
our open-source samples
CIPHER TEXT ATTACK METHODS AND
CURRENT SOLUTIONS


High Frequency Match (Continued)


Plain text Password Match
Normal Speed

After GPU Acceleration

引自http://www.insidepro.com/eng/egb.shtml

Some Wrong Methods
 Use standard hash algorithms
 Use several hash values
 Use non-unidirectional algorithms
 Add salt
 Design algorithms

引自安天2010.03《基于内存对象对26种HASH方法的测试结果》


Antiy Password Mixer
Introduction Resources
• Algorithm • Open source
– RSA, SHA256 – http://code.google.com/p/pa
ssword-mixer/
• User/Salt
– Accounts
– The salt table
– UID and registration time
• Provide restoration mode


Not every security product is useful. We should recognize the fake ones.

FIND SUITABLE SECURITY PRODUCTS


Design Slow Hash
Questions Perspective
• Fake slow hash
• It’s difficult to design a slow
– Another algorithm
hash algorithm. Such a
• User’s experience algorithm is of low payload
• DDoS attacks for X86 CPUs. Moreover, it is
difficult to bypass certain
software and hardware.

Biometric Recognition
Question Perspective
• It is not what we are talking • The identity recognition
about here. technology based on the Internet
• It’s not renewable. is widely used; it is disastrous
since users’ information might be
stolen.
• Some websites advocate the
identity recognition technologies.
They might be driven by
economic interests.

You seem
quite
tired, try
Dabao.

Zhang’s Hypothesis
 Any Web/DB targeted logon strategies must be based on the
following conditions.
– open source algorithms
– Rapid hash algorithm
– The rainbow table is only limited by storage.

Avoid Using Frequently Used Passwords
Don’t use Frequently Used
Passwords Dynamic Balance
• Check the passwords that are used • Microsoft Hotmail
for several accounts;
– Frequency balance
• High frequency password and
leaked passwords – Shortcomings


Encryption Hardware Used for WEB/DB
Scenarios
Idea Design
• Protect passwords and
parameters via hardware
design;
• Acceleration functionality;
• Support VM scenarios


Operation and Maintenance
The following problem must
be settled Try the following one
• Counter password and the • Protect records via records
online passwords should be – Create lots of bot users;
different.
– Misled by algorithms
– Fake table


The pseudo propositions …
EXTRA TOPICS


Some Pseudo Propositions
 Unidirectional security?
– Cracking situation（MD5 security is not relevant with this event)
– intensity
 Dual factor security?
– Financial institutes should bear the responsibilities.

8/2/2012
Security Every Day Page 25

References
 Password related article:
– http://blog.csdn.net/antiy_seak

 Antiy Password Mixer
– http://code.google.com/p/password-mixer/

 Speed of GPU acceleration related algorithms
– http://www.insidepro.com/eng/egb.shtml


Thank You
www.antiy.com
seak@antiy.com
http://Weibo.com/seak

Data Storage and Security Strategies of Network Identity

More Related Content

What's hot (20)

Similar to Data Storage and Security Strategies of Network Identity (20)

More from Antiy Labs (8)

Recently uploaded (20)

Data Storage and Security Strategies of Network Identity