SlideShare a Scribd company logo

Hacknbeers sqli and cryptography

M
Miguel Ibarra

The document discusses information security topics like SQL injection and cryptography. It provides an overview of SQL injection vulnerabilities and how they can be exploited to access private data. It then explains techniques for securely storing passwords like hashing and salting. Hashing involves applying a one-way algorithm to a password to generate a fixed-length string, while salting adds a random string to the password before hashing to strengthen security.

Technology
1 of 79
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
ì   Information  Security   SQL  Injec*on  and  Cryptography  
About  me   ì  Miguel  Ibarra   ì  PHP  developer  since  2000   ì  Actually,  coding  since  1986   ì  Projects  from  simple  web  pages  to  GRP’s   ì  SoLware  Engineer  @  Tiempo  Development   ì  Webservices,  security  and  cryptography  fan  
ì   I  can  has  ur  data?    
I  can  has  ur  data?     ì  Today,  informa*on  assets  can  be  more  valuable   than  physical  assets…   ì  Lost  your  USB  s*ck  lately?   ì  Data  theL  is  becoming  an  every-­‐day  issue  and   concern…  
ì   Data  Dump   I  can  has  ur  data?    
I  can  has  ur  data?     ì  linkedin.com   ì  6th  June  2012   ì  More  than  6  million   passwords   ì  eharmony.com   ì  6th  June  2012   ì  More  than  1.5  million   passwords   ì  last.fm   ì  7th  June  2012   ì  ?  Million  passwords   ì  yahoo.com   ì  12th  June  2012   ì  443K  passwords   ì  Sql  injec*on   ì  Passwords  in  plain  text…  
ì   I  can  has  ur  data?     Hot  news!  
ì   2010  -­‐  2013   World’s  biggest  data  breaches  
ì   2010  –  2013  (Web  only)   World’s  biggest  data  breaches  
I  can  has  ur  data?     ì  Public  web  applica*ons  expose  an  authen,cated   and  authorized  connec,on  to  DBMS  servers   ì  DBMS  have  their  own  authen*ca*on  and   authoriza*on  systems   ì  Applica*ons  that  use  such  DBMS  need  creden*als  to   connect  to  DB  servers   ì  This  type  of  apps  can  have  their  own  auth   procedures   ì  They  can  be  vulnerable  
I  can  has  ur  data?     ì  It  does  not  maeer  if  your  DBMS  is  behind  a  firewall   and/or  private  network   User   Public  network   Web  server   Private  network   DBMS  Server  
ì   SQL  Injection   How  I  got  your  data  
SQL  Injection   ì  Golden  rule:   ì  Filter/Validate  inputs,  escape  outputs   ì  …many  ‘developers’  do  not  follow  this  rule…  
SQL  Injection   ì  Our  database  schema       ì  Sample  resultset   WTF?  
SQL  Injection   ì  Live  demonstra*on  
ì  Protecting  your  data  –  Password   Hashing  
Protecting  your  data  –  Password  Hashing   ì  Hash   ì  Algorithm  that  maps    data  of  variable  length  to  data   of  fixed  length   ì  One  way  func*on   ì  Output  cannot  be  reversed  using  an  efficient   algorithm   ì  Also  called  ‘pseudo-­‐random  func*on’   ì  Output  indis*nguishable  from  true  random  data   ì  Popular  hashing  algorithms   ì  md5   ì  sha1  
Protecting  your  data  –  Password  Hashing   ì  Hash  proper*es   ì  Output  yields  a  fixed  length  result   ì  md5(‘1’)  =    ‘c4ca4238a0b923820dcc509a6f75849’   ì  md5(‘Hello  world’)  =   ‘3e25960a79dbc69b674cd4ec67a72c62’   ì  The  slightest  change,  totally  different  results   ì  md5(‘Hello  World’)  =   ‘b10a8db164e0754105b7a99be72e3fe5’  
Protecting  your  data  –  Password  Hashing   Message  space   Result  space  
Protecting  your  data  –  Password  Hashing     Hashing              encryp*ng  
Protecting  your  data  –  Password  Hashing   ì  Our  new  schema   ì  Sample  resultset  
Protecting  your  data  –  Password  Hashing   ì  Again,  cannot  revert  a  hash  using  an  efficient   algorithm   ì  …  but  can  be  cracked…   ì  Crack  <>  Hack   Hash   Algorithm   Data  
Protecting  your  data  –  Password  Hashing   ì  Brute  force  aeack   ì  Generate  hashes  from  a  dic*onary   ì  Common  words   ì  Generate  character  combina*ons   ì  Exhaus*ve  search   ì  Generated  hash  =  target  hash?   ì  Bingo   ì  Inneficient,  but…   ì  CPU  power  is  growing  (mul*ple  cores)   ì  GPU  can  be  used  too  (thousands  of  cores)   ì  Cloud  systems  
ì   ATI  HD  5970     String  consis*ng  of  a-­‐z|A-­‐Z|0-­‐9   Algorithm   Speed   8  chars   9  chars   10  chars   md5   5600   million  h/s   10  hours   27  days   4.5  years   sha1   2300   million  h/s   26  hours   68  days   11.5  years  
Protecting  your  data  –  Password  Hashing   ì  Hash  database  aeack   ì  Query  a  database  with  pregenerated  hashes   ì  Several  sites  offer  this  service,  free   ì  Google.com   ì  hep://bit.ly/15O4SLN  
Protecting  your  data  –  Password  Hashing   ì  Gesng  a  hash  through  sql  injec*on   ì  Live  demonstra*on  
ì   Password  salting  
Password  salting   ì  Salt   ì  Random  character  string   ì  f(password,  salt)  =  hash(password  +  salt)  
Password  salting   Result   Salt   Password  
Password  salting   ì  Our  new  schema   ì  Sample  resultset  
Password  salting   ì  Salt  has  to  be  stored  in  clear  text  as  to  authen*cate   a  user   ì  if(  hash(<provided  password>  +  <salt  field>)  ==   <password  field>  )  then   ì  User  creden*als  are  valid  
Password  salting   ì  Hash  database  aeack  becomes  improbable   ì  If  hash  remains  unknown,  brute  force  aeack   becomes  improbable   ì  Total  characters:  42   ì  Calcula*ons  per  second:  4  billion   ì  Possible  combina*ons:  522  duovigin*llion   ì  Total  *me  to  crack:  4  septendecillion  years*   ì  According  to  heps://howsecureismypassword.net/  
Password  salting   ì  But  the  aeacker  could  modify  the  aeack  to  obtain   the  salt  field…   ì  DEMO   ì  The  aeacker  would  only  need  to  launch  a  brute   force  aeack   ì  Generate  some  character  combina*on  string   ì  Concatenate  salt  and  hash   ì  Compare  hashes  
ì   Password  stretching  
Password  stretching   ì  To  mi,gate  men*oned  aeack,  use  password   stretching  technique   ì  Create  a  recursive  /  itera*ve  algorithm  that   calculates  a  hash  value  over  itself  thousand  (or   more)  *mes  
Salt  Password  Hash   Salt  Password  Hash   Salt  Password   Hash  Algorithm   Hash  Algorithm   Thousands  of  *mes  
Password  stretching   ì  This  algorithm  should  iterate  enough  to  delay  each   calcula*on  by  1  second   ì  In  order  to  crack  with  a  brute  force  aeack,  the   aeacker…   ì  Should  know  the  exact  itera*on  count   ì  +/-­‐  1  itera*on  will  result  in  totally  different  hash  value   ì  Should  wait  1  second  between  each  aeemp   ì  This  makes  the  aeack  highly  improbable  
Password  stretching   ì  Several  standard  algorithms  for  password   stretching   ì  PBKDF2   ì  Bcrypt   ì  Scrypt   ì  …  
ì   I  can  still  has  ur  data…  
I  can  still  has  ur  data…   ì  We  give  it  away  freely…   ì  Facebook   ì  Twieer   ì  Foursquare   ì  If  it  is  free,  you  are  the  product  
I  can  still  has  ur  data…   ì  We  uninten*onally  give  it  away…   ì  Phishing  scams   ì  Social  engineering   ì  Adware  /  Spyware  /  Browser  bars  /  Apps   ì  Weak  passwords   ì  Names   ì  Birthdays   ì  Phone  numbers   ì  Common  passwords  
I  can  still  has  ur  data…   ì  It  is  forcibly/unlawfully  taken  from  us…   ì  Extor*ons  /  black  mail   ì  Unethical  prac*ces   ì  banks   ì  Government  spy  programs   ì  NSA’s  PRISM   ì  Communica*ons  Intercept  System  Mexico   ì  Requested  by  USDoS  to  Mexican  Federal  Government  in   2007   ì  Request  cancelled  in  2012…   ì  Unknown  sponsored  spy  programs   ì  Rumored  FinFisher  program  probably  running  in   networks  belonging  to  Uninet,  Iusacell  and  Televisa  
ì   Cryptography  101  
Cryptography  101   ì  Krypto   ì  Hidden   ì  Graphos   ì  Script   ì  Tecnique  to  modify  a  linguis*cal  or  caligrafical   presenta*on  of  a  message   ì  Ruled  by  an  algorithm   ì  Must  allow  forward  and  backward  process  
Cryptography  101   ì  700BC  -­‐  Scytale  
Cryptography  101   ì  <40BC  –  Caesar  Cipher    
Cryptography  101   ì  1467  –  Alber*  Cipher  
Cryptography  101   ì  1797  –  Jefferson  Wheel  
Cryptography  101   ì  1943  –  Enigma  machine  
Cryptography  101   ì  Today,  cryptography  is  performed  by  an  automated   algorithm:  Cipher   ì  Short  name  for  pseudo-­‐random  permuta*on   ì  Takes  an  input   ì  Applies  a  reversible  algorithm   ì  Outputs  data  indis*nguishable  from    a  truly  random   data  stream   ì  Result  space  is  equal  to  message  space   ì  No  collisions  
Message   space   Result   space  
Cryptography  101   ì  Modern  algorithms  use  a  ‘key’   ì  They  key  is  used  to  transform  a  message  into  a   pseudo-­‐random  string   ì  This  is  called  ‘cipher’   ì  This  pseudo-­‐random  string  can  be  transformed   back  to  the  original  message  only  with  this  key   ì  ‘decipher’  
Cryptography  101   ì  2  key  types   ì  Symetric   ì  Asymetric  
ì   Symetric  ciphers  
Symetric  ciphers   ì  The  same  key  is  used  to  cipher  and  decipher   ì  The  2  endpoints  must  agree  on  this  key   ì  Security  relies  mainly  in  this  key   ì  Key  must  be  improbably  guessed   ì  Key  space  has  to  be  large…  
Symetric  ciphers   ì  Simple  and  safest  symetric  key  chipher  algorithm   ì  XOR   ì  1  ⊕  0  =  1   ì  1  ⊕  1  =  0   ì  0  ⊕  0  =  0   ì  ‘a’  =  ascii(97)   ì  9710  =  110000012   ì  Random  key  =  01010000  
1   1   0   0   0   0   0   1   0   1   0   1   0   0   0   0   1   0   0   1   0   0   0   1   1   0   0   1   0   0   0   1   0   1   0   1   0   0   0   0   Data  to  cipher   Random  key   Ciphered  data   Data  to  decipher   Random  key   Original  data  
Symetric  ciphers   ì  Ciphered  data  is  impossible  to  decipher  without  the   key  by  an  efficient  algorithm   ì  This  is,  no  exhaus*ve  search  for  the  key   ì  Is  very  simple   ì  Key  length  must  be  the  same  as  message  length   ì  Security  measures  applied  while  securily  sharing   the  key  might  as  well  we  applied  to  the  unciphered   message  
Symetric  ciphers   ì  In  fact,  every  symetrical  cipher  weakest  link  is  the   key   ì  An  aeacker,  instead  of  brute  forcing  the  key,  might   as  well  focus  on  incercep*ng  the  key   ì  Popular  cipher  algorithms   ì  DES   ì  3DES   ì  AES  
ì   Asymetric  ciphers  
Asymetric  ciphers   ì  Has  a  key  pair   ì  Private  key:  only  the  owner  can  know  it   ì  Public  key:  owner  can  share  it  freely   ì  Message  ciphered  with  the  public  key  can  only  be   deciphered  with  the  private  key   ì  Message  ciphered  with  the  private  key  can  be   deciphered  with  the  public  key   ì  This  adds  a  message  authen*ca*on  mechanism  
Asymetric  ciphers   ì  Algorithms  are  based  on  prime  number  and  one   way  func*ons   ì  Way  too  easy  to  mul*ply  to  prime  numbers   ì  Factorizing  a  number  into  its  prime  factors  is  very   difficult   ì  Usually  involves  very  large  prime  numbers   ì  Hundreds  of  digits  
Asymetric  ciphers   ì  Asymetric  ciphers  require  more  processing  *me   ì  Keys  are  required  to  be  large   ì  As  today’s  standards,  2048  bits   ì  Ciphered  message  is  bigger  than  the  original  message   ì  Popular  algorithms   ì  RSA   ì  Hybrid  symetric/asymetric  algorithms   ì  HTTPS/TLS  
ì   Just  encrypt  it  and  you  are  safe   …are  you?  
Just  encrypt  it  and  you  are  safe…  are  you?   ì  Weakest  links  in  cryptography   ì  Again,  the  key…   ì  …  and  how  it  is  implemented   ì  Aircrack  anyone?   ì  WEP  algor*hm:  example  of  bad  crypto   implementa*on  
Just  encrypt  it  and  you  are  safe…  are  you?   ì  Common  cryptography  implementa*on   misconcep*on   C   Message   Key   Cipher  Message  
Just  encrypt  it  and  you  are  safe…  are  you?   ì  Do  not…   ì  Use  a  short  key   ì  Use  weak  random  data  to   generate  a  key   ì  Use  directly  the  generated   key   ì  Try  to  derive  the  key  first   ì  PBKDF2   ì  Pseudo-­‐random   func*on   ì  Use  the  same  key  to  cipher   iden*cal  messages   ì  Informa*on  leak   ì  Use  the  same  key  to  cipher   mul*ple  messages   ì  WEP’s  Achilles’  heel   ì  If  you  need  to,  use  nonces   ì  Nonce  ≃  salt   ì  Nonce  is  included  with   the  message   ì  Cipher  and  send…   ì  Always  add  signature   verifica*on  mechanism   ì  Hash-­‐mac   ì  Hash  with  a  key   ì  Hash-­‐mac  signature   included  in  message  
ì   Do  not  use  weak  random  data   Random  data,  PHP  4’s  rand()  func*on  output  on  Windows  converted  to  bitmap  
ì   Encryption  in  databases  
Encryption  in  databases   ì  We  have  the  following  schema  
Encryption  in  databases   ì  The  aeacker,  unable  to  get  login  details,  could   modify  the  aeack  to  get  personal  informa*on:  
Encryption  in  databases   ì  MySQL  supports  AES  cipher  algorithm,  then  we   could  modify  our  schema  
Encryption  in  databases   ì  If  the  aeacker  executes  the  injec*on  
Encryption  in  databases   ì  S*ll  informa*on  can  be  leaked   ì  Suppose  the  2  users  share  the  same  phone  number,   the  aeacker  could  no*ce  this  since  data  was   ciphered  with  the  same  key  
ì   Tweakable  encryption  
Tweakable  encryption   ì  Remember,  do  not  use  the  same  key  to  cipher   mul*ple  messages…   ì  Do  we  need  to  generate  a  new  key  for  each  record?   ì  Say,  we  have  thousands  of  records,  do  we  need   thousand  keys?   ì  NO   ì  Use  a  tweak  
Tweakable  encryption   ì  Every  table  should  have  a  primary  key   ì  So  the  values  inside  the  primary  key  must  be  unique   to  every  record   ì  Use  the  master  key  +  primary  key  value,  then  hash   ì  f(key,  pk  value)  =  hash(key  +  pk  value)   ì  You’ll  have  an  unique  cipher  key  for  each  record   ì  Now,  fields  with  the  same  plain  text  value  will   appear  to  be  completely  different  when  ciphered  
Last  Words   ì  Last  words…   ì  Informa*on  privacy  is  YOUR  RIGHT   ì  Do  you  consider  it  to  be  a  paranoid  idea…   ì  …or  a  daily  life  concern?   ì  First  informa*on  privacy  law  from  1890  US   ì  Laws  cannot  keep  up  with  technology  
QA   ì  QA   ì  Thank  y’all!  

More Related Content

PPTX
Password cracking and brute force tools
zeus7856
 
PPS
Hacking Client Side Insecurities
amiable_indian
 
PPTX
Honeywords - BSides London 2014
Gavin Holt
 
PPTX
SecTor '09 - When Web 2.0 Attacks!
Rafal Los
 
PDF
Securious talk at the SWCSC event on 24th Feb 2016.
Peter Jones
 
PPTX
Presentation 3 1 1 1
Ashwin Kumar
 
PDF
OSINT tools for security auditing with python
Jose Manuel Ortega Candel
 
PPTX
Honeywords
Pratiksha Kale
 
Password cracking and brute force tools
zeus7856
 
Hacking Client Side Insecurities
amiable_indian
 
Honeywords - BSides London 2014
Gavin Holt
 
SecTor '09 - When Web 2.0 Attacks!
Rafal Los
 
Securious talk at the SWCSC event on 24th Feb 2016.
Peter Jones
 
Presentation 3 1 1 1
Ashwin Kumar
 
OSINT tools for security auditing with python
Jose Manuel Ortega Candel
 
Honeywords
Pratiksha Kale
 

What's hot (7)

PDF
Adversary Pattern Analysis - A Journey with APNIC Honeypot
A. S. M. Shamim Reza
 
PPTX
Storing passwords-honey words
kandulasindhu
 
PDF
Enterprise Password Worst Practices
Imperva
 
PPTX
Detecting Malicious SSL Certificates Using Bro
Andrew Beard
 
DOCX
Achieving flatness selecting the honeywords
Kamal Spring
 
PPS
Information Gathering With Google
Zero Science Lab
 
PDF
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
Adversary Pattern Analysis - A Journey with APNIC Honeypot
A. S. M. Shamim Reza
 
Storing passwords-honey words
kandulasindhu
 
Enterprise Password Worst Practices
Imperva
 
Detecting Malicious SSL Certificates Using Bro
Andrew Beard
 
Achieving flatness selecting the honeywords
Kamal Spring
 
Information Gathering With Google
Zero Science Lab
 
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 

Similar to Hacknbeers sqli and cryptography (20)

PPTX
TM112 Meeting12-Cryptography.pptx
MohammedYusuf609377
 
PDF
Passwords good badugly181212-2
Iftach Ian Amit
 
PDF
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Fego Ogwara
 
PPTX
TM112 Meeting10-Dangerous Data.pptx
MohammedYusuf609377
 
ODP
All Your Password Are Belong To Us
Charles Southerland
 
PPTX
Securing Passwords
Mandeep Singh
 
ODP
Passwords
Kevin OBrien
 
PPT
Kieon secure passwords theory and practice 2011
Kieon
 
PDF
Password (in)security
Enrico Zimuel
 
PDF
Cracking Salted Hashes
n|u - The Open Security Community
 
PPTX
Techniques for password hashing and cracking
Nipun Joshi
 
PPT
Unit-4 Cybercrimes-II Mobile and Wireless Devices.ppt
ajajkhan16
 
PDF
Data Storage and Security Strategies of Network Identity
Antiy Labs
 
PDF
A Survey of Password Attacks and Safe Hashing Algorithms
IRJET Journal
 
PPTX
What Video Games and BotCoin Did To The World Of Security... On Accident
Ben Finke
 
PPTX
Secure passwords-theory-and-practice
Akash Mahajan
 
PPT
introduction to cryptography
Priyamvada Singh
 
PPTX
P@ssw0rds
Will Alexander
 
PPTX
Ethical hacking Chapter 12 - Encryption - Eric Vanderburg
Eric Vanderburg
 
PPTX
Password Storage Sucks!
nerdybeardo
 
TM112 Meeting12-Cryptography.pptx
MohammedYusuf609377
 
Passwords good badugly181212-2
Iftach Ian Amit
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Fego Ogwara
 
TM112 Meeting10-Dangerous Data.pptx
MohammedYusuf609377
 
All Your Password Are Belong To Us
Charles Southerland
 
Securing Passwords
Mandeep Singh
 
Passwords
Kevin OBrien
 
Kieon secure passwords theory and practice 2011
Kieon
 
Password (in)security
Enrico Zimuel
 
Cracking Salted Hashes
n|u - The Open Security Community
 
Techniques for password hashing and cracking
Nipun Joshi
 
Unit-4 Cybercrimes-II Mobile and Wireless Devices.ppt
ajajkhan16
 
Data Storage and Security Strategies of Network Identity
Antiy Labs
 
A Survey of Password Attacks and Safe Hashing Algorithms
IRJET Journal
 
What Video Games and BotCoin Did To The World Of Security... On Accident
Ben Finke
 
Secure passwords-theory-and-practice
Akash Mahajan
 
introduction to cryptography
Priyamvada Singh
 
P@ssw0rds
Will Alexander
 
Ethical hacking Chapter 12 - Encryption - Eric Vanderburg
Eric Vanderburg
 
Password Storage Sucks!
nerdybeardo
 

Recently uploaded (20)

PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 

Hacknbeers sqli and cryptography

  • 1. ì   Information  Security   SQL  Injec*on  and  Cryptography  
  • 2. About  me   ì  Miguel  Ibarra   ì  PHP  developer  since  2000   ì  Actually,  coding  since  1986   ì  Projects  from  simple  web  pages  to  GRP’s   ì  SoLware  Engineer  @  Tiempo  Development   ì  Webservices,  security  and  cryptography  fan  
  • 3. ì   I  can  has  ur  data?    
  • 4. I  can  has  ur  data?     ì  Today,  informa*on  assets  can  be  more  valuable   than  physical  assets…   ì  Lost  your  USB  s*ck  lately?   ì  Data  theL  is  becoming  an  every-­‐day  issue  and   concern…  
  • 5. ì   Data  Dump   I  can  has  ur  data?    
  • 6. I  can  has  ur  data?     ì  linkedin.com   ì  6th  June  2012   ì  More  than  6  million   passwords   ì  eharmony.com   ì  6th  June  2012   ì  More  than  1.5  million   passwords   ì  last.fm   ì  7th  June  2012   ì  ?  Million  passwords   ì  yahoo.com   ì  12th  June  2012   ì  443K  passwords   ì  Sql  injec*on   ì  Passwords  in  plain  text…  
  • 7. ì   I  can  has  ur  data?     Hot  news!  
  • 8. ì   2010  -­‐  2013   World’s  biggest  data  breaches  
  • 9. ì   2010  –  2013  (Web  only)   World’s  biggest  data  breaches  
  • 10. I  can  has  ur  data?     ì  Public  web  applica*ons  expose  an  authen,cated   and  authorized  connec,on  to  DBMS  servers   ì  DBMS  have  their  own  authen*ca*on  and   authoriza*on  systems   ì  Applica*ons  that  use  such  DBMS  need  creden*als  to   connect  to  DB  servers   ì  This  type  of  apps  can  have  their  own  auth   procedures   ì  They  can  be  vulnerable  
  • 11. I  can  has  ur  data?     ì  It  does  not  maeer  if  your  DBMS  is  behind  a  firewall   and/or  private  network   User   Public  network   Web  server   Private  network   DBMS  Server  
  • 12. ì   SQL  Injection   How  I  got  your  data  
  • 13. SQL  Injection   ì  Golden  rule:   ì  Filter/Validate  inputs,  escape  outputs   ì  …many  ‘developers’  do  not  follow  this  rule…  
  • 14. SQL  Injection   ì  Our  database  schema       ì  Sample  resultset   WTF?  
  • 15. SQL  Injection   ì  Live  demonstra*on  
  • 16. ì  Protecting  your  data  –  Password   Hashing  
  • 17. Protecting  your  data  –  Password  Hashing   ì  Hash   ì  Algorithm  that  maps    data  of  variable  length  to  data   of  fixed  length   ì  One  way  func*on   ì  Output  cannot  be  reversed  using  an  efficient   algorithm   ì  Also  called  ‘pseudo-­‐random  func*on’   ì  Output  indis*nguishable  from  true  random  data   ì  Popular  hashing  algorithms   ì  md5   ì  sha1  
  • 18. Protecting  your  data  –  Password  Hashing   ì  Hash  proper*es   ì  Output  yields  a  fixed  length  result   ì  md5(‘1’)  =    ‘c4ca4238a0b923820dcc509a6f75849’   ì  md5(‘Hello  world’)  =   ‘3e25960a79dbc69b674cd4ec67a72c62’   ì  The  slightest  change,  totally  different  results   ì  md5(‘Hello  World’)  =   ‘b10a8db164e0754105b7a99be72e3fe5’  
  • 19. Protecting  your  data  –  Password  Hashing   Message  space   Result  space  
  • 20. Protecting  your  data  –  Password  Hashing     Hashing              encryp*ng  
  • 21. Protecting  your  data  –  Password  Hashing   ì  Our  new  schema   ì  Sample  resultset  
  • 22. Protecting  your  data  –  Password  Hashing   ì  Again,  cannot  revert  a  hash  using  an  efficient   algorithm   ì  …  but  can  be  cracked…   ì  Crack  <>  Hack   Hash   Algorithm   Data  
  • 23. Protecting  your  data  –  Password  Hashing   ì  Brute  force  aeack   ì  Generate  hashes  from  a  dic*onary   ì  Common  words   ì  Generate  character  combina*ons   ì  Exhaus*ve  search   ì  Generated  hash  =  target  hash?   ì  Bingo   ì  Inneficient,  but…   ì  CPU  power  is  growing  (mul*ple  cores)   ì  GPU  can  be  used  too  (thousands  of  cores)   ì  Cloud  systems  
  • 24. ì   ATI  HD  5970     String  consis*ng  of  a-­‐z|A-­‐Z|0-­‐9   Algorithm   Speed   8  chars   9  chars   10  chars   md5   5600   million  h/s   10  hours   27  days   4.5  years   sha1   2300   million  h/s   26  hours   68  days   11.5  years  
  • 25. Protecting  your  data  –  Password  Hashing   ì  Hash  database  aeack   ì  Query  a  database  with  pregenerated  hashes   ì  Several  sites  offer  this  service,  free   ì  Google.com   ì  hep://bit.ly/15O4SLN  
  • 26. Protecting  your  data  –  Password  Hashing   ì  Gesng  a  hash  through  sql  injec*on   ì  Live  demonstra*on  
  • 28. Password  salting   ì  Salt   ì  Random  character  string   ì  f(password,  salt)  =  hash(password  +  salt)  
  • 29. Password  salting   Result   Salt   Password  
  • 30. Password  salting   ì  Our  new  schema   ì  Sample  resultset  
  • 31. Password  salting   ì  Salt  has  to  be  stored  in  clear  text  as  to  authen*cate   a  user   ì  if(  hash(<provided  password>  +  <salt  field>)  ==   <password  field>  )  then   ì  User  creden*als  are  valid  
  • 32. Password  salting   ì  Hash  database  aeack  becomes  improbable   ì  If  hash  remains  unknown,  brute  force  aeack   becomes  improbable   ì  Total  characters:  42   ì  Calcula*ons  per  second:  4  billion   ì  Possible  combina*ons:  522  duovigin*llion   ì  Total  *me  to  crack:  4  septendecillion  years*   ì  According  to  heps://howsecureismypassword.net/  
  • 33. Password  salting   ì  But  the  aeacker  could  modify  the  aeack  to  obtain   the  salt  field…   ì  DEMO   ì  The  aeacker  would  only  need  to  launch  a  brute   force  aeack   ì  Generate  some  character  combina*on  string   ì  Concatenate  salt  and  hash   ì  Compare  hashes  
  • 35. Password  stretching   ì  To  mi,gate  men*oned  aeack,  use  password   stretching  technique   ì  Create  a  recursive  /  itera*ve  algorithm  that   calculates  a  hash  value  over  itself  thousand  (or   more)  *mes  
  • 36. Salt  Password  Hash   Salt  Password  Hash   Salt  Password   Hash  Algorithm   Hash  Algorithm   Thousands  of  *mes  
  • 37. Password  stretching   ì  This  algorithm  should  iterate  enough  to  delay  each   calcula*on  by  1  second   ì  In  order  to  crack  with  a  brute  force  aeack,  the   aeacker…   ì  Should  know  the  exact  itera*on  count   ì  +/-­‐  1  itera*on  will  result  in  totally  different  hash  value   ì  Should  wait  1  second  between  each  aeemp   ì  This  makes  the  aeack  highly  improbable  
  • 38. Password  stretching   ì  Several  standard  algorithms  for  password   stretching   ì  PBKDF2   ì  Bcrypt   ì  Scrypt   ì  …  
  • 39. ì   I  can  still  has  ur  data…  
  • 40. I  can  still  has  ur  data…   ì  We  give  it  away  freely…   ì  Facebook   ì  Twieer   ì  Foursquare   ì  If  it  is  free,  you  are  the  product  
  • 41. I  can  still  has  ur  data…   ì  We  uninten*onally  give  it  away…   ì  Phishing  scams   ì  Social  engineering   ì  Adware  /  Spyware  /  Browser  bars  /  Apps   ì  Weak  passwords   ì  Names   ì  Birthdays   ì  Phone  numbers   ì  Common  passwords  
  • 42. I  can  still  has  ur  data…   ì  It  is  forcibly/unlawfully  taken  from  us…   ì  Extor*ons  /  black  mail   ì  Unethical  prac*ces   ì  banks   ì  Government  spy  programs   ì  NSA’s  PRISM   ì  Communica*ons  Intercept  System  Mexico   ì  Requested  by  USDoS  to  Mexican  Federal  Government  in   2007   ì  Request  cancelled  in  2012…   ì  Unknown  sponsored  spy  programs   ì  Rumored  FinFisher  program  probably  running  in   networks  belonging  to  Uninet,  Iusacell  and  Televisa  
  • 44. Cryptography  101   ì  Krypto   ì  Hidden   ì  Graphos   ì  Script   ì  Tecnique  to  modify  a  linguis*cal  or  caligrafical   presenta*on  of  a  message   ì  Ruled  by  an  algorithm   ì  Must  allow  forward  and  backward  process  
  • 45. Cryptography  101   ì  700BC  -­‐  Scytale  
  • 46. Cryptography  101   ì  <40BC  –  Caesar  Cipher    
  • 47. Cryptography  101   ì  1467  –  Alber*  Cipher  
  • 48. Cryptography  101   ì  1797  –  Jefferson  Wheel  
  • 49. Cryptography  101   ì  1943  –  Enigma  machine  
  • 50. Cryptography  101   ì  Today,  cryptography  is  performed  by  an  automated   algorithm:  Cipher   ì  Short  name  for  pseudo-­‐random  permuta*on   ì  Takes  an  input   ì  Applies  a  reversible  algorithm   ì  Outputs  data  indis*nguishable  from    a  truly  random   data  stream   ì  Result  space  is  equal  to  message  space   ì  No  collisions  
  • 52. Cryptography  101   ì  Modern  algorithms  use  a  ‘key’   ì  They  key  is  used  to  transform  a  message  into  a   pseudo-­‐random  string   ì  This  is  called  ‘cipher’   ì  This  pseudo-­‐random  string  can  be  transformed   back  to  the  original  message  only  with  this  key   ì  ‘decipher’  
  • 53. Cryptography  101   ì  2  key  types   ì  Symetric   ì  Asymetric  
  • 55. Symetric  ciphers   ì  The  same  key  is  used  to  cipher  and  decipher   ì  The  2  endpoints  must  agree  on  this  key   ì  Security  relies  mainly  in  this  key   ì  Key  must  be  improbably  guessed   ì  Key  space  has  to  be  large…  
  • 56. Symetric  ciphers   ì  Simple  and  safest  symetric  key  chipher  algorithm   ì  XOR   ì  1  ⊕  0  =  1   ì  1  ⊕  1  =  0   ì  0  ⊕  0  =  0   ì  ‘a’  =  ascii(97)   ì  9710  =  110000012   ì  Random  key  =  01010000  
  • 57. 1   1   0   0   0   0   0   1   0   1   0   1   0   0   0   0   1   0   0   1   0   0   0   1   1   0   0   1   0   0   0   1   0   1   0   1   0   0   0   0   Data  to  cipher   Random  key   Ciphered  data   Data  to  decipher   Random  key   Original  data  
  • 58. Symetric  ciphers   ì  Ciphered  data  is  impossible  to  decipher  without  the   key  by  an  efficient  algorithm   ì  This  is,  no  exhaus*ve  search  for  the  key   ì  Is  very  simple   ì  Key  length  must  be  the  same  as  message  length   ì  Security  measures  applied  while  securily  sharing   the  key  might  as  well  we  applied  to  the  unciphered   message  
  • 59. Symetric  ciphers   ì  In  fact,  every  symetrical  cipher  weakest  link  is  the   key   ì  An  aeacker,  instead  of  brute  forcing  the  key,  might   as  well  focus  on  incercep*ng  the  key   ì  Popular  cipher  algorithms   ì  DES   ì  3DES   ì  AES  
  • 61. Asymetric  ciphers   ì  Has  a  key  pair   ì  Private  key:  only  the  owner  can  know  it   ì  Public  key:  owner  can  share  it  freely   ì  Message  ciphered  with  the  public  key  can  only  be   deciphered  with  the  private  key   ì  Message  ciphered  with  the  private  key  can  be   deciphered  with  the  public  key   ì  This  adds  a  message  authen*ca*on  mechanism  
  • 62. Asymetric  ciphers   ì  Algorithms  are  based  on  prime  number  and  one   way  func*ons   ì  Way  too  easy  to  mul*ply  to  prime  numbers   ì  Factorizing  a  number  into  its  prime  factors  is  very   difficult   ì  Usually  involves  very  large  prime  numbers   ì  Hundreds  of  digits  
  • 63. Asymetric  ciphers   ì  Asymetric  ciphers  require  more  processing  *me   ì  Keys  are  required  to  be  large   ì  As  today’s  standards,  2048  bits   ì  Ciphered  message  is  bigger  than  the  original  message   ì  Popular  algorithms   ì  RSA   ì  Hybrid  symetric/asymetric  algorithms   ì  HTTPS/TLS  
  • 64. ì   Just  encrypt  it  and  you  are  safe   …are  you?  
  • 65. Just  encrypt  it  and  you  are  safe…  are  you?   ì  Weakest  links  in  cryptography   ì  Again,  the  key…   ì  …  and  how  it  is  implemented   ì  Aircrack  anyone?   ì  WEP  algor*hm:  example  of  bad  crypto   implementa*on  
  • 66. Just  encrypt  it  and  you  are  safe…  are  you?   ì  Common  cryptography  implementa*on   misconcep*on   C   Message   Key   Cipher  Message  
  • 67. Just  encrypt  it  and  you  are  safe…  are  you?   ì  Do  not…   ì  Use  a  short  key   ì  Use  weak  random  data  to   generate  a  key   ì  Use  directly  the  generated   key   ì  Try  to  derive  the  key  first   ì  PBKDF2   ì  Pseudo-­‐random   func*on   ì  Use  the  same  key  to  cipher   iden*cal  messages   ì  Informa*on  leak   ì  Use  the  same  key  to  cipher   mul*ple  messages   ì  WEP’s  Achilles’  heel   ì  If  you  need  to,  use  nonces   ì  Nonce  ≃  salt   ì  Nonce  is  included  with   the  message   ì  Cipher  and  send…   ì  Always  add  signature   verifica*on  mechanism   ì  Hash-­‐mac   ì  Hash  with  a  key   ì  Hash-­‐mac  signature   included  in  message  
  • 68. ì   Do  not  use  weak  random  data   Random  data,  PHP  4’s  rand()  func*on  output  on  Windows  converted  to  bitmap  
  • 69. ì   Encryption  in  databases  
  • 70. Encryption  in  databases   ì  We  have  the  following  schema  
  • 71. Encryption  in  databases   ì  The  aeacker,  unable  to  get  login  details,  could   modify  the  aeack  to  get  personal  informa*on:  
  • 72. Encryption  in  databases   ì  MySQL  supports  AES  cipher  algorithm,  then  we   could  modify  our  schema  
  • 73. Encryption  in  databases   ì  If  the  aeacker  executes  the  injec*on  
  • 74. Encryption  in  databases   ì  S*ll  informa*on  can  be  leaked   ì  Suppose  the  2  users  share  the  same  phone  number,   the  aeacker  could  no*ce  this  since  data  was   ciphered  with  the  same  key  
  • 76. Tweakable  encryption   ì  Remember,  do  not  use  the  same  key  to  cipher   mul*ple  messages…   ì  Do  we  need  to  generate  a  new  key  for  each  record?   ì  Say,  we  have  thousands  of  records,  do  we  need   thousand  keys?   ì  NO   ì  Use  a  tweak  
  • 77. Tweakable  encryption   ì  Every  table  should  have  a  primary  key   ì  So  the  values  inside  the  primary  key  must  be  unique   to  every  record   ì  Use  the  master  key  +  primary  key  value,  then  hash   ì  f(key,  pk  value)  =  hash(key  +  pk  value)   ì  You’ll  have  an  unique  cipher  key  for  each  record   ì  Now,  fields  with  the  same  plain  text  value  will   appear  to  be  completely  different  when  ciphered  
  • 78. Last  Words   ì  Last  words…   ì  Informa*on  privacy  is  YOUR  RIGHT   ì  Do  you  consider  it  to  be  a  paranoid  idea…   ì  …or  a  daily  life  concern?   ì  First  informa*on  privacy  law  from  1890  US   ì  Laws  cannot  keep  up  with  technology  
  • 79. QA   ì  QA   ì  Thank  y’all!