The slower the stronger a story of password hash migration
2 likes589 views
The document discusses the migration of password hashes at Ocado Technology, focusing on the shift from outdated hashing algorithms like MD5 to more secure slow hashing algorithms such as bcrypt and PBKDF2. It outlines the necessary steps in the migration process, including performance comparisons of hashing speeds, reasons for the upgrade, and the implementation of the new password hashing library. The presentation also provides details on the migration plan, emphasizing the importance of gradually upgrading user passwords through various triggers like logins and password changes.
The slower the stronger a story of password hash migration
- 1. /OcadoTechnology The Slower the Stronger A Story of Password Hash Migration
- 2. Who am I? Tomasz Borowiec (tomasz@borowiec.org) Senior Software Engineer @ Ocado Technology Kraków
- 3. Agenda ● Slow hashing algorithms ○ BCrypt hash - a closer look ○ Live demo ○ Hash computing times comparison ● Migration process ○ ‘Before’ state ○ Why change? ○ AppSec’s crypto lib ○ Migration plan ○ Problems ● Summary & Links Image: http://mariafresa.net/single/2223016.html
- 5. Hashing algorithms • Fast old school and general purpose hash functions • Examples: MD5, SHA1, SHA256, SHA512, SHA-3 • Slow hashing algorithms a.k.a. BCrypt and friends • Examples: Argon2, PBKDF-2, SCrypt, BCrypt
- 6. Slow hashing algorithms • Argon2 • PBKDF-2 • SCrypt • BCrypt Providing secure hashes with salt Designed to slow attacker down Need to be reasonably configured
- 7. BCrypt hash Let’s hash “ocado” with BCrypt: $2a$08$CSBUe24az8PPuFs7Gch5GuCOdD20hJ6Qk9eOVlA9cJzZLkFkDLq66
- 8. BCrypt hash Let’s hash “ocado” with BCrypt: $2a$08$CSBUe24az8PPuFs7Gch5GuCOdD20hJ6Qk9eOVlA9cJzZLkFkDLq66
- 9. BCrypt hash Let’s hash “ocado” with BCrypt: $2a$08$CSBUe24az8PPuFs7Gch5GuCOdD20hJ6Qk9eOVlA9cJzZLkFkDLq66
- 10. BCrypt hash Let’s hash “ocado” with BCrypt: $2a$08$CSBUe24az8PPuFs7Gch5GuCOdD20hJ6Qk9eOVlA9cJzZLkFkDLq66
- 11. BCrypt hash Let’s hash “ocado” with BCrypt: $2a$08$CSBUe24az8PPuFs7Gch5GuCOdD20hJ6Qk9eOVlA9cJzZLkFkDLq66
- 12. Hashing speed comparison - live demo Source code: https://github.com/tborowiec/password-hash-migration
- 13. How long does it take to compute a hash? Source: http://www.netmux.com/blog/how-to-build-a-password-cracking-rig • Date of article: January 6, 2018 • $5000 “budget” cracking rig (4 GPUs) • Benchmark: Hashcat v3.20 • Results: • MD5: 76526.9 MH/s -> 19_000_000_000 hashes / second / GPU • SHA1: 25963.3 MH/s -> 6_500_000_000 hashes / second / GPU • BCrypt^5: 43551 H/s -> 10_887 hashes / second / GPU
- 15. What Ocado Technology does (1) Cloud and AI (2) Automation and robotics (3) Big Data (4) Web and app development (5) IoT
- 16. ‘Before’ state ● Our application used BCrypt^8 ● Some old customers still had MD5 ○ For them, it was bcrypt(md5(password)) Customer Number Password Hash Password Hash Type 12345678 $2a$08$JIIFVb3YQsNztayuUJNY8.HSCRZfHfrNjFi BfBV2G4gzFHhfjrf8O MD5 23456789 $2a$08$w4rhprdz/.hblW0ayNrQlOr3TD17eMqMRxe oEPyAcfcBdeoajCUaq BCRYPT
- 17. ‘Before’ state ● Our application used BCrypt^8 ● Some old customers still had MD5 ○ For them, it was bcrypt(md5(password)) Customer Number Password Hash Password Hash Type 12345678 $2a$08$JIIFVb3YQsNztayuUJNY8.HSCRZfHfrNjFi BfBV2G4gzFHhfjrf8O MD5 23456789 $2a$08$w4rhprdz/.hblW0ayNrQlOr3TD17eMqMRxe oEPyAcfcBdeoajCUaq BCRYPT
- 18. ‘Before’ state ● Our application used BCrypt^8 ● Some old customers still had MD5 ○ For them, it was bcrypt(md5(password)) Customer Number Password Hash Password Hash Type 12345678 $2a$08$JIIFVb3YQsNztayuUJNY8.HSCRZfHfrNjFi BfBV2G4gzFHhfjrf8O MD5 23456789 $2a$08$w4rhprdz/.hblW0ayNrQlOr3TD17eMqMRxe oEPyAcfcBdeoajCUaq BCRYPT
- 19. Why change?
- 20. Why change? • Our Information Security team suggested that a change is needed • BCrypt^8 on our machines took around 80ms to compute Number of iterations (N -> 2^N) Average (ms) Median (ms) Throughput (no. of samples / minute) 8 83 78 705 9 103 99 573 10 147 144 402 11 237 232 251 12 416 410 143 13 782 768 76
- 21. AppSec’s crypto lib Image: https://www.bankinfosecurity.com/application-security-four-key-steps-a-7778
- 22. AppSec’s crypto lib • PasswordHasher provided by AppSec takes care of password hashing • Uses well-known and safe crypto implementations (e.g. Bouncy Castle) • Produces a hashVector that acts as a password hash • Once migrated - controlled by AppSec since • … PROFIT!
- 40. PasswordHasher API public interface PasswordHasher { String hash(String password); VerificationResult verify(String password, String hashVector); String migrate(String hashVector); }
- 41. PasswordHasher API public interface PasswordHasher { String hash(String password); VerificationResult verify(String password, String hashVector); String migrate(String hashVector); } String hashVector = passwordHasher.hash( “ocado”); // PBKDF2Hasher$SHA_256$250000$4cc...707;65d...8b9
- 42. PasswordHasher API public interface PasswordHasher { String hash(String password); VerificationResult verify(String password, String hashVector); String migrate(String hashVector); } public interface VerificationResult { boolean isSuccess(); String getHashVector(); }
- 43. PasswordHasher API public interface PasswordHasher { String hash(String password); VerificationResult verify(String password, String hashVector); String migrate(String hashVector); } String newHashVector = passwordHasher.migrate( “MD5Hasher...BCryptHasher...;...” ); // MD5Hasher...;BCryptHasher...;PBKDF2Hasher...;...
- 44. Migration plan
- 45. Migration plan 1. Migrate passwords when: a. Customer logs in b. Customer creates/changes password 2. Asynchronous background jobs: a. Translating existing hashes to hashVector b. Upgrading hashVectors to newest algorithm 3. Cleanup
- 46. Migrate passwords when customers provide them
- 47. Migrate passwords when customers provide them
- 48. Migrate passwords when customers provide them
- 49. Migrate passwords when customers provide them
- 50. Migrate passwords when customers provide them
- 51. Migrate passwords when customers provide them
- 52. Migrate passwords when customers provide them
- 53. Translate current passwords to hashVectors Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...4029hfvih220nj0 BCRYPT (null) NONE $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...BCryptHasher...;... TRANSLATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;... TRANSLATED
- 54. Translate current passwords to hashVectors Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...4029hfvih220nj0 BCRYPT (null) NONE $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...BCryptHasher...;... TRANSLATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;... TRANSLATED
- 55. Translate current passwords to hashVectors Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...4029hfvih220nj0 BCRYPT (null) NONE $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...BCryptHasher...;... TRANSLATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;... TRANSLATED
- 56. Translate current passwords to hashVectors Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...4029hfvih220nj0 BCRYPT (null) NONE $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...BCryptHasher...;... TRANSLATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;... TRANSLATED
- 57. Upgrade translated passwords to PBKDF-2 hashVector Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...;BCryptHasher...;PBKDF2Hasher...;... MIGRATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;PBKDF2Hasher...;... MIGRATED
- 58. Upgrade translated passwords to PBKDF-2 hashVector Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...;BCryptHasher...;PBKDF2Hasher...;... MIGRATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;PBKDF2Hasher...;... MIGRATED
- 59. Upgrade translated passwords to PBKDF-2 hashVector Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...;BCryptHasher...;PBKDF2Hasher...;... MIGRATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;PBKDF2Hasher...;... MIGRATED
- 60. After full migration is done Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...BCryptHasher...;PBKDF2Hasher...;... MIGRATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;PBKDF2Hasher...;... MIGRATED Password Hash Password Hash Type Hash Vector Migration Status $2a$08$...gth54y3Hhfjrf8O MD5 MD5Hasher...BCryptHasher...;PBKDF2Hasher...;... MIGRATED $2a$08$...vcb56tweoajCUaq BCRYPT BCryptHasher...;PBKDF2Hasher...;... MIGRATED
- 61. Migration report
- 62. Problems
- 63. Problem: time taken to migrate • Translating password hashes… + • Upgrading password hashes … = • ~ 30 days
- 64. Problem: orphan password entries CUSTOMER_PASSWORD Customer number Password hash 12345678 abcdefghijklasdfdasfds 87654321 zxcvbbnmuefsdfaewte CUSTOMER Customer number Login Name 12345678 gary.muvaut@ocado.com Gary Muvaut 23456789 nobody.cares@ocado.com Nobody CaresX
- 65. Problem: entire process took over a year
- 66. Summary
- 67. Summary • Use slow hashing algorithms for passwords • Monitor time taken to compute hash (reconfigure if needed) • Hash migration - complicated, but not impossible • Good preparation is key • Cleanup (remove old hashes!) • Monitor the process
- 68. Links • OWASP’s Password Storage Cheat Sheet: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet • Password Hashing Competition: https://password-hashing.net/ • Bouncy Castle Crypto APIs: https://www.bouncycastle.org/java.html • How To Build A Password Cracking Rig: http://www.netmux.com/blog/how-to-build-a-password-cracking-rig • hashcat - advanced password recovery: https://hashcat.net/hashcat/ • Check if your email or password has been compromised in a data breach: https://haveibeenpwned.com/