7. The Bedrock of Cybersecurity: Cryptography 173 Hashes are also useful for committing to a secret value without revealing the value. This is why hashes are used in password-based authentication systems. It is a bad practice to store users’ passwords, but this creates a dilemma because in order for a computer to authenticate a user with a password, the computer has to verify that the user knows the password. But how can a computer verify that a user knows his password if the computer itself does not know the password? This can be accomplished with hashes. Instead of storing passwords, computers store the hashes of passwords. Because hashes are oneway, they do not reveal the passwords they represent. When a user is authenticated, he inputs his password and the computer hashes the password and compares this hash to the hash stored on file. If the hashes match, then due to the collision resistance property of hash functions, the computer verifies that the user knows the password. When the computer stores a user’s password hash, this commits the user to a specific secret value—no other value has the same hash. Only the user’s password will produce this hash. Committing to secret values has many other uses as well, including in auctions and negotiations where no party wants to reveal their offer first, fearing they will be one-upped by the other parties. In this environment, the hashes of offers can be revealed with no danger of exposing the actual offers, yet the hashes still commit the parties to their offers. Hashes cannot be reversed due to the one-way property. This means that there is no way to determine what data produced a hash just given a hash. However, hashes are vulnerable to forward search attacks. In a forward search attack, hashes are calculated for putative strings to find the string that produced the hash—in other words, instead of working backwards from the hash to the string (which is not possible), the attack works forward from putative strings to the hash. This is how password cracking attacks work. If a user’s password hash is known, and it is suspected the person used a word from the dictionary as his password, then an adversary can hash every word in the dictionary and compare the hashes to the password hash. If he finds a match, then he knows the user’s password. To thwart forward search attacks, when hashes are used to commit to a secret value, the secret value should be mixed with random data. Linux operating systems do this by adding salt to a user’s password before hashing it. Salt is a short random string that is combined with a user’s password before it is hashed. Unlike the shared secret used in HMACs, salt values are stored in plaintext. They are generated when users create their passwords. When a user inputs a password to be authenticated (more on this in Chapter 8), the user’s salt value is retrieved and mixed with the inputted string before it is hashed. This does not prevent forward search attacks on Linux password hashes, but it forces attackers to commit to a unique salt for every cracking attempt. This means all of the putative passwords an attacker hashes are only valid for one password, and all their work would need to be redone for every subsequent hash the attacker wants to crack. Windows operating systems do not use salt, so a single forward search attack is valid for every Windows password hash—this is a huge reward for the effort. Needless to say, massive files
RkJQdWJsaXNoZXIy MTM4ODY=