More cookie-cutter hacker fodder, I guess.

Thomas Ptacek | November 3rd, 2005 | Filed Under: Uncategorized

From Schneier, a SANS paper on Oracle password hashing weaknesses. Long story short:

  • They use predictable usernames instead of random salts, making it feasible to precompute hash dictionaries.

  • They convert to uppercase, reducing the search space.

  • They use a fast crypto algorithm, rather than something like the OpenBSD Blowfish scheme, which deliberately slows down hashing an individual password, trading an imperceptible per-user-login delay for a prohibitively large delay for dictionary attackers.
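The three design choices above, side by side with the alternative, as an added example that is not from this post or the SANS paper. `weak_hash` is a SHA-256 stand-in that only shares the three criticized properties (it is not Oracle's algorithm), PBKDF2 stands in for the OpenBSD Blowfish scheme, and the account name, password and iteration count are constructed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

def weak_hash(username, password):
    """Stand-in with the three criticized properties, NOT Oracle's real algorithm:
    username as the salt, input folded to uppercase, a single fast hash call."""
    return hashlib.sha256((username + password).upper().encode()).hexdigest()

def strong_hash(password, salt=None, iterations=ITERATIONS):
    """Random per-record salt, case preserved, deliberately slow derivation.
    PBKDF2 from the stdlib stands in for the OpenBSD Blowfish scheme."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def strong_verify(password, record):
    """Recompute with the stored salt and work factor; compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def keyspace_shrink(length):
    """Factor lost when a-z, A-Z, 0-9 (62 symbols) folds to A-Z, 0-9 (36)."""
    return 62 ** length // 36 ** length

def compare(username="APPOWNER", password="Tiger42x"):  # constructed sample values
    """Observable consequences of each design choice, as booleans and counts."""
    install_a, install_b = strong_hash(password), strong_hash(password)
    return {
        # Salt: a username-salted record is a pure function of guessable inputs.
        "weak_same_on_every_install": len({weak_hash(username, password) for _ in "ab"}) == 1,
        "strong_differs_per_install": install_a[2] != install_b[2],
        # Case: folding makes "Tiger42x" and "tiger42x" the same credential.
        "weak_ignores_case": weak_hash(username, password) == weak_hash(username, password.lower()),
        "strong_keeps_case": not strong_verify(password.lower(), install_a),
        "strong_accepts_correct": strong_verify(password, install_a),
        "keyspace_shrink_8_chars": keyspace_shrink(8),
        # Speed: hash invocations an offline guesser pays per candidate (weak, strong).
        "hash_calls_per_guess": (1, ITERATIONS),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```
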

I don’t think this paper surprises anyone (for instance, the OpenBSD scheme was novel and well-received when Niels and David Mazieres, both of whom are smarter than me, presented it a few years ago, so why would we expect the Oracle scheme to be much better?)

So here’s my question:

  • Hashing weaknesses aren’t new. From experience: most proprietary hashing schemes are weak.

  • Dictionary attacks are popular among black-hats, so enabling information about them is not benign: presumably there’s incentive to attack the Oracle scheme because it’s been written about in pen-test books.

  • None of these specific vulnerabilities are new. FreeBSD had the fast-hash-construction weakness in its old MD5 scheme.

  • So, Peter Lindstrom, is this the kind of disclosure you believe should be outlawed?

Update 11/6: I just want to thank Peter Lindstrom for his comment, which adds the phrase “it’s not a bug, just a weak implementation” to the lexicon.

3 Comments so far

  • Pete

    November 3rd, 2005 5:55 pm

    No. It isn’t a bug, it is simply a weak implementation and passwords are suspect to begin with. The configuration recommendations appeared reasonable to me at first glance.

  • Pete

    November 6th, 2005 6:20 pm

    Well, I was going to say “it’s not a bug, it’s a feature” but that is too cliche. I assume you get my point regardless. If you don’t, then APPARENTLY you don’t have enough experience to figure it out. ;-)

  • Chris W.

    November 6th, 2005 11:38 pm

    To Pete: So I guess design flaws are OK to out. If the vendor meant it to be that way it is fair game to say, “this is how the vendor built it” and describe its weaknesses. Well, I would agree that it is a good thing to out design flaws. That is what we did at L0pht with the LANMAN hashing weaknesses and Microsoft added password strength filtering. Then years later they even let you turn off storage of the LANMAN hash. They were quicker when we pointed out that NTLM challenge response over the wire was subject to a dictionary attack. We then got NTLMv2 which is MUCH better. Just when was Microsoft going to fix these weaknesses if their customers didn’t know about it? These kinds of design fixes cost millions of dollars.
