Open polarathene opened 3 years ago
Yeah you're right, by the time you've extracted the entire hash that way you'd have to have found a preimage for the actual hash. It's still worth plugging the information leak, because for example if you had a wordlist, leaking the first 32 bytes of the hash (which should be feasible) would let you filter down the list to a small number of candidates. Then you could try those candidates on the live system. In other words a small amount of leakage would let you perform a dictionary attack against the on-line service much quicker.
The article should be updated to fix the mistake and explain this reason instead.
Thank you!
It's still worth plugging the information leak, because for example if you had a wordlist, leaking the first 32 bytes of the hash (which should be feasible) would let you filter down the list to a small number of candidates.
32 bytes is a full SHA-256 hash right? bcrypt is less at 24 bytes. Wouldn't you have the full hash usually by this point?
I can understand how it helps with optimizing an online attack against the 1 second rate limit window:
At the same time, it doesn't make a practical difference if the entropy is high, especially with a slow hash:
6^5 = 7776
, 7776 words, one word for each permutation), 5 words from a 7776 diceware list randomly selected is 64 bits of entropy (log2(7776^5) = ~64
). This is roughly 1.8e19 (2^64
) to 2.8e19 (7776^5
), the lower bound being: 18,000,000,000,000,000,000 (18 million trillion).(1.8e19 / 1e9) / (60*60*24*365) = ~570
), on average half that time.My bad, I meant to say the first 32 bits! You're correct that if the password entropy is high, this attack won't let you extract the hash or the password.
Ah ok that is more feasible to compute. I think I've understood it? (detailed below)
Ok, so this timing attack serves the purpose of matching the initial N byte sequence of the target hash to:
In either case, the attacker is avoiding wasted effort/time thanks to the partial hash. Feasibility still seems to depend heavily on Kerckhoff's principle to attack a subset of the keyspace if practical.
(2^30 / 1e3) / (60*60*24) = ~12
) with that GPU and >35GB storage.(2^40 / 1e3) / (60*60*24*365) = ~35
), partial hash ensures that each login attempt isn't wasted; average time 17 years (or about 6 days with 1,000 RTX 3080; assuming 2 million filtered attempts is sufficient: 2^40 / ((60*60*24)*6)= ~2e6
). >35TB storage if needed.
In hashing security page, there is this description of an attack (section: Why does the hashing code on this page compare the hashes in "length-constant" time?).
Ok so, the attacker hashes inputs until they have 256 strings that have a unique byte for the target byte, as they iterate through the sequence. eg the third byte as target has 256 strings that compute to the first two bytes previously identified as part of the computed hash on the server being verified against, with each string having the third byte as unique.
This assumes that the system has a 1 second rate limit only as a precaution, but will happily allow unlimited failures.In a little over 2 hours you'd have the full hash for SHA-256, except for the fact that the time to pre-compute those 256 strings per target byte will keep rising to the point that wouldn't be practical.
How exactly does that work if you don't have the full hash? How would you know what a successful match is or perform verification as you most certainly aren't going to have success against 1 second rate limiting unless the user has a very common password that you can try matching your known sequence of bytes.
I actually read this crackstation page and that linked SSL timing attack PDF about a month ago, I don't particularly want to go over it again but IIRC, that like many other attacks was under very specific conditions/assumptions that didn't make it all that practical in the real world.
In particular with that PDF it notes that the network was between two machines on their campus network, that's quite different to attacking a server very far away from you with multiple other factors to contribute to the network latency jitter. They also perform the attack against a very dated version of OpenSSL 0.9.7 (Dec 2002). Unclear when the paper was published but seems to be around 2003?
I'm not sure how this is meant to be feasible of an attack. Originally I was going to submit a correction to the section but have since realized I had a misunderstanding when I first read it.
This issue is just asking for clarification how the final part of that attack would be carried out successfully with only a partial hash and a rate-limited API endpoint to test against.