ArbiterPay Security Flaw

[Camron Rust]

Quote:

Originally Posted by LRZ

What is a "1-way hash"?

It is a transformation of the data from one form to another cryptic form such that you can never reverse the operation. I could give you my password in the transformed format and, even if you had a powerful computer working on it for years, you'd never be able to figure out the original password....even if you knew the exact algorithm I used to transform it.

The only thing you can do with it is use it to confirm that newly supplied information is the same as previously supplied information.

It goes like this:

1. You set a new password.....abc123
2. That password gets converted to dlkVj08.9Auf3@uQl839&dRsa
3. That converted value is stored in the database with your username
4. Later, you log in and provide abc123 as your password
5. The system converts that in to the same as above (the conversion is repeatable).
6. Since you provided the same password as you set up in step 1, the converted values will match and you are allowed in.

A similar technique is used to sign documents or files for downloads. The publisher of the file provides and MD5 checksum (and it is only 32 ascii characters long). If you get the file from an alternate source and check the MD5 of the file you recieved and it matches the one provided by the original publisher, you can be assured that the entire file is the exactly the same. Change even one character anywhere in the file and the MD5 checksum changes dramatically.

[johnny d]

Quote:

Originally Posted by Camron Rust

I could give you my password in the transformed format and, even if you had a powerful computer working on it for years, you'd never be able to figure out the original password....even if you knew the exact algorithm I used to transform it.

I find the bolded, underlined part very hard to believe, especially if the process is repeatable such that each time you enter the same sequence of letters, numbers, and symbols, they get converted into the exact same sequence of new letters, numbers, and symbols over and over again. It would not take a human cryptographer years to break that system, let alone a computer. Even without the algorithm, if you have access to multiple passwords and what they are converted to, it would not take that long to determine the algorithm.

[Camron Rust]

Quote:

Originally Posted by johnny d

I find the bolded, underlined part very hard to believe, especially if the process is repeatable such that each time you enter the same sequence of letters, numbers, and symbols, they get converted into the exact same sequence of new letters, numbers, and symbols over and over again. It would not take a human cryptographer years to break that system, let alone a computer. Even without the algorithm, if you have access to multiple passwords and what they are converted to, it would not take that long to determine the algorithm.

Well, it can possibly be done but you will not be alive to see it done.

The algorithms are published. Even having them and knowing which one was used (as long it is a decent one) really doesn't help much. The math to go backwards from the hashed output to the original input is just too hard for even the best computers to execute in any amount of time that matters.

The typical way cracking works is to use social engineering to guess at what the person might use as a password and try different things until you get it right. They might also just try all combinations of letter, numbers, symbols, etc. until they get the match.

The problem with that is that any decent system will detect repeat failed attempts and just lock the account. So, to have any chance, the hacker needs to obtain a copy of the database so they can run the tests outside of the system. Once the figure it out, they can then use it to break into the account(s).

The hashing algorithms are, however, sufficiently complicated that it just takes too long for it to work well, if at all, as long as you don't use abc123 as your password.

Some older hashing systems have been partially broken but it takes a lot of time with some really powerful computers (ones too expensive for all but big businesses or the government to afford) to get there.

Here is an article that talks about a common encryption technique and how long it would take to crack it:
http://www.eetimes.com/document.asp?doc_id=1279619

Here is a quote from the article:

Quote:

As shown above, even with a supercomputer, it would take 1 billion billion years to crack the 128-bit AES key using brute force attack. This is more than the age of the universe (13.75 billion years). If one were to assume that a computing system existed that could recover a DES key in a second, it would still take that same machine approximately 149 trillion years to crack a 128-bit AES key.

Most breaches in passwords are due to them either being stored in plain text or simply encrypted but the thief finds the encryption key and is able to decrypt them. Hashes, on the other hand, don't have such a key. They are just not practically reversible to get the original password.

[RefCT]

Quote:

Originally Posted by Camron Rust

Well, it can possibly be done but you will not be alive to see it done.

The algorithms are published. Even having them and knowing which one was used (as long it is a decent one) really doesn't help much. The math to go backwards from the hashed output to the original input is just too hard for even the best computers to execute in any amount of time that matters.

The typical way cracking works is to use social engineering to guess at what the person might use as a password and try different things until you get it right. They might also just try all combinations of letter, numbers, symbols, etc. until they get the match.

The problem with that is that any decent system will detect repeat failed attempts and just lock the account. So, to have any chance, the hacker needs to obtain a copy of the database so they can run the tests outside of the system. Once the figure it out, they can then use it to break into the account(s).

The hashing algorithms are, however, sufficiently complicated that it just takes too long for it to work well, if at all, as long as you don't use abc123 as your password.

Some older hashing systems have been partially broken but it takes a lot of time with some really powerful computers (ones too expensive for all but big businesses or the government to afford) to get there.

Here is an article that talks about a common encryption technique and how long it would take to crack it:
http://www.eetimes.com/document.asp?doc_id=1279619

Here is a quote from the article:



Most breaches in passwords are due to them either being stored in plain text or simply encrypted but the thief finds the encryption key and is able to decrypt them. Hashes, on the other hand, don't have such a key. They are just not practically reversible to get the original password.

Unless you're salting the hash as well, you are suceptible to rainbow tables to figure out the hashed values.

[Camron Rust]

Quote:

Originally Posted by RefCT

Unless you're salting the hash as well, you are suceptible to rainbow tables to figure out the hashed values.

Indeed...salts dramatically improve it....but how deep do we want to go on this topic on a referee board. Probably too deep already.

[RefCT]

Quote:

Originally Posted by Camron Rust

Indeed...salts dramatically improve it....but how deep do we want to go on this topic on a referee board. Probably too deep already.

Absolutely correct. I am hoping someone from Arbiter reads this since they don't seem to know what they are doing over there. Password encryption is the least of the basic technical issues I have seen. A classic case off growing too big too quickly.

[Mark T. DeNucci, Sr.]

I am getting goose bumps reading all these posts about mathematics, algorithms, and encryption codes.

MTD, Sr.

[Camron Rust]

Quote:

Originally Posted by RefCT

Absolutely correct. I am hoping someone from Arbiter reads this since they don't seem to know what they are doing over there. Password encryption is the least of the basic technical issues I have seen. A classic case off growing too big too quickly.

I'm hoping they don't read it...and people move to my product as a result!

[MD Longhorn]

Quote:

Originally Posted by johnny d

I find the bolded, underlined part very hard to believe, especially if the process is repeatable such that each time you enter the same sequence of letters, numbers, and symbols, they get converted into the exact same sequence of new letters, numbers, and symbols over and over again. It would not take a human cryptographer years to break that system, let alone a computer. Even without the algorithm, if you have access to multiple passwords and what they are converted to, it would not take that long to determine the algorithm.

Let me simplify greatly (it's not THIS easy, but it illustrates the issue)...

What is 6x6? 36
What is 4x9? 36
What is 2x18? 36

If I told you that the question (algorithm) was AxB, and told you the answer (encryption) was 36 ... can you tell me, for sure, what A and B is? No.

[HawkeyeCubP]

Quote:

Originally Posted by MD Longhorn

Let me simplify greatly (it's not THIS easy, but it illustrates the issue)...

What is 6x6? 36
What is 4x9? 36
What is 2x18? 36

If I told you that the question (algorithm) was AxB, and told you the answer (encryption) was 36 ... can you tell me, for sure, what A and B is? No.

I was told there wouldn't be any math.

[rsl]

Quote:

Originally Posted by HawkeyeCubP

I was told there wouldn't be any math.

Come on, this the first post in my many years reading the forum that I may know as much about the topic as Bob. But I will still listen to him- always listen to Bob!