Weak Password-Encryption Algorithms

Passwords that regulate database access must never be passed over the network as plaintext. Instead of the password, its hash is transmitted, encrypted with a randomly generated sequence of bytes; the result is called the check string. In short, network access to the database uses the classical challenge-response authentication scheme, which in theory gives strong protection against sniffing and against recovering the password, whether by decoding it or by brute force.

In practice, most database servers contain blatant design errors. For instance, consider MySQL 3.x. The hash function used for the password returns a 64-bit encoded sequence, while the random string is only 40 bits long. Consequently, the encryption does not remove all redundant information, and analysis of a large number of captured check strings together with their random strings allows an attacker to restore the original hash (the password itself need not be restored, because it is the hash, not the password, that is needed for authentication).

In a slightly simplified form, the encryption procedure appears as shown in Listing 28.1.

Listing 28.1: Encryption of the password hash by a random string

    // P1/P2 - 4 leftmost/rightmost bytes of the password hash, respectively
    // C1/C2 - 4 leftmost/rightmost bytes of the random string, respectively
    // n     - modulus of the generator; the listing uses it without defining it
    seed1 = P1 ^ C1;
    seed2 = P2 ^ C2;
    for (i = 1; i <= 8; i++)
    {
        seed1 = seed1 + (3*seed2);
        seed2 = seed1 + seed2 + 33;
        r[i] = floor((seed1/n)*31) + 64;
    }
    seed1 = seed1 + (3*seed2);
    seed2 = seed1 + seed2 + 33;
    r[9] = floor((seed1/n)*31);
    // the check string is r[1]..r[8], each XORed with the final value r[9]
    checksum = (r[1]^r[9], r[2]^r[9], ..., r[7]^r[9], r[8]^r[9]);

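Listing 28.1 as runnable C, added here as an example (not code from the book or from MySQL): it assumes a generator modulus n = 0x3FFFFFFF and reduces the state modulo n, and adds two checks that make the redundancy remark concrete: every check-string byte falls in a 32-value window, so the 8 bytes carry at most 40 bits of information whatever 64-bit hash produced them.

```c
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTION: n is undefined in the listing; use n = 0x3FFFFFFF and reduce mod n. */
#define N 0x3FFFFFFFULL

/* Listing 28.1 made runnable; (seed1 * 31) / N in integers == floor((seed1/n)*31). */
void scramble_check_string(uint32_t p1, uint32_t p2, uint32_t c1, uint32_t c2,
                           uint8_t out[8])
{
    uint64_t seed1 = (p1 ^ c1) % N, seed2 = (p2 ^ c2) % N;
    uint8_t r[9];
    for (int i = 0; i < 8; i++) {
        seed1 = (seed1 + 3 * seed2) % N;
        seed2 = (seed1 + seed2 + 33) % N;
        r[i] = (uint8_t)((seed1 * 31) / N + 64);
    }
    seed1 = (seed1 + 3 * seed2) % N;
    seed2 = (seed1 + seed2 + 33) % N;
    r[8] = (uint8_t)((seed1 * 31) / N);      /* final value masks the rest */
    for (int i = 0; i < 8; i++)
        out[i] = r[i] ^ r[8];
}

/* Each byte lands in 0x40..0x5F (32 values, 5 bits), so 8 bytes hold <= 40 bits. */
int all_bytes_in_window(const uint8_t out[8])
{
    for (int i = 0; i < 8; i++)
        if (out[i] < 0x40 || out[i] > 0x5F) return 0;
    return 1;
}

/* Distinct byte values over constructed (hash, random string) pairs; never > 32. */
int distinct_output_bytes(int samples)
{
    int seen[256] = {0}, count = 0;
    uint32_t x = 0xC0FFEE11u, v[4];          /* constructed LCG seed */
    uint8_t out[8];
    for (int s = 0; s < samples; s++) {
        for (int k = 0; k < 4; k++) { x = x * 1103515245u + 12345u; v[k] = x; }
        scramble_check_string(v[0], v[1], v[2], v[3], out);
        for (int i = 0; i < 8; i++)
            if (!seen[out[i]]++) count++;
    }
    return count;
}

int main(void)
{
    uint8_t out[8];
    scramble_check_string(0x12345678u, 0x9ABCDEF0u, 0x0BADCAFEu, 0xFFu, out);
    printf("%.8s in window %d; distinct bytes %d\n", (const char *)out,
           all_bytes_in_window(out), distinct_output_bytes(4096));
    return 0;
}
```

The hash and random-string words passed to main are constructed sample values; the distinct-byte count reported stays at or below 32 for any number of samples.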

Weak authentication mechanisms were also encountered in other servers. For the moment, however, practically all of them have been eliminated.

Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164