The Bug Charmer, by Steven<br />
<br />
Understanding Scope in Go (2019-01-11)<br />
<br />
As per my New Year's resolution, I've been learning to program in Go and reading <a href="https://www.amazon.com/Programming-Language-Addison-Wesley-Professional-Computing/dp/0134190440" target="_blank">The Go Programming Language</a>. On page 141 of the book, there are a couple of code examples that explain scoping rules and how variables are bound to anonymous functions. This short post is just me making sure I grok what's in the book, shared in case it's helpful to anyone else.<br />
<br />
Consider this snippet:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnHJ53yIAqMk7KZig4hS0Qpx1BbkDGrtAyY02GYCybPflUHklyfbfl-G5vrSPKk1_g7iuviMN5Gh-qjTPhrTKoPfrDBRoKyOqcNTGNuIXYznM9qhsUsM-QQ2m6i9P1nTaX3LUYo4dchKk/s1600/Screen+Shot+2019-01-11+at+9.19.18+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="235" data-original-width="389" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnHJ53yIAqMk7KZig4hS0Qpx1BbkDGrtAyY02GYCybPflUHklyfbfl-G5vrSPKk1_g7iuviMN5Gh-qjTPhrTKoPfrDBRoKyOqcNTGNuIXYznM9qhsUsM-QQ2m6i9P1nTaX3LUYo4dchKk/s320/Screen+Shot+2019-01-11+at+9.19.18+PM.png" width="320" /></a></div>
<br />
<i>mynums</i> is a slice of functions, built with <i>append</i>. The initialization clause of the for loop creates an implicit lexical block that encloses the variable <i>i</i>. This single variable <i>i</i> is in scope through every iteration of the loop. That means that the same <i>i</i> is updated in each iteration and bound to the anonymous function that is appended to <i>mynums</i> by <i>append(mynums, func () { fmt.Println(i) })</i>. When the first entry is appended to <i>mynums</i>, the value of <i>i</i> is 1, but the value is NOT what is bound to the function. The variable itself (the storage location) is bound. So every iteration appends a function referencing the same variable. At the end, we have ten functions in the slice and all of them are bound to the same variable, which holds one value: 11, the value at which the loop condition failed. If we compile and run the program, it prints "11" ten times.<br />
<br />
This is analogous to the second example on page 141 of the book. Now, consider this code sample:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYtm1KqXzix13jYj5bwFlzLUWZgA44KqKBTIfYHsH9iX2HsFHrc7xkpCOx2CDrkptLlqXzYhR2DMGqBMmzZcHzC0l73WD1hyphenhyphenfz36o5EqZOsaX9mMvQf9Gizo-axNarH2YiKvNPoJZfc8k/s1600/Screen+Shot+2019-01-11+at+9.28.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="254" data-original-width="377" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYtm1KqXzix13jYj5bwFlzLUWZgA44KqKBTIfYHsH9iX2HsFHrc7xkpCOx2CDrkptLlqXzYhR2DMGqBMmzZcHzC0l73WD1hyphenhyphenfz36o5EqZOsaX9mMvQf9Gizo-axNarH2YiKvNPoJZfc8k/s320/Screen+Shot+2019-01-11+at+9.28.53+PM.png" width="320" /></a></div>
<br />
Here, we add the line <i>j := i</i> and use <i>j</i> in the anonymous function, <i>func () { fmt.Println(j) }</i>. <i>j</i> is declared inside the body of the for loop, so its scope is a single iteration of the loop body. Over ten iterations of the loop, we declare ten separate instances of <i>j</i>. That means that the first <i>j</i> bound to the anonymous function appended to <i>mynums</i> will have the value 1 and that value will not change. The second iteration binds a different <i>j</i> that has the value 2. When we execute the various <i>f()</i> at the end, we get the output we expect: the numbers 1 to 10.<br />
<br />
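Both snippets, rewritten as an added example (my code, not the book's or the post's) so that the closures return values instead of printing them and the two behaviours can be compared side by side. One caveat a reader in 2024 needs: since Go 1.22, a variable declared in the for clause itself (<i>for i := 1; ...</i>) is a fresh variable in every iteration when the module's go.mod declares go 1.22 or later, which would make the book's first snippet print 1 to 10. The example therefore declares <i>i</i> outside the for clause, which keeps the single-shared-variable behaviour the post describes under every Go version.

```go
package main

import "fmt"

// sharedVariable reproduces the first snippet: every closure refers to the
// one variable i that lives for the whole loop, so once the loop has finished
// all ten closures see its final value, 11.
//
// i is declared outside the for clause on purpose: from Go 1.22 on, a variable
// declared in the for clause (for i := 1; ...) is a new variable in every
// iteration, which would turn the book's first snippet into 1..10 output under
// a go.mod that declares go 1.22 or later.
func sharedVariable() []int {
	var mynums []func() int
	var i int
	for i = 1; i <= 10; i++ {
		mynums = append(mynums, func() int { return i })
	}
	return call(mynums)
}

// perIterationCopy reproduces the second snippet: j := i declares a new j in
// each iteration's block, so each closure binds its own j and keeps its value.
func perIterationCopy() []int {
	var mynums []func() int
	var i int
	for i = 1; i <= 10; i++ {
		j := i
		mynums = append(mynums, func() int { return j })
	}
	return call(mynums)
}

// call invokes each stored closure in order and collects what it returns.
func call(fns []func() int) []int {
	out := make([]int, 0, len(fns))
	for _, f := range fns {
		out = append(out, f())
	}
	return out
}

func main() {
	fmt.Println("shared variable:   ", sharedVariable())   // [11 11 11 11 11 11 11 11 11 11]
	fmt.Println("per-iteration copy:", perIterationCopy()) // [1 2 3 4 5 6 7 8 9 10]
}
```

Run it with <i>go run</i>; the first line shows the single bound variable, the second the ten independent copies.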
If you're reading the book, which I highly recommend, you may also want to check out the discussion of scope on pages 46-47.<br />
<br />
MD5 should not be used in forensics (or anywhere else) (2018-12-19)<br />
<br />
A few days ago, I drafted (but had not yet published) a post about using MD5 for validating or authenticating evidence in digital forensics. MD5 has had security problems for twenty years, but it is still used in forensics, although the trend has been toward SHA-1 (which has some problems of its own) and SHA-2.<br />
<br />
After drafting the post, I discovered that the Scientific Working Group on Digital Evidence has released a <a href="https://www.swgde.org/documents/Released%20For%20Public%20Comment/SWGDE%20Position%20on%20the%20Use%20of%20MD5%20and%20SHA1%20Hash%20Algorithms%20in%20Digital%20and%20Multimedia%20Forensics" target="_blank">draft</a> endorsing the use of MD5 and SHA-1. I wrote in to share my concerns, but I also reached out to some cryptographers via Twitter. Dr. Marc Stevens, a cryptographer known for his expertise in attacking MD5 and other hash functions, released a series of tweets that was even more critical of MD5 than I anticipated and that was incredibly damning for any forensic expert who continues to rely on MD5.<br />
<br />
First, I'll share my original thoughts in abbreviated form. Then I'll share some highlights from Dr. Stevens' tweets. If you're interested in Dr. Stevens' views, consider reading all of what he had to say on Twitter and in his scientific work. If I have misrepresented or misunderstood his views in any way, I apologize.<br />
<br />
When we image and process digital evidence, we use a hash function to fingerprint that data so that we can compare it to other known files and so that, later on, we can verify that the evidence hasn't changed. SHA-1 is probably the most common hash function used in forensics and there is some support for SHA-256, which is what we should be moving toward.<br />
<div>
<br /></div>
<div>
In order to be considered secure, a hash function should be strong against two attacks: collisions and preimages. A collision occurs when we find two "messages" (files, strings, whatever) that have the same hash value. To be secure, it should be hard to find two files that have the same hash. Note that in this scenario we are allowed to pick both messages. If we can find any two that match, we have a collision. A preimage is a little different because one of the messages has already been picked. To find a preimage, we have to find a second message that has the same hash value. The distinction is like the difference between trying to find two people in a room with the same birthday (anybody can match anybody) versus trying to find somebody in a room with your birthday.<br />
<br />
Note: I'm glossing over the difference between preimages and second preimages because I don't think it's important for this discussion.</div>
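To make the collision-versus-preimage distinction concrete, here is an added example (mine, not the post's) that runs both searches against a toy hash: SHA-256 truncated to 16 bits, a stand-in chosen only so that both searches finish in under a second. The inputs are constructed strings. With 65,536 possible digests, the "anybody matches anybody" search succeeds after a few hundred hashes, while the "match this one digest" search needs tens of thousands. That square-root gap (the birthday bound) exists for every hash function; MD5's own structural weaknesses then shrink the collision cost far below even the birthday bound, which is why MD5 collisions are practical while preimages are not.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// toyHash truncates SHA-256 to its first 16 bits. The tiny output is the point:
// it makes both searches fast enough to watch. It is not MD5 and not an attack.
func toyHash(msg []byte) uint16 {
	sum := sha256.Sum256(msg)
	return binary.BigEndian.Uint16(sum[:2])
}

// message returns the n-th constructed input; any distinct byte strings would do.
func message(n int) []byte {
	return []byte(fmt.Sprintf("constructed message #%d", n))
}

// findCollision is the "two people with the same birthday" search: hash
// numbered messages until any two of them share a digest. For a 16-bit hash
// the birthday bound predicts success after about sqrt(pi/2 * 2^16) ~ 320 hashes.
func findCollision(limit int) (first, second, hashes int, found bool) {
	seen := make(map[uint16]int) // digest -> index of the first message that produced it
	for n := 0; n < limit; n++ {
		h := toyHash(message(n))
		if prev, dup := seen[h]; dup {
			return prev, n, n + 1, true
		}
		seen[h] = n
	}
	return 0, 0, limit, false
}

// findSecondPreimage is the "someone with *your* birthday" search: the target
// digest is fixed first, then we need a different message that matches it.
// Expected cost is 2^16 = 65536 hashes, roughly 200 times the collision search.
func findSecondPreimage(target int, limit int) (match, hashes int, found bool) {
	want := toyHash(message(target))
	for n := 0; n < limit; n++ {
		if n == target {
			continue // the target itself is not a second preimage
		}
		hashes++
		if toyHash(message(n)) == want {
			return n, hashes, true
		}
	}
	return 0, hashes, false
}

func main() {
	a, b, n, ok := findCollision(1 << 20)
	fmt.Printf("collision: found=%v after %d hashes: %q and %q both hash to %#04x\n",
		ok, n, message(a), message(b), toyHash(message(a)))
	m, n, ok := findSecondPreimage(0, 1<<22)
	fmt.Printf("second preimage of message 0: found=%v after %d hashes: %q\n",
		ok, n, message(m))
}
```

The exact counts vary with the message strings, but the ratio between the two searches is what to look at; on a 128-bit hash the same ratio is 2^64 to 2^128.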
<div>
<br /></div>
<div>
MD5 is considered a weak hash function because there are practical attacks for finding <a href="https://natmchugh.blogspot.com/2014/10/how-i-created-two-images-with-same-md5.html" target="_blank">collisions</a>. There aren't any practical attacks for finding preimages for MD5.</div>
<div>
<br /></div>
<div>
If we need to verify that a file hasn't changed, MD5 is plenty good enough to detect accidental modification. If the file was corrupted or inadvertently modified by a careless examiner, there is an infinitesimally small chance that the hash will come out the same. If we're worried that someone has intentionally altered the data, they would have to be able to execute an attack (find a preimage) that is beyond what anyone is currently able to do using publicly-known attacks. Hell, even if the file wasn't hashed, a court would probably not allow someone to assert that the evidence had been altered without some evidence suggesting it had.</div>
<div>
<br /></div>
<div>
So, we can use MD5, right?</div>
<div>
<br /></div>
<div>
I think you do so at your own peril.</div>
<div>
<br /></div>
<div>
The problem is that cryptographers, the people who are experts in making hashes and ciphers, have been saying not to use MD5 for 20 years and the attacks against MD5 have gotten much, much better since then. When a forensic examiner goes into court, he or she serves the court as an "expert". I feel like I could offer a reasonable defense/explanation for using MD5. I've read books on cryptography and took a grad-level class in it. I'm knowledgeable (enough to be dangerous). I think I understand it well enough to say that despite the warnings it's okay to use it in certain circumstances. But I'm not an expert in cryptography so why would I try to weigh in as one? [Note: Dr. Stevens' tweets indicate that he disagrees with my contention that MD5 would be acceptable in some circumstances. But, that's my point. Any situation where I think it might be okay to use MD5 is based on my amateur understanding of cryptography, not the expert-level understanding that he or his colleagues would have.]</div>
<div>
<br /></div>
<div>
There's an added complication. Even if MD5 is okay to use in these scenarios, trying to justify it without a good understanding of why could lead you into some murky waters. Simply not being careful about how you answer questions could get you trapped by a well-prepared attorney.</div>
<div>
<br /></div>
<div>
Imagine this: You go into court and explain how you verified the images in your case using MD5. The defense attorney asks you some very innocent questions about it: "What's MD5?", "can two files have the same hash?".<br />
<br />
You give the best explanation that you remember from your training: "the odds of two files having the same hash are like 1 in 80 bajillion."<br />
<br />
"So", he says "I couldn't just change the file and tweak it so the hash would be the same?"<br />
<br />
"No way", you say. "It's like winning the lottery five times in a row."<br />
<br />
The defense attorney smiles back at you and grabs a stack of papers off of his table. He has an article about how some researchers <a href="https://www.zdnet.com/article/ssl-broken-hackers-create-rogue-ca-certificate-using-md5-collisions/" target="_blank">forged digital certificates</a> that used MD5. He'd like you to read the highlighted portion. He has another about how the Flame malware <a href="https://arstechnica.com/information-technology/2012/06/flame-crypto-breakthrough/" target="_blank">hijacked Windows Update</a> because of MD5. Would you please read the paragraph he highlighted there as well? He picks up a USB drive and tells you he has pictures of Jack Black, James Brown, and Barry White and they all have the <a href="https://natmchugh.blogspot.com/2014/11/three-way-md5-collision.html" target="_blank">same hash</a>. He has a picture of a <a href="https://natmchugh.blogspot.com/2015/02/create-your-own-md5-collisions.html" target="_blank">ship and a plane</a> and those two have the same hash. He'd like you to hash these files to demonstrate.</div>
<div>
<br /></div>
<div>
"So", he says again. "What you told us a few minutes ago about the hashes. It wasn't true, was it?"<br />
<br />
That's about all I had in my original draft. Here's what Dr. Stevens had to say; the tweets are not necessarily in order:</div>
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
I disagree: cryptography is notoriously hard to get right. You should rely on expert cryptographic advice. And the prevailing expert opinion is: do not use MD5 for security.</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074367431894843392?ref_src=twsrc%5Etfw">December 16, 2018</a></blockquote>
<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
And nowhere MD5 actually helps you in court, and can only hurt, since any cryptographic expert would say it should not be used for that. While SHA2 would help you in court. So what would be the best advice?</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074421008025706498?ref_src=twsrc%5Etfw">December 16, 2018</a></blockquote>
<br />
I think these tweets are key because they argue (from his expert perspective) that we should not use MD5 and also point out that this is the prevailing opinion among cryptographers. That matters because the methods we use in a legal case are supposed to meet a standard, namely the <a href="https://www.theexpertinstitute.com/daubert-versus-frye-a-national-look-at-expert-evidentiary-standards/" target="_blank">Daubert standard</a>, which considers five factors:<br />
<br />
1. Whether a theory or technique can be and has been tested<br />
2. Whether the theory or technique has been subject to both peer review and publication<br />
3. The known or potential error rate of the method<br />
4. The existence and maintenance of standards controlling its operations; and<br />
5. Whether it has attracted widespread acceptance within the relevant scientific community<br />
<br />
Looking at #5, I don't know whether a court would consider forensic experts or cryptographers to be the relevant scientific community, but cryptographers (who are responsible for almost every publication on the analysis of MD5) have widely rejected it. They have tested it (#1), subjected it to peer review (#2), found errors (#3) and they have declared in academic papers and in public that it should not be used. Many forensic examiners, however, find it acceptable.<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
The problem of course is that your defence for MD5 is based on the entire situation and not on any properties of MD5 itself. SWDGE's document claims that MD5 provides integrity guarantees when it actually can't (for data from untrusted sources).</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074423463752941568?ref_src=twsrc%5Etfw">December 16, 2018</a></blockquote>
<br />
Responding to an argument that MD5 is still acceptable for use in forensics, Dr. Stevens countered that the defense was based on the other circumstances (e.g. chain of custody) that make the evidence trustworthy, not on the assurance provided by MD5.<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
(1) The document clearly relies on MD5 against tampering. (2) There is ample scientific evidence that MD5 is insecure to use against tampering. (3) The document says MD5 is still 'acceptable' for forensic use, does not show any scientific support.</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074431028469645312?ref_src=twsrc%5Etfw">December 16, 2018</a></blockquote>
<br />
While Dr. Stevens might not have been thinking about Daubert, that certainly sounds like an argument that MD5 would not meet the Daubert standard.<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
I scientifically reason where MD5 is still secure, you work the other way round: MD5 is still usable. Oops no, lets exclude that case. Oops, no lets also exclude that case. etc. etc. Its the wrong approach in security.</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074465442650091521?ref_src=twsrc%5Etfw">December 17, 2018</a></blockquote>
<br />
I included this tweet because it relates to what I said previously about the fact that we (forensic examiners) are not experts in cryptography. Understanding which specific use cases might be okay for MD5 requires a good understanding of the attacks against MD5 and how they can be used. We don't have that expertise so we should trust in cryptographers and not use MD5.<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
And all I'm saying is that MD5 does not protect against active evidence tampering.</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074388722613960705?ref_src=twsrc%5Etfw">December 16, 2018</a></blockquote>
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
I agreed MD5 is ok for file discovery of bad files if you still actually check content, I disagree for whitelisting. I also disagree that you can make any claims that images/files have been changed by any middleman just based on their MD5 hash.</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074373660687941632?ref_src=twsrc%5Etfw">December 16, 2018</a></blockquote>
<br />
<div>
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
In light of SHA2 and SHA3, the only value of MD5 for forensics is due to a legacy of old hashsets that cannot be recreated. It has only downsides & no merits by itself. Saying MD5 is suitable that is like saying salt is still suitable as money.</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074455178328375297?ref_src=twsrc%5Etfw">December 17, 2018</a></blockquote>
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
Doesn't matter at all: using the MD5 hash you simply have no scientific cryptographic basis to claim that any file in transit has not been changed by any middleman.</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074365639022862338?ref_src=twsrc%5Etfw">December 16, 2018</a></blockquote>
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
MD5 provides no additional security over CRC32. So you can claim it was not accidentally changed, but you cannot claim no middleman changed it.</div>
— Marc Stevens (@realhashbreaker) <a href="https://twitter.com/realhashbreaker/status/1074362797281210368?ref_src=twsrc%5Etfw">December 16, 2018</a></blockquote>
Most of the time, the authenticity of an image or other file is assured by having good procedures and a proper chain of custody. Any cryptographic hash or CRC function can detect accidental modification. We don't use cryptographic hashes in case something is accidentally modified. We use them either to prevent intentional modification or to provide a scientific air of respectability. It's pretty clear that Stevens does not think that MD5, or even SHA-1, should be used to provide any sort of higher guarantee about the authenticity of digital evidence.<br />
<br />
At this point, I think anyone trying to rely on MD5 in court is committing a grave error. And any forensic examiner trying to defend MD5 is out over his skis.</div>
Analyzing infected documents (2018-11-30)<br />
<br />
Occasionally, users ask me to take a look at a document (usually .docx or .pdf) that they are unsure of. It might be that the sender is someone known to them but they weren't expecting a report or an invoice, or perhaps they don't know the sender but the message seems legitimate. As part of our security awareness campaigns, I have repeatedly encouraged them to ask. I'm glad they do.<br />
<br />
Other times, it comes to my attention that a user has, or might have, opened a malicious attachment. In these cases also I need to find out what I'm dealing with. Is the document malicious? What does it do if you open it (and Enable Content)? Does it actually execute code or just link to a phishing site?<br />
<br />
My favorite tool for analyzing these documents is <a href="https://www.hybrid-analysis.com/">https://www.hybrid-analysis.com</a>. This site makes it very easy to figure out whether a document is malicious, analyze its behavior, and identify potential indicators of compromise. The following is a quick walkthrough that highlights some of the information provided when you analyze a document on the site.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnOqnPOjy6JO02jinKAPxww49e9vUcQOs5o5f8_1knG9xdWqnOpI7yztVwumZPegXxxdZfiQ2ReCPo1Y3X0VaCYOVVAXHTuqD-rmTIpH6-D11iwIdFKlG-NBm2kZoDC7ej-IyygD6ONyI/s1600/Start+Page.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="701" data-original-width="697" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnOqnPOjy6JO02jinKAPxww49e9vUcQOs5o5f8_1knG9xdWqnOpI7yztVwumZPegXxxdZfiQ2ReCPo1Y3X0VaCYOVVAXHTuqD-rmTIpH6-D11iwIdFKlG-NBm2kZoDC7ej-IyygD6ONyI/s640/Start+Page.PNG" width="635" /></a></div>
<br />
To start with, simply drag and drop the file into the box or provide a URL, and click Analyze.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl06oVKaXEehCOZo38UmbvFgus6iz9erQH-cFQUxz5AXBA8iR9d7RDj0WIGxNpv_GhvihI9AiV6KV-Yh0ixuEdiI6QdtNpT1ARfO-3ZVVT8Jp-RAbovK2Y4o9WWJqu4gMHSV7uCqT-9yo/s1600/Step+2+-+basic+info.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="861" data-original-width="597" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl06oVKaXEehCOZo38UmbvFgus6iz9erQH-cFQUxz5AXBA8iR9d7RDj0WIGxNpv_GhvihI9AiV6KV-Yh0ixuEdiI6QdtNpT1ARfO-3ZVVT8Jp-RAbovK2Y4o9WWJqu4gMHSV7uCqT-9yo/s640/Step+2+-+basic+info.PNG" width="443" /></a></div>
<br />
You can provide an email for optional notification, or just proceed. You do have to agree to their terms. Be very careful if there is any possibility that your document contains PII. Most of the documents I deal with are (if they turn out to be legitimate) things like invoices that are not confidential (I work in the public sector).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8F2Lt60k5GsxkuDIWk0xUjbt4r1PrY3684q4Nm1Zj0tAcVgyRIYkWFI9QrpncwvHwCJL2N1XAcUDOkre7Sx71sYg6dJYOaBzTnHxTuAxWanKQeTla4jCT1ppAHhTrBfZe7_1d0lJqots/s1600/Step+3+-+pick+a+VM.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="498" data-original-width="599" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8F2Lt60k5GsxkuDIWk0xUjbt4r1PrY3684q4Nm1Zj0tAcVgyRIYkWFI9QrpncwvHwCJL2N1XAcUDOkre7Sx71sYg6dJYOaBzTnHxTuAxWanKQeTla4jCT1ppAHhTrBfZe7_1d0lJqots/s1600/Step+3+-+pick+a+VM.PNG" /></a></div>
<br />
Pick a VM and you're ready to go.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlm6cwTVH-8TSYsz7kHvTzY8bxmaVU3EqSnJqGy0SBMh3WswhP8EwoBLp9ZoMXXqZtNsvrKW00Pz-i_QU_GyLf3mYPHsoHZgX38gOZuLggejB7-pPOIjBITvO8RDA8s8UXAMQ8fsKibkA/s1600/Overview.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="260" data-original-width="1272" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlm6cwTVH-8TSYsz7kHvTzY8bxmaVU3EqSnJqGy0SBMh3WswhP8EwoBLp9ZoMXXqZtNsvrKW00Pz-i_QU_GyLf3mYPHsoHZgX38gOZuLggejB7-pPOIjBITvO8RDA8s8UXAMQ8fsKibkA/s640/Overview.PNG" width="640" /></a></div>
As you can see, the overview will tell you whether this file has been seen before ("Last Sandbox Report") and what percentage of AV programs detect it as malicious. The AV results were less certain when I ran this document through a couple of days ago (I think it was at about a 10-15% detection rate). But what if it's not detected as malicious, or only a few programs think so? We should dig in.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp3lAUc1xmB549k5wmvdJH453zt6m3EVJejjhwIC4KwLMLD8vrLnLzykFcCBD6nnnIMc-RbJuU7oIXdBLaD6udLBLtPs8g0CmCFQ47NQHOJ-wwnrv-EJ9FtwgPaBFwo4CK1WY9ID_gCj0/s1600/Sandbox+Reports.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="506" data-original-width="998" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp3lAUc1xmB549k5wmvdJH453zt6m3EVJejjhwIC4KwLMLD8vrLnLzykFcCBD6nnnIMc-RbJuU7oIXdBLaD6udLBLtPs8g0CmCFQ47NQHOJ-wwnrv-EJ9FtwgPaBFwo4CK1WY9ID_gCj0/s640/Sandbox+Reports.PNG" width="640" /></a></div>
Further down is the sandbox report. It usually takes 15-20 minutes to get a report back, but I've run this file through before so I have a report available now. Let's click the report on the right and see what we get.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-ypXv_KXszGObqQP7MkTuxuamUxYm4mO1meiRxFyxjfMOPplW6vGrY2q9Q3GPSYz4kU9x1oOOA9TwIG85z_H0dnH4bodOO0ahUlfR09Qu9yqlYDKUeDF9O7Y2dWklMlrcl5cVbWkwFbc/s1600/Results+-+Incident+Response.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="557" data-original-width="1579" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-ypXv_KXszGObqQP7MkTuxuamUxYm4mO1meiRxFyxjfMOPplW6vGrY2q9Q3GPSYz4kU9x1oOOA9TwIG85z_H0dnH4bodOO0ahUlfR09Qu9yqlYDKUeDF9O7Y2dWklMlrcl5cVbWkwFbc/s640/Results+-+Incident+Response.PNG" width="640" /></a></div>
<br />
This already looks bad. My Word document is spawning new processes and making network connections. Not what I'd normally expect (or want).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqCZi4h-XlBO1DwCRL1meKhXJZGJiiyOA9ywtXt0dWaf8otBeuKcIxloTTcYn9gQeQt5RZl8rmP3p1jBO_H7qbTB6QM-UMyuY-2kk-e8PhubMslyZx28AzM51rvkZhCfcU4Xf-mpVtgjc/s1600/Results+-+Malicious+Indicators+-+Part+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="743" data-original-width="917" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqCZi4h-XlBO1DwCRL1meKhXJZGJiiyOA9ywtXt0dWaf8otBeuKcIxloTTcYn9gQeQt5RZl8rmP3p1jBO_H7qbTB6QM-UMyuY-2kk-e8PhubMslyZx28AzM51rvkZhCfcU4Xf-mpVtgjc/s1600/Results+-+Malicious+Indicators+-+Part+1.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
This document appears to run a series of PowerShell commands, drops an executable jDY.exe, and creates nirmalahistory.exe. I don't know what the ultimate purpose is, but I've seen more than enough to know that I don't want anyone to open this.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmFZNkQTq2CiAb11TUXFl7Yd-aLYRLYCCc4r2Y9tjdIPeXGNpWXjTG3sHJvzQ9yI7bTsLo0xIsJpxHcxJqTwJPBjXJD4yPsFbXGaiTFu8Q4WpJB3wQP4UVKGa1hlTt4_j1tzUofgXc0tM/s1600/Results+-+Network+Related.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="530" data-original-width="1032" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmFZNkQTq2CiAb11TUXFl7Yd-aLYRLYCCc4r2Y9tjdIPeXGNpWXjTG3sHJvzQ9yI7bTsLo0xIsJpxHcxJqTwJPBjXJD4yPsFbXGaiTFu8Q4WpJB3wQP4UVKGa1hlTt4_j1tzUofgXc0tM/s1600/Results+-+Network+Related.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Further down, I can see that opening this document resulted in contacting several sites with phishy-looking names. On the right, I can see that all of them are tagged as malicious by at least some AV engines.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgdGWtrmrFTwfh7mjFWsx_tgU_z3S9yDA2w7NNKxMpafUc4tfAn0FvxBb5MCgIGUj5gQKEMCeqj-aG3tpvCrSl5mHYrjvhcXyButvKsWxEufd5Lla0lf5ZlRguXP5wg4J8ZsFrF53Far4/s1600/Results+-+Unusual+Characteristics.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="936" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgdGWtrmrFTwfh7mjFWsx_tgU_z3S9yDA2w7NNKxMpafUc4tfAn0FvxBb5MCgIGUj5gQKEMCeqj-aG3tpvCrSl5mHYrjvhcXyButvKsWxEufd5Lla0lf5ZlRguXP5wg4J8ZsFrF53Far4/s1600/Results+-+Unusual+Characteristics.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Further down, we can see the actual command lines that are executed by this document. They appear obfuscated, but we can see what we already knew: it executes a bunch of PowerShell commands.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYOCWZBvKbdGC7HBAGN9BQc82VehtV0NzfXXxMM4KGPMGCNjn4ByxNyU5v8HUDt_fJMZmRnd2Ytdj4NbZV9yJTLJGl1dBMDXwkIQ4O_qJniZuodSz0wiLUOjFgromJ19PDs3UFmaqZR8A/s1600/Suspicious+-+Persistence.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="760" data-original-width="938" height="517" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYOCWZBvKbdGC7HBAGN9BQc82VehtV0NzfXXxMM4KGPMGCNjn4ByxNyU5v8HUDt_fJMZmRnd2Ytdj4NbZV9yJTLJGl1dBMDXwkIQ4O_qJniZuodSz0wiLUOjFgromJ19PDs3UFmaqZR8A/s640/Suspicious+-+Persistence.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Under Suspicious Indicators, we can see that the process accesses the Service Control Manager and appears to be starting a new service.<br />
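The indicators the report has surfaced so far (an Office process spawning PowerShell, executables being dropped, a service being created, outbound connections) are the same behaviours a defender would look for in their own endpoint telemetry. The following is an added example (mine, not the post's and not code from hybrid-analysis.com) that evaluates a constructed trace of process, file, API and network events against exactly those rules. The event schema is hypothetical, the pids and the 203.0.113.10 address are made up, and only the dropped file names jDY.exe and nirmalahistory.exe come from the post. The point of the lineage tracking is that the rules fire only for processes descending from an Office application, so an administrator's own PowerShell session produces no finding.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one telemetry record in a hypothetical, constructed schema that
// mirrors what the sandbox report lists: process starts, file writes, API
// calls and network connections, each tied to a process id.
type Event struct {
	Kind   string // "start", "write", "api" or "connect"
	PID    int    // process the event belongs to (the new process for "start")
	PPID   int    // parent process id ("start" only)
	Image  string // image name of the new process ("start" only)
	Target string // file path, API name or remote address, depending on Kind
}

var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}
var scriptHosts = map[string]bool{
	"powershell.exe": true, "cmd.exe": true, "wscript.exe": true, "cscript.exe": true, "mshta.exe": true,
}
var serviceAPIs = map[string]string{
	"OpenSCManagerW": "opened the Service Control Manager",
	"CreateServiceW": "created a service",
	"StartServiceW":  "started a service",
}

// assess walks the events in order, tracks every process that descends from an
// Office application, and reports the behaviours from the post for that
// lineage only. Matching is by pid, as real telemetry would do, not by name.
func assess(events []Event) []string {
	lineage := map[int]string{} // pid -> image, for Office apps and their descendants
	var findings []string
	for _, e := range events {
		switch e.Kind {
		case "start":
			img := strings.ToLower(e.Image)
			if officeApps[img] {
				lineage[e.PID] = e.Image // a new root of interest
			} else if parent, ok := lineage[e.PPID]; ok {
				lineage[e.PID] = e.Image // child of a tracked process
				if scriptHosts[img] {
					findings = append(findings, fmt.Sprintf("%s spawned script host %s", parent, e.Image))
				}
			}
		case "write":
			if p, ok := lineage[e.PID]; ok && strings.HasSuffix(strings.ToLower(e.Target), ".exe") {
				findings = append(findings, fmt.Sprintf("%s dropped executable %s", p, e.Target))
			}
		case "api":
			if p, ok := lineage[e.PID]; ok {
				if what, hit := serviceAPIs[e.Target]; hit {
					findings = append(findings, fmt.Sprintf("%s %s", p, what))
				}
			}
		case "connect":
			if p, ok := lineage[e.PID]; ok {
				findings = append(findings, fmt.Sprintf("%s connected to %s", p, e.Target))
			}
		}
	}
	return findings
}

// sampleEvents is a constructed trace modelled on the report in the post; the
// dropped file names come from the post, the pids and the address are made up.
func sampleEvents() []Event {
	return []Event{
		{Kind: "start", PID: 100, PPID: 1, Image: "explorer.exe"},
		{Kind: "start", PID: 200, PPID: 100, Image: "WINWORD.EXE"},
		{Kind: "start", PID: 300, PPID: 200, Image: "powershell.exe"},
		{Kind: "write", PID: 300, Target: `C:\Users\victim\AppData\Local\Temp\jDY.exe`},
		{Kind: "start", PID: 400, PPID: 300, Image: "jDY.exe"},
		{Kind: "write", PID: 400, Target: `C:\Users\victim\AppData\Roaming\nirmalahistory.exe`},
		{Kind: "api", PID: 400, Target: "CreateServiceW"},
		{Kind: "connect", PID: 300, Target: "203.0.113.10:443"},
		{Kind: "start", PID: 500, PPID: 100, Image: "powershell.exe"}, // an admin's own shell: no finding
	}
}

func main() {
	for _, f := range assess(sampleEvents()) {
		fmt.Println("-", f)
	}
}
```

Running it prints five findings, one per suspicious behaviour in the trace, and nothing for the unrelated PowerShell process started from Explorer.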
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGIpRwuqr3JCnxJpjebp1XMEoAzwKD1A4TBo-4Q-ACSsOdYMOghQgkSDdVZu-yKgbnoIIpP4lP8goJ2s0N1Lug8ciaOt4kyjL0gYdy1BcGcMfkmWlYs3SeB6oVbWqGK3SDeTbdEQSAJTw/s1600/Suspicious+-+Network+Related.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="737" data-original-width="898" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGIpRwuqr3JCnxJpjebp1XMEoAzwKD1A4TBo-4Q-ACSsOdYMOghQgkSDdVZu-yKgbnoIIpP4lP8goJ2s0N1Lug8ciaOt4kyjL0gYdy1BcGcMfkmWlYs3SeB6oVbWqGK3SDeTbdEQSAJTw/s1600/Suspicious+-+Network+Related.PNG" /></a></div>
<br />
A little further down we have a handy list of IP addresses that these processes connect to.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ4c93HSvyrCAc66r1FtBG0PgeZ2iWXB5BKoHm1dNCHh9GoXEAS9FkphC2AK1XMPaGYq0YY6xPldbBzQUnlo3mShLGPGibRndxDRDk553h4UbNwsaap_QzcQo2FJXzhDCYFDsqwbjk4rI/s1600/Suspicious+-+Obfuscated.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="281" data-original-width="1071" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ4c93HSvyrCAc66r1FtBG0PgeZ2iWXB5BKoHm1dNCHh9GoXEAS9FkphC2AK1XMPaGYq0YY6xPldbBzQUnlo3mShLGPGibRndxDRDk553h4UbNwsaap_QzcQo2FJXzhDCYFDsqwbjk4rI/s1600/Suspicious+-+Obfuscated.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRiugByCuqRN-HG9jG_WsCRF224frSGo1ECEi0ag2lb4kRmjm37l7xz_zEy4ccYgqnfWsJTXMEIS9_PFKzryE7L1VgGS7h3JlA1BIQxkuKZr4A8SLy5HT75jGR71lpAriQlPjvtGmeoWc/s1600/Informative+-+Domain+Names.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="254" data-original-width="872" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRiugByCuqRN-HG9jG_WsCRF224frSGo1ECEi0ag2lb4kRmjm37l7xz_zEy4ccYgqnfWsJTXMEIS9_PFKzryE7L1VgGS7h3JlA1BIQxkuKZr4A8SLy5HT75jGR71lpAriQlPjvtGmeoWc/s1600/Informative+-+Domain+Names.PNG" /></a></div>
<br />
<br />
And domain names and URLs too.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-iIRkhX7lO_UVXRw5I03oKoZOzngMvgVPF2HivrseVVWgHA6k3Q9SvtICNWOkmh1otS9Gii8w-j96v1YT3qfQ6_zjzpAWFdr2cnLPHKor3T1RHN2ce00NOHqSK1WUeB74S8h8Zzu97Tk/s1600/Screenshots+-+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="335" data-original-width="1121" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-iIRkhX7lO_UVXRw5I03oKoZOzngMvgVPF2HivrseVVWgHA6k3Q9SvtICNWOkmh1otS9Gii8w-j96v1YT3qfQ6_zjzpAWFdr2cnLPHKor3T1RHN2ce00NOHqSK1WUeB74S8h8Zzu97Tk/s640/Screenshots+-+1.PNG" width="640" /></a></div>
<br />
Near the bottom, we get to see screenshots from the VM that was used to open and analyze the document. This is very helpful for cases where the document either is not malicious or links to a phishing site rather than trying to execute code. If the document is legitimate, I would expect to see a real invoice, letter, etc. I can show this to my users and ask them if it's something they were expecting. In the case that it's used for phishing and doesn't execute any code, I might see that the document contains a fake link to Dropbox or Google Drive.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpJy5oyzqxdGROFarbckg3AQgF5-JbihzP6PgIg0coTAI6dP8T4-01PyoinHnCDmiBlTgbiMhRzRmJzy3Y94biKYBisVkA4mPD2s6JcYx940UFtn639LPTR_JwwUAuWFoxoDV1abJU6co/s1600/Screenshots+-+2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="327" data-original-width="1118" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpJy5oyzqxdGROFarbckg3AQgF5-JbihzP6PgIg0coTAI6dP8T4-01PyoinHnCDmiBlTgbiMhRzRmJzy3Y94biKYBisVkA4mPD2s6JcYx940UFtn639LPTR_JwwUAuWFoxoDV1abJU6co/s640/Screenshots+-+2.PNG" width="640" /></a></div>
Hover over the right-hand side of the series to scroll right and see additional images. Click on one to open it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfBgCcRECcVaheVx4AWDeCOsffGVR9wrxRjtnNfzaTGlFzXJ9YqDzV98rBJaM7HSQFI6Ym_8-1Uy13Fi1DYP53cYlDYLB83Ldfd7gA3P0PbQXBD8BylRZyGH-xqG_zi6fTfgs6MO7Vpik/s1600/screenshots+-+3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="1038" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfBgCcRECcVaheVx4AWDeCOsffGVR9wrxRjtnNfzaTGlFzXJ9YqDzV98rBJaM7HSQFI6Ym_8-1Uy13Fi1DYP53cYlDYLB83Ldfd7gA3P0PbQXBD8BylRZyGH-xqG_zi6fTfgs6MO7Vpik/s640/screenshots+-+3.PNG" width="640" /></a></div>
<br />
<br />
Here, we see that this document offers the user a pretext for clicking "Enable Content".<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM63Wuni-K1Qcdm7ySgdpau11r92uvVIoIJ6FhfmBuaYNodex6BpJu2eMDx3v3_sf0YVxgBrP4MV5tUTe3XItbEw0zy5XGeHeU4UOaatJD-C_rfX3_6ptDpXDlYt5D07z5x6awqSK57vQ/s1600/Extracted+Files+-+Malicious.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="780" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM63Wuni-K1Qcdm7ySgdpau11r92uvVIoIJ6FhfmBuaYNodex6BpJu2eMDx3v3_sf0YVxgBrP4MV5tUTe3XItbEw0zy5XGeHeU4UOaatJD-C_rfX3_6ptDpXDlYt5D07z5x6awqSK57vQ/s1600/Extracted+Files+-+Malicious.PNG" /></a></div>
<br />
Near the bottom we can see all of the files that were dropped as well as the AV scan results for those files. In this case, the jDY.exe file is identified as Emotet.<br />
<br />
<a href="https://blog.malwarebytes.com/detections/trojan-emotet/" target="_blank">MalwareBytes</a> describes Emotet as "a banking Trojan that can steal data, such as user credentials stored on the browser, by eavesdropping on network traffic." The "banking trojan" part is clear enough. In the next part, I think they mean to say that it steals credentials from the browser AND grabs network traffic. They also say "[o]nce Trojan.Emotet has infected a networked machine, it will propagate using the Eternal Blue vulnerability." Gnarly. <a href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank">CERT</a> says that "Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans." They indicate that it can spread over SMB but do not mention using EternalBlue or other exploits. <a href="https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor" target="_blank">Symantec</a> reports that Emotet has been used to spread Qakbot which uses Mimikatz.<br />
<br />
If you wanted to do some additional reverse engineering, this is probably the point at which you'd want to load this into another tool and start analyzing the executables yourself. For my purposes, I've got more than enough information.<br />
<br />
One important thing that I haven't discussed so far is that this tool provides lots of indicators of compromise (IOCs):<br />
<br />
<br />
<ul>
<li>A process named "nirmalahistory.exe"</li>
<li>An executable named "jDY.exe"</li>
<li>Several IP addresses and domain names</li>
</ul>
<div>
I could follow up by checking to see if any of my users have reached out to the addresses given here. If so, they are compromised. I could also search my EDR tool for the executables named. I might also check logs for evidence of any new service installations, but there's a lot more noise there.</div>
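The follow-up described above, as an added example (not the author's tooling): a small IOC sweep over constructed proxy, EDR and Windows event log records. The two file names are the ones from the report; the domain and IP are placeholders for the values in the screenshots, which this page does not reproduce.

```python
import re

# IOCs from the sandbox report. The two file names come from the post; the
# domain and IP are PLACEHOLDERS for the values in the report screenshots,
# which this page does not reproduce. Matching is case-insensitive.
IOCS = {
    "filename": {"nirmalahistory.exe", "jdy.exe"},
    "domain": {"malicious-domain.example"},
    "ip": {"192.0.2.10"},
}

# Constructed sample records (not from the post), one per line, all in the
# shape "<timestamp> <source> <host-or-client> <details>":
#   proxy    - web proxy access log entry (client IP, method, URL)
#   edr      - process start with the full image path
#   eventlog - Windows System event 7045 (new service installed), flattened
SAMPLE_LOGS = [
    "2019-01-10T14:02:11Z proxy 10.1.2.33 GET http://malicious-domain.example/doc.php",
    "2019-01-10T14:02:15Z proxy 10.1.2.33 CONNECT 192.0.2.10:443",
    "2019-01-10T14:02:20Z proxy 10.1.2.57 GET https://www.example.org/",
    "2019-01-10T14:03:01Z edr WKS-033 C:\\Users\\alice\\AppData\\Local\\Temp\\jDY.exe",
    "2019-01-10T14:03:05Z eventlog WKS-033 EventID=7045 ServiceName=nirmalahistory "
    "ImagePath=C:\\Windows\\nirmalahistory.exe",
    "2019-01-10T14:10:00Z edr WKS-041 C:\\Program Files\\Vendor\\update.exe",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"(?:https?://|CONNECT )([a-z0-9.-]+)", re.I)
EXE_RE = re.compile(r"([^\\/\s=]+\.exe)\b", re.I)


def match_line(details):
    """Return (ioc_type, value) pairs found in one record's details field."""
    hits = []
    hits += [("ip", ip) for ip in IP_RE.findall(details) if ip in IOCS["ip"]]
    hits += [("domain", d.lower()) for d in DOMAIN_RE.findall(details)
             if d.lower() in IOCS["domain"]]
    hits += [("filename", e) for e in EXE_RE.findall(details)
             if e.lower() in IOCS["filename"]]
    # A service installation is only reported when its image is itself an
    # IOC; on its own, event 7045 is the noisy signal the post warns about.
    if "EventID=7045" in details and hits:
        service = details.split("ServiceName=", 1)[-1].split()[0]
        hits.append(("service_install", service))
    return hits


def sweep(lines):
    """Group IOC hits by the host (or proxy client IP) that produced them."""
    report = {}
    for line in lines:
        timestamp, source, host, details = line.split(maxsplit=3)
        for ioc_type, value in match_line(details):
            report.setdefault(host, []).append((timestamp, source, ioc_type, value))
    return report


if __name__ == "__main__":
    for host, hits in sweep(SAMPLE_LOGS).items():
        print(host)
        for hit in hits:
            print("   ", *hit)
```

Hosts that never touched an IOC (10.1.2.57 and WKS-041 in the sample) do not appear in the report at all.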
Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-25802024300897541652018-09-02T19:21:00.003-07:002018-09-02T19:21:53.784-07:00What is a server?<br />
I have a new post up on my company webpage. I've been meaning to post this for a while. After the DNC was hacked in 2016, there were questions (mostly from people chasing one conspiracy theory or another) about whether the FBI made a mistake by not taking the DNC's server. Not only is taking the server not a typical practice (especially where the owner is a victim and not a perpetrator), it would be extraordinarily difficult. This post breaks down what a server actually is. For readers who are working in IT, there's probably nothing new to see here. For readers coming from a non-technical background, I hope this will prove interesting and informative.<br />
<br />
The gist of my post is that, at one time, many servers were basically souped-up desktop computers. This is generally not the case anymore. The resources that ultimately make up a server may span several physical devices and each of those devices may support dozens of servers. It's a many-to-many relationship. Check out the post:<br />
<br />
<a href="https://www.tracedf.com/single-post/2018/09/02/What-is-a-server" target="_blank">What is a server?</a><br />
<br />
If you need a computer or mobile forensics consultant, I'm available: <a href="http://www.tracedf.com/" target="_blank">Trace Digital Forensics, LLC</a>.Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com1tag:blogger.com,1999:blog-7266528187680728229.post-72549477457756224862018-01-08T23:42:00.002-08:002018-01-08T23:42:42.498-08:00Consulting: Trace Digital Forensics, LLCI haven't blogged here much recently. A couple of years back I started a digital forensics consulting firm, <a href="https://www.tracedf.com/" target="_blank">Trace Digital Forensics</a>, and have been doing most of my <a href="https://www.tracedf.com/blog" target="_blank">blogging</a> over there. I'm going to try to get back to posting some security, crypto and IT related content here and will cross-post some of the forensics content.<br />
<br />
If you need a digital forensics consultant, <a href="mailto:steven@tracedf.com" target="_blank">email me</a>. I can handle most cases involving Windows, Mac, Android and iOS. I'm also working on an arrangement to subcontract for audio and video specialty work. I am open to working either side of a case and am happy to evaluate reports from opposing experts and/or recommend lines of questioning. Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-32719040596040419342018-01-04T17:30:00.000-08:002018-01-04T17:39:32.027-08:00Safari Plugin Forensics - com.apple.Safari.plist<div style="box-sizing: border-box; color: #333333; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; margin-bottom: 16px; text-size-adjust: auto;">
I'm posting this later than promised but this is a slightly revised version of what I submitted for Guidance Software's forensic bug bounty on BugCrowd.<br />
<br />
In OS X 10.9, Apple started tracking which sites were configured to play Flash video in the file /Users/[user]/Library/Safari/PlugInOrigins.plist. I originally discovered this while working on a case where a user had been browsing adult websites at work. The user's browser history (if I'm remembering this correctly) did not have any entries showing his visits to these sites but there was an entry in PlugInOrigins.plist showing that he had enabled Flash for one of them. I eventually found a lot of other material to support the accusation and the user admitted what he had been up to.</div>
<div style="box-sizing: border-box; color: #333333; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; margin-bottom: 16px; text-size-adjust: auto;">
As of OS X 10.10, the PlugInOrigins.plist file is no longer used. The setting is now saved in /Users/[user]/Library/Preferences/com.apple.Safari.plist.</div>
<div style="box-sizing: border-box; color: #333333; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; margin-bottom: 16px; text-size-adjust: auto;">
The file is stored as a binary property list and can be converted to XML with the command "plutil -convert xml1 com.apple.Safari.plist". A sample portion of this file is below. There is an entry for each configured site showing whether Flash should play, not play, or ask the user. It also tracks the last visited date and time. This artifact can be used to show whether a computer/account was used to visit a particular site. For example, the artifact in the file below would demonstrate that the computer was used to visit the HBO Now service on August 1st at 5:57 AM GMT.</div>
<pre class="highlight plaintext" style="background-color: whitesmoke; border-radius: 3px; border: 1px solid rgb(235, 235, 235); box-sizing: border-box; color: #333333; font-family: Menlo, Consolas, "Liberation Mono", Courier, "Bitstream Vera Sans Mono", monospace; font-size: 11.9px; line-height: 1.45; margin-bottom: 16px; overflow: auto; padding: 16px; text-size-adjust: auto; word-break: break-word; word-wrap: normal;"><code style="background-color: transparent; border-radius: 2px; border: 0px; box-sizing: border-box; display: inline; font-family: Menlo, Consolas, "Liberation Mono", Courier, "Bitstream Vera Sans Mono", monospace; line-height: inherit; margin: 0px; max-width: none; padding: 0px; word-break: normal; word-wrap: normal;"><key>com.macromedia.Flash Player.plugin</key>
<dict>
    <key>PlugInDisallowPromptBeforeUseDialog</key>
    <true/>
    <key>PlugInFirstVisitPolicy</key>
    <string>PlugInPolicyBlock</string>
    <key>PlugInHostnamePolicies</key>
    <array>
        <dict>
            <key>PlugInHostname</key>
            <string>play.hbonow.com</string>
            <key>PlugInLastVisitedDate</key>
            <date>2017-08-01T05:57:45Z</date>
            <key>PlugInPageURL</key>
            <string>https://play.hbonow.com/</string>
            <key>PlugInPolicy</key>
            <string>PlugInPolicyAllowWithSecurityRestrictions</string>
            <key>PlugInRunUnsandboxed</key>
            <false/>
        </dict></code></pre>
<div style="box-sizing: border-box; color: #333333; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; margin-bottom: 16px; text-size-adjust: auto;">
This file also contains artifacts for other plugins such as Silverlight, e.g.:</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<pre class="highlight plaintext" style="background-color: whitesmoke; border-radius: 3px; border: 1px solid rgb(235, 235, 235); box-sizing: border-box; color: #333333; font-family: Menlo, Consolas, "Liberation Mono", Courier, "Bitstream Vera Sans Mono", monospace; font-size: 11.9px; line-height: 1.45; margin-bottom: 16px; overflow: auto; padding: 16px; text-size-adjust: auto; word-break: break-word; word-wrap: normal;"><key>com.microsoft.SilverlightPlugin</key>
<dict>
    <key>PlugInDisallowPromptBeforeUseDialog</key>
    <true/>
    <key>PlugInFirstVisitPolicy</key>
    <string>PlugInPolicyBlock</string>
    <key>PlugInHostnamePolicies</key>
    <array>
        <dict>
            <key>PlugInHostname</key>
            <string>amazon.com</string>
            <key>PlugInLastVisitedDate</key>
            <date>2017-07-17T03:20:55Z</date>
            <key>PlugInPageURL</key>
            <string>https://www.amazon.com/Dawn-Planet-Apes-Andy-Serkis/</string>
            <key>PlugInPolicy</key>
            <string>PlugInPolicyAllowWithSecurityRestrictions</string>
            <key>PlugInRunUnsandboxed</key>
            <false/>
        </dict>
    </array></pre>
</div>
<div style="box-sizing: border-box; color: #333333; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; margin-bottom: 16px; text-size-adjust: auto;">
Notice in this example that it shows the specific URL that was visited.<br />
<br />
</div>
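An added example (not the post's code) that reads com.apple.Safari.plist in either its on-disk binary form or the XML form plutil produces and lists every per-site plug-in entry with its last-visited time. The sample plist is constructed from the fragments above; the "PlugInInfo" parent key is an assumption about where Safari nests these dictionaries, and the parser does not depend on it.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample in XML form, built from the fragments quoted in the post.
# The "PlugInInfo" parent key is an assumption about how Safari nests these
# dictionaries; the walker below finds PlugInHostnamePolicies at any depth.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInInfo</key>
  <dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict>
      <key>PlugInHostnamePolicies</key>
      <array>
        <dict>
          <key>PlugInHostname</key>
          <string>play.hbonow.com</string>
          <key>PlugInLastVisitedDate</key>
          <date>2017-08-01T05:57:45Z</date>
          <key>PlugInPageURL</key>
          <string>https://play.hbonow.com/</string>
          <key>PlugInPolicy</key>
          <string>PlugInPolicyAllowWithSecurityRestrictions</string>
        </dict>
      </array>
    </dict>
    <key>com.microsoft.SilverlightPlugin</key>
    <dict>
      <key>PlugInHostnamePolicies</key>
      <array>
        <dict>
          <key>PlugInHostname</key>
          <string>amazon.com</string>
          <key>PlugInLastVisitedDate</key>
          <date>2017-07-17T03:20:55Z</date>
          <key>PlugInPageURL</key>
          <string>https://www.amazon.com/Dawn-Planet-Apes-Andy-Serkis/</string>
          <key>PlugInPolicy</key>
          <string>PlugInPolicyAllowWithSecurityRestrictions</string>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def _find_policies(node, path, found):
    """Depth-first walk collecting (plugin_id, PlugInHostnamePolicies) pairs."""
    if isinstance(node, dict):
        if "PlugInHostnamePolicies" in node:
            found.append((path[-1] if path else "", node["PlugInHostnamePolicies"]))
        for key, value in node.items():
            _find_policies(value, path + [key], found)
    elif isinstance(node, list):
        for value in node:
            _find_policies(value, path, found)


def extract_plugin_visits(raw):
    """List per-site plug-in entries from the bytes of com.apple.Safari.plist.

    plistlib.loads detects binary and XML plists itself, so the on-disk
    binary file can be read directly without running plutil first.
    """
    found = []
    _find_policies(plistlib.loads(raw), [], found)
    records = []
    for plugin, policies in found:
        for entry in policies:
            visited = entry.get("PlugInLastVisitedDate")
            if isinstance(visited, datetime):
                # plist dates are UTC; plistlib hands back naive datetimes
                visited = visited.replace(tzinfo=timezone.utc).isoformat()
            records.append({
                "plugin": plugin,
                "hostname": entry.get("PlugInHostname", ""),
                "page_url": entry.get("PlugInPageURL", ""),
                "policy": entry.get("PlugInPolicy", ""),
                "last_visited": visited or "",
            })
    records.sort(key=lambda r: r["last_visited"])   # oldest visit first
    return records


def as_binary_plist(xml_bytes):
    """Re-encode an XML plist as binary, the form the file has on disk."""
    return plistlib.dumps(plistlib.loads(xml_bytes), fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for rec in extract_plugin_visits(as_binary_plist(SAMPLE_PLIST)):
        print(rec["last_visited"], rec["plugin"], rec["hostname"], rec["page_url"])
```

On a real system, pass the raw bytes of ~/Library/Preferences/com.apple.Safari.plist (from a forensic copy, not the live file) to extract_plugin_visits.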
Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-28468195250824432662015-02-10T16:08:00.000-08:002015-02-10T16:24:26.442-08:00Exporting text messages from an iPhoneLast week, I was asked to acquire the text messages from an iPhone and to pull out only the messages that were to/from a particular party in a particular date range. This took a little research to pull off so I'm posting this to share the steps we took. I hope that this will be useful to others doing forensic investigations or e-discovery.<br />
<br />
The first phone we needed to pull messages from was an iPhone. To start with, we <a href="http://www.wired.com/2013/11/backup-sms-iphone/">backed</a> up the phone to the user's computer via iTunes. On Mac OS X, the backups are <a href="http://support.apple.com/en-us/HT204269">stored</a> in <i>~/Library/Application Support/MobileSync/Backup/{UDID}</i>. The individual backup files have no extension and the names of the files are the SHA-1 hashes of the original file path and name from the phone. In this particular instance, the name of the database containing the SMS messages was 3d0d7e5fb2ce288813306e4d4636395e047a3d28, the same name cited in <a href="https://theiphonewiki.com/wiki/ITunes_Backup">other</a> <a href="http://www.wired.com/2013/11/backup-sms-iphone/">articles</a>. Be careful, however, as this name can change. If your backup does not contain this file name, a quick grep for 'chat_handle_join' (or any other tell-tale sign) should show you the correct sms.db file.<br />
<br />
<a name='more'></a>After locating the correct file, I made a copy, renamed it with a .db extension and opened it in <a href="http://sqlitebrowser.org/">DB Browser</a> for SQLite. There are several tables in the database, the most pertinent of which are <i>handle</i> and <i>message</i>. The <i>handle</i> table contains a list of phone numbers and other IDs. <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUdEDhL2rjEswaQs-5t-8z_cppWMaeYGZ6USpsBFYv_SxsXQQ5fbpSnhLeRG6597BhOPR5sjr_Fu1ZzA_J9tkfHjqRyhyEYmCyuxQck9mY_edQeQBtLzaBkFOpje2AxXM_0LYs33GYvAE/s1600/Handle+Table.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUdEDhL2rjEswaQs-5t-8z_cppWMaeYGZ6USpsBFYv_SxsXQQ5fbpSnhLeRG6597BhOPR5sjr_Fu1ZzA_J9tkfHjqRyhyEYmCyuxQck9mY_edQeQBtLzaBkFOpje2AxXM_0LYs33GYvAE/s1600/Handle+Table.PNG" height="242" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
In order to match individual messages with their senders or recipients, you'll need to find the numbers that you're interested in under the <i>id</i> field and note the corresponding <i>ROWID</i>. For example, phone number (916) 555-1111 has <i>ROWID</i> 2.<br />
<br />
In the <i>message</i> table, the most pertinent fields are:<br />
<br />
<ul>
<li><i>text</i>: the content of the message</li>
<li><i>handle_id</i>: the <i>ROWID</i> in the <i>handle</i> table of the number or ID associated with this message.</li>
<li><i>date</i>: when the message was sent</li>
<li><i>date_read</i>: when the message was read</li>
<li><i>date_delivered</i>: when the message was delivered</li>
<li><i>is_from_me</i>: 1 if true, 0 if false. In other words, 1 means this phone sent it and 0 means it was sent by someone else to this phone.</li>
</ul>
<div>
In the example below, we can see that <i>handle_id</i> 1, which was <i>+19165556789</i> in the <i>handle</i> table, sent or received a message suggesting "Let's get lunch." In order to tell if our phone sent or received this message, we would have to scroll to the right to check the <i>is_from_me</i> field.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN8p1uT_H4t87xWAKpQjG9ObeUrw-qsSw7tBrfnTPdUM2fazY4ukeYjzgRYLt3QhKt3vglt31jkmCUc48Qzh_IFRVltd-dY8jxNoxooilLjuh8mLrrjMzozHxDOErpjMB9C24HHl3cnV4/s1600/messages+table+-+handle+ID.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN8p1uT_H4t87xWAKpQjG9ObeUrw-qsSw7tBrfnTPdUM2fazY4ukeYjzgRYLt3QhKt3vglt31jkmCUc48Qzh_IFRVltd-dY8jxNoxooilLjuh8mLrrjMzozHxDOErpjMB9C24HHl3cnV4/s1600/messages+table+-+handle+ID.PNG" height="204" width="640" /></a></div>
<div>
<br /></div>
<br />
<br />
In order to search either the <i>handle</i> or <i>message</i> tables, we can type in the "Filter" box at the top of any column. By default, the filtering looks for an exact match. So, if we type 1 in the <i>handle_id</i> filter box, we'll see only those messages to/from <i>handle_id</i> 1.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Z5Ah0gaFt1hGumpBnEaUgOmUM2aiJN5TzbxikrSrvQzO8HAETrJpmirJDxgNiM6k9lVVaaP32PmCFjgWRb8k40CIM3Kgps-EVpQ69OaTD8uPXuEH2s1l4LTQhuPnxpQcWrx03sqK_LM/s1600/filter+-+handle.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Z5Ah0gaFt1hGumpBnEaUgOmUM2aiJN5TzbxikrSrvQzO8HAETrJpmirJDxgNiM6k9lVVaaP32PmCFjgWRb8k40CIM3Kgps-EVpQ69OaTD8uPXuEH2s1l4LTQhuPnxpQcWrx03sqK_LM/s1600/filter+-+handle.PNG" height="312" width="640" /></a></div>
<br />
For a wildcard search, we can use '%'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidTr2mllJV9285iz0XUqXtW5zFNe_QLnpWXKyhvsuiQqyXXUXIdBCLt9_RCH95fzyQ1KQ_xocxVc6VhZGt1hxo-a_EpqIZ8tW_KpUv6LlpvDbYcdm2v4wwYXQKnu4l2V0V3X8NfQaquwI/s1600/filter+-+message.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidTr2mllJV9285iz0XUqXtW5zFNe_QLnpWXKyhvsuiQqyXXUXIdBCLt9_RCH95fzyQ1KQ_xocxVc6VhZGt1hxo-a_EpqIZ8tW_KpUv6LlpvDbYcdm2v4wwYXQKnu4l2V0V3X8NfQaquwI/s1600/filter+-+message.PNG" height="182" width="640" /></a></div>
<br />
The filtering in DB Browser is good for a quick peek, but I did not see an option to export only select records. So, I exported everything: File->Export->Table(s) as CSV file...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihGWztPRhMM6YZH-NhKE4vBiLtdLPZIMS78HYUIVprZwryFrOZ1nHnQ2kmGlIKvCYoOLwrb56WVaRqfuP0k-7vVVLv3nfTytojAsw7MhOHjoArE24zarIi5XeLcxifrNLR1B0h2il-3U0/s1600/export.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihGWztPRhMM6YZH-NhKE4vBiLtdLPZIMS78HYUIVprZwryFrOZ1nHnQ2kmGlIKvCYoOLwrb56WVaRqfuP0k-7vVVLv3nfTytojAsw7MhOHjoArE24zarIi5XeLcxifrNLR1B0h2il-3U0/s1600/export.png" height="224" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Then, I opened the resulting CSV file in Excel, filtered by <i>handle_id</i>, and took out several columns. I also wanted to narrow the results to a particular date range but Excel did not recognize the data from the various columns as a date. The sms.db file stores each <a href="http://stackoverflow.com/questions/10746562/parsing-date-field-of-iphone-sms-file-from-backup">date</a> as the number of seconds since 1/1/2001 according to Greenwich Mean Time. To convert this to a readable date format, I added a new column called <i>Converted Date</i> and used the formula </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>=(L2-28800)/(60*60*24)+DATE(2001,1,1)</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
L2 is the date field I wanted to convert; substitute as necessary. The <i>-28800</i> is necessary to convert the date to my local time (Pacific). 28800 = 3600 * 8. Simply using </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>=L2/(60*60*24)+DATE(2001,1,1)</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
will convert to GMT.</div>
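The same filter-by-handle, filter-by-date-range and date-conversion steps, as an added example in Python that is not part of the original post. It runs against a constructed in-memory stand-in for sms.db, uses a real time-zone conversion instead of the fixed -28800 (which is off by an hour during Pacific Daylight Time), and, going beyond the post, also accepts the nanosecond dates that iOS 11 and later write.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

# sms.db dates count from 2001-01-01 00:00:00 GMT (Apple's Core Data epoch).
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

try:
    from zoneinfo import ZoneInfo
    PACIFIC = ZoneInfo("America/Los_Angeles")      # follows PST/PDT switches
except Exception:                                   # no zoneinfo or no tz database
    PACIFIC = timezone(timedelta(hours=-8), "PST")  # the post's fixed 8-hour offset

# Constructed rows (not from the post) in the shape of the handle and message
# tables described above; the numbers and texts are made up.
SAMPLE_HANDLES = [(1, "+19165556789"), (2, "+19165551111")]
SAMPLE_MESSAGES = [
    # ROWID, text, handle_id, date, date_read, date_delivered, is_from_me
    (1, "Let's get lunch.", 1, 442000000, 442000060, 442000001, 0),
    (2, "Sure, noon?", 1, 442000120, 0, 442000121, 1),
    (3, "Running late", 2, 442100000, 0, 442100001, 0),
    (4, "See you next week", 1, 445000000, 0, 445000001, 1),
]


def build_sample_db():
    """Create an in-memory stand-in for sms.db with the columns used below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (
            ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
            date INTEGER, date_read INTEGER, date_delivered INTEGER,
            is_from_me INTEGER);
    """)
    conn.executemany("INSERT INTO handle VALUES (?, ?)", SAMPLE_HANDLES)
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def apple_to_utc(value):
    """Convert an sms.db date value to an aware UTC datetime, or None for 0.

    Backups from the post's era store seconds since the 2001 epoch; iOS 11 and
    later store nanoseconds (beyond the post), which are far too large to be
    seconds and are scaled back. 0 means "not set", e.g. date_read when unread.
    """
    if not value:
        return None
    if value > 10**12:
        value = value / 1e9
    return APPLE_EPOCH + timedelta(seconds=value)


def export_messages(conn, handle, start_utc, end_utc, local_tz=PACIFIC):
    """Messages to/from `handle` whose send date lies in [start_utc, end_utc).

    The range is converted to epoch seconds once so the filter runs in SQL on
    the raw column instead of converting every row first.
    """
    start = int((start_utc - APPLE_EPOCH).total_seconds())
    end = int((end_utc - APPLE_EPOCH).total_seconds())
    rows = conn.execute(
        """SELECT m.ROWID, h.id, m.is_from_me, m.date, m.date_read, m.text
           FROM message AS m JOIN handle AS h ON m.handle_id = h.ROWID
           WHERE h.id = ? AND m.date >= ? AND m.date < ?
           ORDER BY m.date""",
        (handle, start, end),
    ).fetchall()
    records = []
    for rowid, hid, is_from_me, date, date_read, text in rows:
        sent, read = apple_to_utc(date), apple_to_utc(date_read)
        records.append({
            "rowid": rowid,
            "handle": hid,
            "direction": "sent" if is_from_me else "received",
            "date_utc": sent.isoformat(),
            "date_local": sent.astimezone(local_tz).isoformat(),
            "date_read_local": read.astimezone(local_tz).isoformat() if read else "",
            "text": text,
        })
    return records


def to_csv(records):
    """Serialise records as CSV text, the hand-off format the post ends with."""
    fields = ["rowid", "handle", "direction", "date_utc", "date_local", "date_read_local", "text"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def sample_export():
    """January 2015 traffic with +19165556789 from the constructed database."""
    return export_messages(build_sample_db(), "+19165556789",
                           datetime(2015, 1, 1, tzinfo=timezone.utc),
                           datetime(2015, 2, 1, tzinfo=timezone.utc))
```

For a real case, replace build_sample_db() with sqlite3.connect() on a copy of the backup file the post describes; the query and conversions are unchanged.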
Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com1tag:blogger.com,1999:blog-7266528187680728229.post-87700605094732329032014-05-06T12:13:00.000-07:002014-05-06T12:13:22.802-07:00Dual EC SRP (in SageMath)<span style="font-family: inherit;">I've been using SageMath to work some example numbers for a proposal to adapt Secure Remote Passwords to elliptic curves. For anyone who might want to play around with it, you can read the code below or find the pastebin copy <a href="http://pastebin.com/bcby5b4z">here</a>.</span><br />
<span style="font-family: inherit;"><br />
I'm very new to Sage so I apologize if the code stinks. </span><br />
<span style="font-family: inherit;"><br />
Note 1: In order to distinguish between Alice's and Bob's variables, Alice's variables all begin with "A_" and Bob's with "B_". Shared parameters (such as the curve E) do not have a prefix.</span><br />
<span style="font-family: inherit;"><br />
Note 2: I'm using static values for everything. In reality, a, b and r should be random. Feel free to change the values. Alice and Bob should still agree on their shared key S.</span><br />
<span style="font-family: inherit;"><br />
Note 3: I don't use a salt value. It's important in real life, but not necessary here.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># NIST Parameters</span><br />
<span style="font-family: Courier New, Courier, monospace;">NIST_p = 115792089210356248762697446949407573530086143415290314195533631308867097853951</span><br />
<span style="font-family: Courier New, Courier, monospace;">NIST_r = 115792089210356248762697446949407573529996955224135760342422259061068512044369</span><br />
<span style="font-family: Courier New, Courier, monospace;">NIST_b = Integer(0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b)</span><br />
<span style="font-family: Courier New, Courier, monospace;">NIST_Px = Integer(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296)</span><br />
<span style="font-family: Courier New, Courier, monospace;">NIST_Py = Integer(0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)</span><br />
<span style="font-family: Courier New, Courier, monospace;">NIST_Qx = Integer(0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192)</span><br />
<span style="font-family: Courier New, Courier, monospace;">NIST_Qy = Integer(0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Construct E and Q using NIST parameters</span><br />
<span style="font-family: Courier New, Courier, monospace;">F = GF(NIST_p)</span><br />
<span style="font-family: Courier New, Courier, monospace;">E = EllipticCurve(F, [0, 0, 0, -3, NIST_b])</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "E: " + str(E)</span><br />
<span style="font-family: Courier New, Courier, monospace;">print</span><br />
<span style="font-family: Courier New, Courier, monospace;">Q = E(NIST_Qx, NIST_Qy)</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Q: " + str(Q) + "\n"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Use Alice's password hash to determine P</span><br />
<span style="font-family: Courier New, Courier, monospace;">x = Integer(0x4efa264f5ef3e1a5c95736e07544ebf0)</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "MD5 Hash of \"curve\", x = " + str(x)</span><br />
<span style="font-family: Courier New, Courier, monospace;">P = x*Q</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "P = x*Q = " + str(P) + "\n"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">#Create Alice's public key</span><br />
<span style="font-family: Courier New, Courier, monospace;">A_a = Integer(0xd103fb3406c351a03578097503d26fa5)</span><br />
<span style="font-family: Courier New, Courier, monospace;">A_A = A_a*Q</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Alice's secret key a = " + str(A_a)</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Alice's public key A = a*Q = " + str(A_A) + "\n"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">#Give Alice's key to Bob</span><br />
<span style="font-family: Courier New, Courier, monospace;">B_A = A_A</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Create Bob's public key, Bprime</span><br />
<span style="font-family: Courier New, Courier, monospace;">B_b = Integer(0x6abd98d8b311a26ab2cab394e1ecb8af)</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Bob's secret key b = " + str(B_b)</span><br />
<span style="font-family: Courier New, Courier, monospace;">B_Bprime = B_b*Q</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Bob's value of Bprime = " + str(B_Bprime) + "\n"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Generate Tp and Tq</span><br />
<span style="font-family: Courier New, Courier, monospace;">B_r = Integer(0xdfd98dc638b36d4f86712de2e3bd37de)</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Bob's random value r = " + str(B_r)</span><br />
<span style="font-family: Courier New, Courier, monospace;">B_Tq = B_r*Q</span><br />
<span style="font-family: Courier New, Courier, monospace;">B_Tp = B_r*P</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Bob's Tq = r*Q = " + str(B_Tq)</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Bob's Tp = r*P = " + str(B_Tp)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Mask Bob's public key using Tp</span><br />
<span style="font-family: Courier New, Courier, monospace;">B_B = B_Bprime+B_Tp</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Bob's value of B = " + str(B_B) + "\n"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Give B and Tq to Alice</span><br />
<span style="font-family: Courier New, Courier, monospace;">A_Tq = B_Tq</span><br />
<span style="font-family: Courier New, Courier, monospace;">A_B = B_B</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Calculate Alice's Tp</span><br />
<span style="font-family: Courier New, Courier, monospace;">A_Tp = x*A_Tq</span><br />
<span style="font-family: Courier New, Courier, monospace;">A_Bprime = A_B - A_Tp</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Alice's Tp = " + str(A_Tp)</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Alice's Bprime = " + str(A_Bprime) + "\n"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Alice's calculation of the shared key</span><br />
<span style="font-family: Courier New, Courier, monospace;">A_S = A_a*A_Bprime</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Alice's S = " + str(A_S)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># Bob's calculation of the shared key</span><br />
<span style="font-family: Courier New, Courier, monospace;">B_S = B_b*B_A</span><br />
<span style="font-family: Courier New, Courier, monospace;">print "Bob's S = " + str(B_S)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: inherit;">Here's a screen capture of the output:</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtFcBEnbfWexnWAz8WVmS4_0NcSDE8thVGiBugnBIK-STLGD6Y0qTW9oUBCLiijjbYKfEjlDwvWQhhrE48vl3aUmMOhmwCuAyutIGrFUPv646Ri8kZYFUDk5xPh7LNXbg2UjVLcmnJ0WY/s1600/Dual+EC+SRP+Test+Values.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtFcBEnbfWexnWAz8WVmS4_0NcSDE8thVGiBugnBIK-STLGD6Y0qTW9oUBCLiijjbYKfEjlDwvWQhhrE48vl3aUmMOhmwCuAyutIGrFUPv646Ri8kZYFUDk5xPh7LNXbg2UjVLcmnJ0WY/s1600/Dual+EC+SRP+Test+Values.PNG" height="82" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for full size</td></tr>
</tbody></table>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-63272080031815351062014-05-05T12:46:00.000-07:002014-05-10T11:58:24.698-07:00Dual EC SRP (request for feedback)<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;"><br />I'm looking for feedback on a proposal for adapting Secure Remote Passwords (SRP) to Elliptic Curves. </span><br />
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;"><br /></span>
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"><b>Update: </b></span><span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">Steve Thomas provided an attack on this proposal. I've been trying to find a way to protect against it without introducing new flaws but I have not been able to do so. I will post about these efforts soon and link to the new post here.</span><br />
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;"><br /></span>
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">For readers already familiar with elliptic curves and SRP, the very short version is this: I propose a protocol based on SRP and Diffie-Hellman using a public point Q and a secret point P = xQ, where x is the user's password hash. The exchange of public values A and B is modified slightly. The server generates a value B' = bQ but also generates a random number r and multiplies both P and Q by r. The value rQ is sent to the client along with the value B = B' + rP. The client must calculate the value rP = x(rQ) and subtract rP from B to get B'. A wrong value of B', resulting either from the client's lack of knowledge of x or from the server's lack of knowledge of P (in the case of an impostor), will result in a wrong value of S, where S = aB' = bA = baQ. After calculating S, the client sends a verifier M1 = H(A, B, S), which the server authenticates and responds to with H(A, M1, S).</span><br />
<br />
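The exchange just described, as an added example that is not the post's Sage script: a minimal pure-Python P-256 implementation (textbook affine arithmetic written for this example; assumes Python 3.8+ for modular inverses via pow) runs both sides with the test values from the script above, then repeats the run with a wrong password hash to show that the client's recovered B' and shared S no longer match the server's. The function names (server_challenge, client_unmask, run_exchange) are mine, not the post's.

```python
# NIST P-256 parameters, copied from the post's Sage script
P256_P = 115792089210356248762697446949407573530086143415290314195533631308867097853951
P256_N = 115792089210356248762697446949407573529996955224135760342422259061068512044369
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# The public point Q used by the protocol (also from the post)
Q = (0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192,
     0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046)

INF = None  # point at infinity (group identity)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 - 3x + b over GF(p), or is the identity."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def point_add(p1, p2):
    """Affine addition; handles the identity, doubling and p1 + (-p1)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return INF  # p2 is the negation of p1
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def point_neg(pt):
    """Negation: (x, y) -> (x, -y)."""
    if pt is INF:
        return INF
    return (pt[0], (-pt[1]) % P256_P)


def scalar_mult(k, pt):
    """Right-to-left double-and-add for a non-negative integer k."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def server_challenge(b, r, P):
    """Server side: B' = bQ, Tq = rQ, Tp = rP, B = B' + Tp. (B, Tq) go to the client."""
    b_prime = scalar_mult(b, Q)
    tq = scalar_mult(r, Q)
    tp = scalar_mult(r, P)
    return b_prime, point_add(b_prime, tp), tq


def client_unmask(x, B, Tq):
    """Client side: Tp = x*Tq = rP, so B' = B - Tp. Needs the password hash x."""
    tp = scalar_mult(x, Tq)
    return point_add(B, point_neg(tp))


def run_exchange(x_client, x_registered, a, b, r):
    """Run one exchange and return (S_client, S_server); x_registered is the hash the
    server used to store P = xQ, x_client the hash derived at login (differs if wrong)."""
    P = scalar_mult(x_registered, Q)  # server's secret point, never sent
    A = scalar_mult(a, Q)             # client's public value, sent to the server
    b_prime, B, tq = server_challenge(b, r, P)
    b_prime_client = client_unmask(x_client, B, tq)
    s_client = scalar_mult(a, b_prime_client)  # aB'
    s_server = scalar_mult(b, A)               # bA = abQ
    return s_client, s_server


# Test scalars from the post's script (x is MD5("curve") read as an integer)
X_HASH = 0x4efa264f5ef3e1a5c95736e07544ebf0
A_SECRET = 0xd103fb3406c351a03578097503d26fa5
B_SECRET = 0x6abd98d8b311a26ab2cab394e1ecb8af
R_RANDOM = 0xdfd98dc638b36d4f86712de2e3bd37de

if __name__ == "__main__":
    good = run_exchange(X_HASH, X_HASH, A_SECRET, B_SECRET, R_RANDOM)
    bad = run_exchange(X_HASH + 1, X_HASH, A_SECRET, B_SECRET, R_RANDOM)
    print("correct password, S agrees:", good[0] == good[1])  # True
    print("wrong password, S agrees:  ", bad[0] == bad[1])    # False
```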
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">
I look forward to your comments. The (very rough) version follows below.</span><br />
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-align: center;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-align: center;"><b style="font-size: 12pt; line-height: 200%;">Abstract</b></span></div>
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">Secure
Remote Passwords (SRP) is a password authentication protocol based on Diffie-Hellman
Key Exchange (DHKE). SRP resists both
passive and active attacks and does not store a password-equivalent on the
authenticating server. There has been interest in adapting SRP to work on
elliptic curves, but elliptic curves provide only an additive group whereas SRP
requires a field (with addition and multiplication of field elements).</span><br />
<div align="center" class="MsoNormalCxSpFirst" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto; text-align: center;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"><b>Secure Remote Passwords</b></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">Secure Remote Passwords (SRP) is a password authentication and key exchange protocol based on Diffie-Hellman Key Exchange (DHKE). All computations in SRP are done in a finite field <i>F</i><sub><i>n</i></sub><sup>*</sup> where <i>n</i> is a large prime (Wu, 1998). The verifier stored on the server is the value <i>g<sup>x</sup></i> where <i>g</i> is a generator of <i>F</i><sub><i>n</i></sub><sup>*</sup> and <i>x</i> is the SHA-1 hash of the user's password (Wu, 1998; Wu, 2000). In addition to the verifier, the server stores a salt value <i>s</i> which is not secret and is used to compute the salted hash of the user's password. The salt for each user should be unique.</span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"><br /></span>
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The
steps in the SRP protocol, illustrated in Table 1, are as follows:</span></div>
<ol><span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The
client signals his intent to log in and transmits his username, </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">I</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">,</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">
</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">to the server.</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The server looks
up the user's verifier </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">v=g<sup>x</sup>
mod n</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> and the salt value </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">s</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">.</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The
server responds to the client with the salt value </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">s.</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client uses the hash
function H to hash the salt, username and password into the digest value </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">x</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">.</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client generates a secret ephemeral value <i>a</i>, computes <i>A=g<sup>a</sup></i> and sends <i>A</i> to the server. The server computes <i>B = 3v + g<sup>b</sup> = 3g<sup>x</sup> + g<sup>b</sup></i>. Notice that this value of <i>B</i> is different from what we would expect in a Diffie-Hellman Key Exchange. The addition of the value <i>3v</i> serves two purposes. First, the addition of <i>v</i> integrates the verifier into the protocol so that the server can prove knowledge of <i>v</i> and the client can prove knowledge of <i>x</i>. Second, the multiplication by three introduces an asymmetry that prevents a novel (but not very serious) attack where an active attacker attempting to impersonate the server can make two guesses at the password (Wu, 2002).</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The
server sends the value </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">B</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> to the
client and both sides hash the public values </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">A</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> and </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">B</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> to compute </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">u</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">.</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">
</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The value </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">u</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> is used to ensure
that the following computations are specific to this choice of public values
(and therefore the ephemeral keys </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">a</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">
and </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">b</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">) in order to prevent attacks
where the client knows the verifier and can construct </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">A</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> to cancel out </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">v</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> in the
server’s calculation of </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">S</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">.</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">Both sides compute the value <i>S</i> which will be hashed to create the key in step 8.</span>
<ol>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client computes <i>S = (B - 3g<sup>x</sup>)<sup>a+ux</sup> = (3g<sup>x</sup> + g<sup>b</sup> - 3g<sup>x</sup>)<sup>a+ux</sup> = (g<sup>b</sup>)<sup>a+ux</sup> = g<sup>ba+bux</sup></i></span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The server computes <i>S = (Av<sup>u</sup>)<sup>b</sup> = (g<sup>a</sup>(g<sup>x</sup>)<sup>u</sup>)<sup>b</sup> = (g<sup>a+ux</sup>)<sup>b</sup> = g<sup>ba+bux</sup></i></span></li>
</ol>
</li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client hashes the values <i>A</i>, <i>B</i> and <i>S</i> to create the verifier <i>M<sub>1</sub></i> and sends it to the server, which verifies <i>M<sub>1</sub></i> using its own calculation for <i>S</i>.</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The server calculates </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">M<sub>2</sub></i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">
by hashing the values </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">A</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> and </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">M<sub>1</sub></i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> along with its own
calculated value for </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">S</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> and sends the
result to the client.</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client
verifies </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">M<sub>2</sub></i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">.</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client and server both hash their previously calculated
values of </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">S</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> (which should be equal)
to create the session key </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">K</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">.</span></li>
</span></ol>
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: Cambria, serif; font-size: 12pt;">Step</span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: Cambria, serif; font-size: 12pt;">Client</span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: Cambria, serif; font-size: 12pt;">Traffic</span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: Cambria, serif; font-size: 12pt;">Server</span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: Cambria, serif; font-size: 12pt;">1</span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="font-family: Cambria, serif; font-size: 12pt;"><i>I</i> = username ----></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: Cambria, serif; font-size: 12pt;">Lookup the salt <i>s</i></span></div>
<div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: Cambria, serif; font-size: 12pt;">and verifier <i>v=g<sup>x</sup></i></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">2<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">x=H(s, H( I:P))<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><-----s<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<br /></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">3<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">A=g<sup>a</sup><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">A----><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">B
= 3v + g<sup>b</sup><o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">4<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">u = H(A,B)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><----B<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">u
= H(A,B)<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">5<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">S = (B - 3g<sup>x</sup>)<sup>a+ux<o:p></o:p></sup></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">S
= (Av<sup>u</sup>)<sup>b</sup><o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">6<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">M<sub>1</sub> = H(A,B,S)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">M<sub>1</sub>----><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">(verify
M<sub>1</sub>)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 2.7pt; mso-yfti-irow: 7;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">7<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">(verify M<sub>2</sub>)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><----M<sub>2</sub><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">M<sub>2</sub>
= H(A, M<sub>1</sub>, S)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 2.7pt; mso-yfti-irow: 8; mso-yfti-lastrow: yes;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">8<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">K = H(S)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">K=
H(S)<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
</span><br />
<div align="center" class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto; text-align: center;">
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;"><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Table 1: The SRP-6 Protocol (Wu, 2002).<o:p></o:p></span></span></div>
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">
</span>
<br />
<div align="center" class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto; text-align: center;">
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;"><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><br /></span></span></div>
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">
</span>
<br />
<div align="center" class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto; text-align: center;">
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;"><b><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">A Critical Component of SRP<o:p></o:p></span></b></span></div>
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">
</span>
<br />
<div class="MsoNormalCxSpLast" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;"><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">One of the most critical steps in SRP, and the one that
makes it difficult to adapt SRP to elliptic curves is the calculation of B in
step 3. The server adds the user's
verifier and the server's public key (<i>g<sup>b</sup>)</i>
to produce the value B; the client then
subtracts out the verifier exponentiating by <i>a+ux</i>. This critical piece
allows the client to prove knowledge of <i>x</i>
without giving away any knowledge of what he thinks x is. Suppose instead that both sides simply
calculated <i>g<sup>abx</sup>. </i>An attacker posing as the server would be
able to assemble <i>g<sup>ab</sup></i> and
mount a dictionary attack to discover <i>x</i>
since he would be able to check his guesses against the client's value for <i>g<sup>abx</sup></i> (using <i>S</i>).
The mechanism used by SRP does not allow this to happen.<o:p></o:p></span></span></div>
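<div class="MsoNormalCxSpLast" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">The following is an added worked example of the exchange in Table 1, written for this page rather than taken from Wu's paper or from any SRP library. It runs both sides of SRP-6 in Python with SHA-256 as <i>H</i>, <i>k</i> = 3, and a toy 127-bit Mersenne prime as <i>N</i> (an assumption made only to keep the numbers readable; a real deployment would use the RFC 5054 groups). The class and function names are this example's own. It also carries the two checks a practitioner should not omit: rejecting an <i>A</i> or <i>B</i> that is 0 mod <i>N</i>, and comparing <i>M<sub>1</sub></i> and <i>M<sub>2</sub></i> in constant time.</span></div>

```python
"""Worked SRP-6 run following Table 1 (added example, not from Wu's paper)."""
import hashlib
import hmac
import secrets

# Toy group parameters.  N is a Mersenne prime so it is obviously prime, but
# 127 bits is far too small for real use: deploy the RFC 5054 groups instead.
N = 2**127 - 1
g = 3
k = 3                      # SRP-6 fixes the multiplier at 3 (SRP-6a uses H(N, g))


def H(*parts):
    """H(...) as an integer: SHA-256 over the big-endian encoding of each part."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(part, str):
            part = part.encode()
        h.update(part)
    return int.from_bytes(h.digest(), "big")


def to32(n):
    """Fixed-width encoding so the proofs can be compared in constant time."""
    return n.to_bytes(32, "big")


def register(I, password):
    """Enrolment: the server stores (s, v) and never sees the password or x."""
    s = secrets.token_bytes(16)
    x = H(s, H(f"{I}:{password}"))                    # x = H(s, H(I:P))
    return s, pow(g, x, N)                            # v = g^x


class Server:
    def __init__(self, db):
        self.db = db

    def step1(self, I):                               # steps 1-2: look up s, v
        self.s, self.v = self.db[I]
        return self.s

    def step3(self, A):                               # steps 3-5
        if A % N == 0:
            raise ValueError("A is 0 mod N")          # RFC 5054 mandates this check
        self.A = A
        b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, b, N)) % N      # B = 3v + g^b
        u = H(A, self.B)                              # u = H(A, B)
        self.S = pow(A * pow(self.v, u, N), b, N)     # S = (A v^u)^b
        return self.B

    def step6(self, M1):                              # steps 6-8
        if not hmac.compare_digest(to32(M1), to32(H(self.A, self.B, self.S))):
            raise ValueError("client proof M1 rejected")
        self.K = H(self.S)                            # K = H(S)
        return H(self.A, M1, self.S)                  # M2 = H(A, M1, S)


def client_login(I, password, server):
    """Client side of Table 1; returns the session key K or raises."""
    s = server.step1(I)
    x = H(s, H(f"{I}:{password}"))
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                  # step 3: A = g^a
    B = server.step3(A)
    if B % N == 0:
        raise ValueError("B is 0 mod N")
    u = H(A, B)                                       # step 4
    # Step 5: subtract 3*g^x back out of B, leaving g^b, then raise to a + ux.
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, S)                                   # step 6
    M2 = server.step6(M1)
    if not hmac.compare_digest(to32(M2), to32(H(A, M1, S))):
        raise ValueError("server proof M2 rejected")  # step 7
    return H(S)                                       # step 8


if __name__ == "__main__":
    db = {"alice": register("alice", "correct horse battery staple")}
    srv = Server(db)
    print(client_login("alice", "correct horse battery staple", srv) == srv.K)
```

<div class="MsoNormalCxSpLast" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">With a wrong password the server's check of <i>M<sub>1</sub></i> fails before it derives <i>K</i>, and the transcript (<i>I</i>, <i>s</i>, <i>A</i>, <i>B</i>, <i>M<sub>1</sub></i>) gives neither party anything to test further guesses against offline: a second guess means a second run.</span></div>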
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">
</span>
<div class="MsoNormalCxSpLast" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;"><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><br /></span></span></div>
<span style="font-family: Cambria, serif; font-size: 12pt; font-weight: normal; line-height: 200%;">
<div align="center" style="line-height: 200%; margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<b><span style="font-family: "Cambria","serif"; mso-ascii-theme-font: major-latin; mso-hansi-theme-font: major-latin;">The Elliptic Curve Discrete Logarithm Problem</span></b></div>
<div style="line-height: 200%; margin: 0in 0in 0.0001pt; text-align: left;">
<span style="font-family: Cambria, serif; line-height: 200%; text-indent: 0.5in;">The elliptic curve discrete
logarithm problem (ECDLP) is similar to the ordinary discrete logarithm problem
except that it involves point addition on elliptic curves instead of
exponentiation. It is also considered to
be a hard problem. Given a starting point
P and an ending point T, the ECDLP challenges us to find the value x such that
T = xP = P +...+ P (x times) (Paar and Pelzl, 2010, pg. 247). </span></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<br /></div>
<div align="center" style="line-height: 200%; margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<b><span style="font-family: "Cambria","serif"; mso-ascii-theme-font: major-latin; mso-hansi-theme-font: major-latin;">Dual_EC_DRBG<o:p></o:p></span></b></div>
<div class="MsoNormalCxSpFirst" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Dual_EC_DRBG is a random number generator that uses
elliptic curve operations. (See Figure 1). In 2007, Shumow and Ferguson discovered that
it was possible to backdoor Dual EC by selecting the points P and Q such that P
= dQ for some value d. Since it is
relatively easy to reconstruct R*Q (or a handful of possibilities for R*Q) from
T, an attacker who knows the value d can calculate R*P = d*(R*Q) which allows
him to predict the next state value S.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQiRCFfD_qSoEtnMoxfr4zxKROM_3wuLLOogz4A5AEfcBwMr6jwMs0n2pZdk0uukPV3kqavW537DDbjVqbXH2IVfjx7xLLu7dJlYsms1B80BbOQRqOkHsLstm4Q7n9L6sDB0y8Y9Qep1c/s1600/Figure+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQiRCFfD_qSoEtnMoxfr4zxKROM_3wuLLOogz4A5AEfcBwMr6jwMs0n2pZdk0uukPV3kqavW537DDbjVqbXH2IVfjx7xLLu7dJlYsms1B80BbOQRqOkHsLstm4Q7n9L6sDB0y8Y9Qep1c/s1600/Figure+3.png" height="153" width="320" /></a></b></div>
<br />
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"> </span></b><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-align: center;">Figure 1</span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<br /></div>
<div align="center" class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto; text-align: center;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><b>Dual EC SRP</b><o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">The SRP protocol cannot be directly adopted for elliptic
curves because elliptic curves provide only an additive group whereas SRP
requires a field (with addition and multiplication of field elements). This paper proposes an adaptation of SRP for
elliptic curves using a mechanism inspired by the Dual EC DRBG
backdoor to establish a shared parameter. </span><br />
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><br /></span>
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Note: this isn't Dual EC DRBG. I just came about the idea while studying elliptic curve cryptography and Dual EC DRBG. The two points stored by the server in my scheme aren't necessarily any different than in a <a href="http://grouper.ieee.org/groups/1363/passwdPK/submissions/p1363ecsrp.pdf">previous scheme</a> proposed by Wang, but my proposal is simpler. </span><br />
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><br /></span>
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">In this protocol, the server stores two points
on an elliptic curve, P and Q where P = xQ and where x is the hash of the
user’s password (using a strong password hashing function). The point Q is public. The point P is the verifier which must be
kept secret. An attacker can use
knowledge of P to impersonate the server or to mount a dictionary attack on x
(by guessing values x’ and checking whether P = </span><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: Arial; mso-hansi-theme-font: major-latin;">x’Q</span><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"> </span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Step<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Client<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Traffic<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Server<o:p></o:p></span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">1<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">I = username<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">I ----><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Lookup
the salt s <o:p></o:p></span></div>
<div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">and
verifier P = xQ . <o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">2<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">x=H(s, I, P)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><-----s<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<br /></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">3<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">A=aQ<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">A-----><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<br /></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">4<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><----B,
T<sub>q</sub><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Generate
random values r and b. Calculate T<sub>p</sub>
= rP and T<sub>q</sub> = rQ <o:p></o:p></span></div>
<div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<br /></div>
<div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">B
= T<sub>p</sub> + bQ<o:p></o:p></span></div>
<div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">B’
= bQ<s><o:p></o:p></s></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">5<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">T<sub>p</sub> = xT<sub>q</sub><o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">S = a(B – T<sub>p</sub>)
= aB’<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">S
= bA<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">6<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">M<sub>1</sub> = H(A,B,S)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">M<sub>1</sub>----><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">(verify
M<sub>1</sub>)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 2.7pt; mso-yfti-irow: 7;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">7<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">(verify M<sub>2</sub>)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><----M<sub>2</sub><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">M<sub>2</sub>
= H(A, M<sub>1</sub>, S)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 2.7pt; mso-yfti-irow: 8; mso-yfti-lastrow: yes;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 33.5pt;" valign="top" width="45"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">8<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.4pt;" valign="top" width="209"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">K = H(S)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 1.75in;" valign="top" width="168"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 2.7pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 162.9pt;" valign="top" width="217"><div align="right" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: right;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">K=
H(S)<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<div align="center" class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto; text-align: center;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Table 2: Dual EC SRP<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><br /></span></div>
<div class="MsoNormalCxSpLast" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">The steps for the proposed
Dual EC SRP protocol are as follows:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
</div>
<ol>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client signals his intent to log in and transmits his
username, </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">I</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">, to the server.</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The server looks up the user’s verifier P=xQ
and the salt value s.</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The server responds with the salt value.</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client uses the hash function H to hash
the salt, username and password into the digest value x.</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client generates a secret ephemeral value </span><i style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">a</i><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">, computes A = aQ and sends A to the
server.</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The server generates random values r and b and computes B’ =
bQ, T</span><sub style="font-family: Cambria, serif; line-height: 200%;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> = rP and T</span><sub style="font-family: Cambria, serif; line-height: 200%;">q</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> = rQ.</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">
</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The server sends T</span><sub style="font-family: Cambria, serif; line-height: 200%;">q</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> and B to the client. </span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span><b style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">T<sub>p</sub>
is never transmitted.</b></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client uses his password hash to compute T</span><sub style="font-family: Cambria, serif; line-height: 200%;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> =
xT</span><sub style="font-family: Cambria, serif; line-height: 200%;">q</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> then calculates B’ = B – T</span><sub style="font-family: Cambria, serif; line-height: 200%;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">.</span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> </span><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">Finally, S = aB’.</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The client calculates and sends M</span><sub style="font-family: Cambria, serif; line-height: 200%;">1</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;"> = H(A, B, S).</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">The server calculates and responds with M</span><sub style="font-family: Cambria, serif; line-height: 200%;">2 </sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">= H(A,
M</span><sub style="font-family: Cambria, serif; line-height: 200%;">1</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">, S).</span></li>
<li><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%;">Both sides compute K = H(S).</span></li>
</ol>
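<div class="MsoNormal">The eight steps above, carried out end to end by both parties, as an added example in Go that is not code from the original post. It instantiates the page's Q as the P-256 base point and H as SHA-256 over fixed-width point encodings, and reads x = H(s, I, password) with the password as the third input. The Register function that creates the verifier, and the client's check that B and T<sub>q</sub> are valid non-identity points, are additions the table does not describe.</div>

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Point is an affine P-256 point; crypto/elliptic encodes the identity as (0, 0). Taking the page's Q
// to be the P-256 base point and H to be SHA-256 are this example's assumptions, not the page's.
type Point struct{ X, Y *big.Int }

var curve = elliptic.P256() // cofactor 1, so every valid non-identity point has prime order n

func mulQ(k *big.Int) Point          { x, y := curve.ScalarBaseMult(k.Bytes()); return Point{x, y} }
func mul(pt Point, k *big.Int) Point { x, y := curve.ScalarMult(pt.X, pt.Y, k.Bytes()); return Point{x, y} }
func add(a, b Point) Point           { x, y := curve.Add(a.X, a.Y, b.X, b.Y); return Point{x, y} }
func sub(a, b Point) Point           { return add(a, Point{b.X, new(big.Int).Sub(curve.Params().P, b.Y)}) }
func valid(pt Point) bool            { return curve.IsOnCurve(pt.X, pt.Y) } // false for (0, 0) and off-curve points

func encode(pt Point) []byte { // fixed-width point encoding used inside every hash
	return append(pt.X.FillBytes(make([]byte, 32)), pt.Y.FillBytes(make([]byte, 32))...)
}

func hash(parts ...[]byte) []byte { // the page's H: SHA-256 over the concatenated inputs
	sum := sha256.Sum256(bytes.Join(parts, nil))
	return sum[:]
}

func randScalar() *big.Int { // uniform in [1, n-1]; used for a, b and r
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(curve.Params().N, big.NewInt(1)))
	if err != nil {
		panic(err)
	}
	return k.Add(k, big.NewInt(1))
}

// passwordScalar is the page's x = H(s, I, password), reduced into the scalar field.
func passwordScalar(s []byte, I, password string) *big.Int {
	x := new(big.Int).SetBytes(hash(s, []byte(I), []byte(password)))
	return x.Mod(x, curve.Params().N)
}

// Verifier is the server's per-user record, the salt s and P = xQ; Register is the enrolment step the table omits.
type Verifier struct{ Salt []byte; P Point }

func Register(I, password string) Verifier {
	s := make([]byte, 16)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return Verifier{s, mulQ(passwordScalar(s, I, password))}
}

// clientProve is the client side of steps 5 and 6: Tp = xTq, B' = B - Tp, S = aB', M1 = H(A, B, S).
func clientProve(I, password string, s []byte, a *big.Int, A, B, Tq Point) (S Point, M1 []byte, err error) {
	// Added check, not in the page's table: for an identity or off-curve Tq, xTq carries no password information.
	if !valid(B) || !valid(Tq) {
		return S, nil, errors.New("server sent an invalid point")
	}
	Tp := mul(Tq, passwordScalar(s, I, password))
	S = mul(sub(B, Tp), a)
	return S, hash(encode(A), encode(B), encode(S)), nil
}

// Run performs one complete login with both parties in one process; comments carry the page's step numbers.
func Run(users map[string]Verifier, I, password string) (clientK, serverK []byte, err error) {
	v, ok := users[I] // 1: client sends I; server looks up s and P = xQ
	if !ok {
		return nil, nil, errors.New("unknown user")
	}
	a, r, b := randScalar(), randScalar(), randScalar() // 2: server sends s; 3: client sends A = aQ
	A := mulQ(a)
	B, Tq := add(mul(v.P, r), mulQ(b)), mulQ(r) // 4: Tp = rP stays on the server; B = Tp + bQ and Tq = rQ go out
	S, M1, err := clientProve(I, password, v.Salt, a, A, B, Tq) // 5-6: client sends M1
	if err != nil {
		return nil, nil, err
	}
	Ss := mul(A, b) // 6: server computes S = bA and checks M1
	if !bytes.Equal(M1, hash(encode(A), encode(B), encode(Ss))) {
		return nil, nil, errors.New("client proof M1 rejected")
	}
	M2 := hash(encode(A), M1, encode(Ss)) // 7: server sends M2, client checks it
	if !bytes.Equal(M2, hash(encode(A), M1, encode(S))) {
		return nil, nil, errors.New("server proof M2 rejected")
	}
	return hash(encode(S)), hash(encode(Ss)), nil // 8: K = H(S) on both sides
}

func main() {
	users := map[string]Verifier{"alice": Register("alice", "correct horse")} // constructed sample user
	ck, sk, err := Run(users, "alice", "correct horse")
	fmt.Println("honest login: err =", err, "keys agree =", bytes.Equal(ck, sk))
	_, _, err = Run(users, "alice", "wrong guess")
	fmt.Println("wrong password:", err)
}
```

<div class="MsoNormal">Run reports whether the two derived keys agree and how a wrong password fails: the client's T<sub>p</sub> is no longer rP, so its M<sub>1</sub> does not match the server's H(A, B, bA) and the server never sends M<sub>2</sub>. The point check in clientProve is there because x times the identity is the identity, which would strip the password's contribution out of S; on P-256 the cofactor is 1, so rejecting off-curve points and (0, 0) is the whole check.</div>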
<br />
<div class="MsoListParagraphCxSpFirst" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -.25in;">
</div>
<div align="center" class="MsoNormalCxSpFirst" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto; text-align: center;">
<b><span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Notes
and Analysis<o:p></o:p></span></b></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">The structure of this protocol is
very close to SRP, but the calculation of B and S is different and the value
u=H(A,B) is missing entirely. The value
u is not used because the verifier P is not used directly in the calculation of
S. Rather, P is used to generate T<sub>p</sub>
which is calculated indirectly by the client as xT<sub>q</sub>. An attacker with knowledge of the
verifier cannot determine T<sub>p</sub>
from T<sub>q</sub> and cannot trick the server into cancelling it out.</span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: "Cambria","serif"; font-size: 12.0pt; line-height: 200%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;">The server does not
directly use either T value in the calculation of S. Instead, the client must be able to determine
T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"> in order to subtract it from B to learn B’. The server always knows B and B’.</span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;">Notice that the server does
not directly use either the verifier or T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"> in order to calculate the
key. If an attacker poses as the server
without knowing P or x, the attacker will be able to generate the “correct”
key: bA = baQ. The client, however, does
use the value T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"> in order to determine B’ and will arrive at a
different result. The attacker cannot
use the client’s calculation of S to mount a dictionary attack either since the
client’s calculations require both T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"> and a. Put differently: the client and server must
agree on the value of T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"> or the client will end up with the wrong
value for B’.</span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;">For a passive eavesdropper,
the security of Dual EC SRP reduces to Elliptic Curve Diffie-Hellman Problem and
the reduction is simpler than in SRP. The
Elliptic Curve Diffie-Hellman Problem asks us to determine the value S=baQ from
the values A=aQ and B = bQ. The best known
method for doing so is to compute the discrete logarithm of A or B, but it has
not been proven whether the Diffie-Hellman and discrete logarithm problems are
actually equivalent.</span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;">Here, the only complication
is the addition of the value T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"> to the server’s transmitted value of
B. The client subtracts out T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">p</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;">
from B and computes aB’. Assume that the passive observer is able to
recover x or T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">p </sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;">and can
calculate B’. The eavesdropper then has the values A = aQ
and B’ = bQ. </span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in; mso-add-space: auto;">
<span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;">The transmitted values s
and T</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">q </sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;">do not carry any information about the values a or b. As with SRP, the verifiers M</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">1</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"> and
M</span><sub style="font-family: Cambria, serif; line-height: 200%; text-indent: 22.5pt;">2</sub><span style="font-family: Cambria, serif; font-size: 12pt; line-height: 200%; text-indent: 22.5pt;"> must be computed using a secure cryptographic hash function in
order to prevent pre-image attacks which might reveal information about the
computed value S.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<div style="text-align: center;">
<b><span style="font-family: Georgia, Times New Roman, serif; font-size: 12.0pt; line-height: 115%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Questions<o:p></o:p></span></b></div>
</div>
<div class="MsoNormal">
<span style="font-family: Georgia, Times New Roman, serif; font-size: 12.0pt; line-height: 115%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">What
have I overlooked?<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Georgia, Times New Roman, serif; font-size: 12.0pt; line-height: 115%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Georgia, Times New Roman, serif; font-size: 12.0pt; line-height: 115%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;">Can
an active attacker gather enough information to mount a dictionary attack on
the user’s password?</span><br />
<span style="font-family: Georgia, Times New Roman, serif; font-size: 12.0pt; line-height: 115%; mso-ascii-theme-font: major-latin; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-theme-font: major-latin;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "Cambria","serif"; mso-ascii-theme-font: major-latin; mso-hansi-theme-font: major-latin;">
Update: There isn't much in the literature about adapting SRP to elliptic curves, but there have been prior proposals. The only one I have a copy of, by Yongge Wang, was <a href="http://grouper.ieee.org/groups/1363/passwdPK/submissions/p1363ecsrp.pdf">proposed</a> in 2001. I believe that my scheme is simpler, easier to analyze and has a more straightforward reduction to the EC Diffie-Hellman Problem. </span></div>
<div align="center" style="line-height: 200%; margin-left: 22.5pt; mso-add-space: auto; text-align: center;">
<span style="font-family: "Cambria","serif"; mso-ascii-theme-font: major-latin; mso-hansi-theme-font: major-latin;"><br /></span>
<span style="font-family: "Cambria","serif"; mso-ascii-theme-font: major-latin; mso-hansi-theme-font: major-latin;">References<o:p></o:p></span></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<span style="color: windowtext; font-family: Cambria, serif;">Hoffstein, J., Pipher, J., & Silverman, J. (2008). <i>An Introduction to Mathematical Cryptography</i>. New York, NY: Springer.</span></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<span style="color: windowtext; font-family: Cambria, serif;">Paar, C., & Pelzl, J. (2010). <i>Understanding Cryptography: A Textbook for Students and Practitioners</i>. New York, NY: Springer.</span></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<span style="color: windowtext; font-family: Cambria, serif;">Wu, T. (1998). The Secure Remote Password Protocol. In <i>Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium</i>, San Diego, CA. Retrieved from <a href="http://srp.stanford.edu/doc.html">http://srp.stanford.edu/doc.html</a></span></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<span style="color: windowtext; font-family: Cambria, serif;">Wu, T. (2000). The SRP Authentication and Key Exchange System. <i>Network Working Group, Request for Comments: 2945</i>. Retrieved from <a href="http://tools.ietf.org/rfc/rfc2945.txt">http://tools.ietf.org/rfc/rfc2945.txt</a></span></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<span style="color: windowtext; font-family: Cambria, serif;">Wu, T. (2002). SRP-6: Improvements and Refinements to the Secure Remote Password Protocol. Retrieved from <a href="http://srp.stanford.edu/srp6.ps">http://srp.stanford.edu/srp6.ps</a></span></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div>
<div id="ftn1">
</div>
</div>
</span>Steven (http://www.blogger.com/profile/08515783026293944881)
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<b>How the Dual EC DRBG Backdoor Works</b> (published 2014-03-24, updated 2014-04-22)</div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
In December
2013, Reuters reported that the National Security Agency had <a href="http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220">paid</a> RSA ten
million dollars to use a random number generation algorithm that contained a
<a href="http://rump2007.cr.yp.to/15-shumow.pdf">backdoor</a>. The algorithm,
Dual_EC_DRBG, is the default random number generation algorithm in RSA's BSAFE
toolkit which is used by other companies to implement cryptography in their
products. These allegations have
seriously damaged the reputations of RSA and of the NSA who had established
itself as a partner in the security community. <o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
A great number
of articles were published about the RSA-NSA deal after Reuters first reported
on the matter. Many of these make
misleading or untrue technical assertions and few of them have attempted to provide any
explanation as to how this supposed backdoor works. Some commentators have <a href="http://www.computerworld.com/s/article/9245394/Ira_Winkler_The_RSA_Conference_boycott_is_nonsense">claimed</a> that this backdoor (if true) made the products that used the BSAFE
toolkit more vulnerable to attack. This is (mostly) not true. Because the <a href="http://rump2007.cr.yp.to/15-shumow.pdf">backdoor</a>, whose possibility was first speculated on by Dan Shumow and Niels Ferguson of Microsoft, relies on techniques
from public key cryptography, it is only usable by a person that knows the key
and that key cannot be discovered by another party, even if that party knows the
full details of the algorithm.<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
This post explains the
Dual_EC_DRBG algorithm and how a backdoor could be implemented. It is meant to be accessible to non-cryptographers. We’ll begin with a really brief review of
modular arithmetic and the discrete logarithm problem, discuss basic operations
on elliptic curves and introduce the discrete logarithm problem over elliptic
curves (ECDLP). Then, we’ll see how
Dual_EC_DRBG can be engineered to contain a backdoor and explain why the
backdoor is only usable to someone who knows the key. If all of this is new to you, I recommend reading an introductory text such as <a href="http://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642041000">this one</a>.<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
Note: I originally wrote this as a paper for a graduate class. In revising this for my blog, I've removed all of the in-text citations and tried to replace them with links. My original references are listed at the end. The point of this post is to explain ideas originated by others; the original ideas are not mine.<br />
<o:p></o:p></div>
<a name='more'></a><br />
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<b>Modular Arithmetic<o:p></o:p></b></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
Most of this
paper requires us to use modular arithmetic.
Modular arithmetic, which can be thought of as "clock
math", requires each number to be
reduced modulo a number p. In other
words, we divide each number by p and keep only the remainder. A few quick examples:<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-add-space: auto;">
17 ≡ 1 mod 4 (17 ÷ 4 = 4 remainder 1)<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-add-space: auto;">
19 ≡ 3 mod 4 (19 ÷ 4 = 4 remainder 3)<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
This is the same
type of math that we use when telling time.
Two numbers that have the same value modulo p are said to be
congruent. Thus, 1, 17, 21 and 25 are
all congruent modulo 4 (they all have the remainder 1).<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<b>The Discrete
Logarithm Problem<o:p></o:p></b></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
The security
behind Dual_EC_DRBG depends on a problem in number theory called the Discrete
Logarithm Problem (DLP). Over the real or complex numbers (which we
used in high school algebra), logarithms can be solved easily. In
cryptography, a problem is "easy" to solve if there is an efficient
algorithm for doing so; it does not mean
that the method is simple. Logarithms
over the real numbers can be solved in real time using a calculator or worked
out by hand using methods from calculus.
<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
Logarithms
are the reverse of exponentiation. So:<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
10<sup>3</sup>
= 1,000 <i>and</i><o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-add-space: auto;">
log<sub>10</sub> (1,000) = 3<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
We
can also use logarithms to find exponents that are fractional such as:<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
10<sup>3.3</sup>
= 1,995.26<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
log<sub>10
</sub>(1,995.26) <span style="font-family: "Cambria Math","serif"; mso-bidi-font-family: "Cambria Math";">≅</span> 3.3<o:p></o:p><br />
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<o:p> </o:p>Discrete
logarithms, however, require an integral solution (i.e. a whole number) and use
modular arithmetic. Unlike logarithms
taken over the real or complex numbers, discrete logarithms are not continuous
(if you graph them the points jump around, seemingly at random) and cannot be
solved using the traditional methods from calculus. </div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
In mathematical
terms, we need to find x where: a<sup>x</sup> ≡ b mod p. Consider the example:<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>x</sup>
≡ 9 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
Using
brute force, we can quickly find:<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>0</sup>
≡ 1 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>1</sup>
≡ 2 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>2</sup>
≡ 4 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>3</sup>
≡ 8 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>4</sup>
≡ 16 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>5</sup>
≡ 13 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>6</sup>
≡ 7 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
2<sup>7</sup>
≡ 14 mod 19<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
<b>2<sup>8</sup> ≡ 9 mod 19</b> <------ x is 8<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
For small
numbers, like the ones in the example above, finding x is not a problem. But, if the numbers used are very large, the
DLP is considered a hard problem. There
are algorithms such as Shanks' Baby-Step Giant-Step Method, Pollard's Rho
Method, the Pohlig-Hellman Algorithm and the Index-Calculus Method that are
faster than brute force, but none of them are practical for large numbers.<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
<br /></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<b>Elliptic Curves<o:p></o:p></b></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<o:p> </o:p>Cryptosystems
based on the mathematics of elliptic curves, i.e. elliptic curve cryptography
(ECC), have gained in popularity since they were discovered in the 1980s
because they seem to offer comparable levels of security to other public key
algorithms (e.g. Diffie-Hellman, ElGamal and RSA) with much smaller keys, which
allows them to run much more efficiently. For instance, ECC using 160-bit keys offers
comparable security to 1024-bit RSA.</div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
This section
will cover some of the key features of elliptic curves, but the depth is
limited. More background is provided in textbooks such as <a href="http://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642041000">Understanding Cryptography</a> and <a href="http://www.amazon.com/Introduction-Mathematical-Cryptography-Undergraduate-Mathematics/dp/0387779930">Introduction to Mathematical Cryptography</a>, as well as many more advanced texts.<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
Elliptic curves
are equations with the form: y<sup>2</sup> = x<sup>3</sup> + ax + b. Over the real
numbers, these equations are continuous and can be easily graphed (See figure
1). The solutions to these equations are
points (x,y) which fulfill the equation for the curve. As with logarithms, when elliptic curves are
calculated mod p, the solutions jump around, seemingly at random. <o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjLKxQWY_VWizbPwhjEqgDUt3blMYSJXkm0pvoWIipLSGoEWErPwBs9sPVs4p4ZhViitDCRiKTmwsvWxvjCTjB4132plAh-W8BDpiz-8Hcrb2d5orcIIrPm-DdRLIKo21JY7KUcTu9xlY/s1600/Figure+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjLKxQWY_VWizbPwhjEqgDUt3blMYSJXkm0pvoWIipLSGoEWErPwBs9sPVs4p4ZhViitDCRiKTmwsvWxvjCTjB4132plAh-W8BDpiz-8Hcrb2d5orcIIrPm-DdRLIKo21JY7KUcTu9xlY/s1600/Figure+1.PNG" height="214" width="320" /></a></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<o:p><br /></o:p></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
Figure 1: graph of the equation: y<sup>2</sup> = x<sup>3</sup> - 8x + 11<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
ECC depends on
the operations of "point addition" and "point doubling". Point addition is written as P + Q = R for
points P and Q. This is easy to understand visually, but
harder to calculate. In order to add two
points on an elliptic curve, we first draw a straight line that extends through
both points. This line will intersect the curve at a third point. We then mirror this point across the X
axis (multiply the y value by -1) and get the new point R. <o:p></o:p></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY-y2AWC0qYGy_xq9iQIOrRfzlXS1EL18NMTb-kF1XI7sSgClJGmHcMqPNkkJSGzUM8bx4u-h_wtTE6rstBXgO1sdNjkvDY3xvrWNWFS3nV8e-xe3424qYW2XJpAPBGusbNYOtQDlSI2g/s1600/Figure+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY-y2AWC0qYGy_xq9iQIOrRfzlXS1EL18NMTb-kF1XI7sSgClJGmHcMqPNkkJSGzUM8bx4u-h_wtTE6rstBXgO1sdNjkvDY3xvrWNWFS3nV8e-xe3424qYW2XJpAPBGusbNYOtQDlSI2g/s1600/Figure+2.png" height="318" width="320" /></a></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<br /></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
Figure 2: Point Addition on an Elliptic Curve:
(P + Q = R)<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
Point doubling
is similar to addition. To perform point
doubling (P + P = 2P = R) we draw the tangent line at the point P and find a
new point of intersection with the graph as we did with point addition. We then
mirror this point across the X axis (multiply the y value by -1) and get a new
point R.<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-indent: .5in;">
<br /></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<b>The Elliptic Curve
Discrete Logarithm Problem<o:p></o:p></b></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
The elliptic
curve discrete logarithm problem (ECDLP) is similar to the ordinary discrete
logarithm problem except that it involves point addition on elliptic curves
instead of exponentiation. It is also
considered to be a hard problem. Given a
starting point P and an ending point T, the ECDLP challenges us to find the value
x such that T = xP = P +...+ P (x times). <o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<o:p></o:p></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto; text-align: center;">
<b>Dual_EC_DRBG<o:p></o:p></b></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
Dual_EC_DRBG is
a random number generator that uses elliptic curve operations. A brief description of the algorithm is as
follows:<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<b>Variables:<o:p></o:p></b></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
ϕ : The elliptic
curve equation<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
P, Q: Points on
the curve<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
S: The current
internal state of the RNG<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
R: intermediate
value (not output)<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
T: output value<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<b>Operation:<o:p></o:p></b></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
R = P + P + P +
...+ P (S times) = S*P <o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
S<sub>new</sub>
= R*P<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
T = Q + Q + Q
+...+ Q (R times) = R*Q<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
Truncate 16 bits
from T and output T<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
For accuracy, it’s
worth noting that T is actually just the X value from the point R*Q. The algorithm throws away 16 bits from the X
value and outputs that. <o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
In order to be
secure, a random number generator should not allow us to predict future outputs
based on past output. If we can query
the generator for one output number and use that to predict the next output(s),
we will have broken the algorithm.<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
The strength of
Dual_EC_DRBG depends on the fact that even if you know the value R*Q, it is
computationally hard to find the value S<sub>new</sub> = R*P.
Remember: operations in Dual_EC_DRBG are conducted over the elliptic
curve ϕ. R*Q does not mean R times Q in
the traditional sense; it means to perform point addition Q + ... + Q (R times)
over the elliptic curve ϕ. Since the
points P and Q are public and chosen in advance, the most straightforward way to find R*P would be to use T = R*Q to find R, but this requires us to solve the elliptic curve
discrete logarithm problem. If it were
easy to solve the ECDLP or otherwise calculate R from R*Q, this generator would
be easy to break.<o:p></o:p></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<o:p></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSIaZssbrOx1a3qfrept11PqjK_9oe9NRbiHWOm08ZyGrB1Mygi20jLBqp4Nf_o39HVLO_HJYgtuvc8f9b5bszPhVabqHVgYWh2MIfBwq5Kfp-3ErTXVpV6XmFn4pcT-RvhOs8Jv16fMw/s1600/Figure+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSIaZssbrOx1a3qfrept11PqjK_9oe9NRbiHWOm08ZyGrB1Mygi20jLBqp4Nf_o39HVLO_HJYgtuvc8f9b5bszPhVabqHVgYWh2MIfBwq5Kfp-3ErTXVpV6XmFn4pcT-RvhOs8Jv16fMw/s1600/Figure+3.png" height="153" width="320" /></a></div>
<div style="margin-bottom: .0001pt; margin: 0in; mso-add-space: auto;">
<br /></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Figure 3 - Dual_EC_DRBG<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Dual_EC_DRBG
Problems</span></b><br />
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">The first problem with Dual_EC_DRBG
is that it throws away only 16 bits of T before the rest is output. This means that we need
at most 65,536 guesses to find R*Q. This
would not be an issue if the algorithm threw away more bits (e.g. half) or if
it hashed T before outputting it. It also
gives the generator's output a <a href="http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html">small bias</a>. For a cryptographic random number generator,
even a small bias is very bad. <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">The next, and much more serious, problem with Dual_EC_DRBG is the selection of the values of P and Q. If P and Q are chosen randomly with no known
relation between them, then the algorithm is reasonably secure. But if P and Q are chosen so that there is a
mathematical relationship such as Q = D*P, then anyone who
knows D can also compute its inverse E, so that P = E*Q, and this
would allow them to completely break the algorithm (see <a href="http://rump2007.cr.yp.to/15-shumow.pdf">Shumow and Ferguson</a>). </span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Suppose that Q = D*P and that we know E, the inverse of D. Since we can determine R*Q, or at least </span>restrict ourselves to<span style="font-family: inherit;"> a small
number of guesses at R*Q, we just need to calculate:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">(R*Q)*E = R*(P*D)*E = R*P.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">NIST did not reveal any details
about the selection of P and Q. It's
possible that they were chosen at random and that neither NIST nor the NSA
knows of any relationship between the two.
But the discovery that it is possible to easily backdoor the algorithm
with a careful selection of P and Q, the lack of details about the selection of
P and Q, and the allegation by Reuters that the NSA paid RSA ten million
dollars to include Dual_EC_DRBG in the BSAFE toolkit and make it the default
algorithm are enough for us to assume that the NSA can break the algorithm. <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: inherit;">Conclusions about Dual_EC_DRBG</span></b></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: inherit;"><br /></span></b></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">The assertion that Dual_EC_DRBG put
the government at risk (since the government uses BSAFE) is mostly not true. The bias in the output
mentioned earlier is concerning, but there are no known attacks against
Dual_EC_DRBG unless you have pre-existing knowledge of the relationship between
P and Q. In other words, this backdoor
(if true as alleged) allows the NSA to break Dual_EC_DRBG but does not make it much more vulnerable to anyone else. This is very
different from a backdoor password, which would be immediately usable by any
adversary who discovered it (e.g. by reverse engineering the code).<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="font-family: inherit;"><b>Solutions</b><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">The <a href="http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf">parameters</a> chosen for
Dual_EC_DRBG are not mandatory; they are defaults. Any implementer is free to choose his own
parameters for P and Q. Any organization worried about the NSA's
selection of P and Q can pick a new P and Q to avoid the problem entirely.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">If
we were to redesign Dual_EC_DRBG, there are three improvements we could make that would prevent a backdoor of this type from being implemented:</span></div>
<span style="font-family: inherit;"></span><br />
<ol>
<li><span style="font-family: inherit;">Select a new P and Q and document
how they were generated. We could, for
instance, hash digits of pi or the verses of a poem to generate either
value. This would provide assurance that
we did not conceive P and Q with a known
mathematical relationship between them.</span></li>
<li><a href="http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html" style="font-family: inherit;">Throw away</a><span style="font-family: inherit;"> half of the bits of T
before we output it. This would
make it much harder to work backward to discover R*Q.</span></li>
<li><span style="font-family: inherit;">Hash the bits of T using an
algorithm such as SHA-2 or SHA-3.
This would make it infeasible to discover R*Q because we'd have to be able to invert the
hash, and it would neutralize any mathematical relationship between P and Q. This would also eliminate
concerns about the bias in T.</span></li>
</ol>
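<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">To make the backdoor equation (R*Q)*E = R*P, the 65,536-guess argument and solution 1 concrete, here is an added Python example; it is not code from this post, from NIST or from Shumow and Ferguson. It builds a toy curve over a small prime field, sets Q = D*P, runs the generator in the notation used above, and shows that whoever holds E = D<sup>-1</sup> (modulo the order of P) can guess the dropped bits of an output, lift each guess back to a point R*Q, and compute the next state R*P. The curve, P, D, the seed, the label, and the number of bits kept are all constructed for this toy and are not the real P-256 parameters; on a curve this small the ECDLP itself is trivial, so the example only demonstrates the mechanism. The last function shows what a documented, hash-derived point (solution 1 above) looks like.</span></div>

```python
import hashlib
from math import gcd

# Toy curve y^2 = x^3 + A*x + B over F_p.  Every number below is constructed
# for this example; none is a real Dual_EC_DRBG (P-256) parameter.
p, A, B = 10007, 2, 3      # p is prime and p % 4 == 3 (simple square roots)
INF = None                 # the point at infinity
OUT_BITS = 10              # bits of x(T) that are output; the real generator
                           # drops only 16 of 256 bits, hence 65,536 guesses

def ec_add(p1, p2):
    """Affine point addition; covers doubling and the P + (-P) = INF case."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, pt):
    """k*pt = pt + ... + pt (k times), by double-and-add."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def lift_x(x):
    """The (up to two) curve points with x-coordinate x, or [] if none."""
    rhs = (x ** 3 + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return [(x, y), (x, (-y) % p)] if y * y % p == rhs else []

def point_order(pt):
    """Smallest n with n*pt = INF (brute force is fine on a toy curve)."""
    n, cur = 1, pt
    while cur is not INF:
        cur, n = ec_add(cur, pt), n + 1
    return n

P = (3, 6)                 # 6^2 = 36 = 3^3 + 2*3 + 3, so P lies on the curve
n = point_order(P)

# The backdoor: Q = D*P for a D only the designer knows.  E = D^-1 mod n then
# gives E*Q = P, the "P = E*Q" relationship described in the post.
D = 4242                   # constructed secret scalar
while gcd(D, n) != 1:
    D += 1
E = pow(D, -1, n)
Q = ec_mul(D, P)

def dual_ec_step(state, Q_pt):
    """One step in the post's notation: R = x(state*P), T = R*Q.  Output the
    low OUT_BITS bits of x(T); the next state is x(R*P)."""
    SP = ec_mul(state, P)
    T = ec_mul(SP[0], Q_pt) if SP is not INF else INF
    if T is INF:                      # state or R is a multiple of n: degenerate
        return None, None
    return T[0] & ((1 << OUT_BITS) - 1), ec_mul(SP[0], P)[0]

def trapdoor_candidates(out, E_val, Q_pt):
    """Shumow-Ferguson recovery: try every value of the dropped high bits,
    lift each candidate x to a point T, and compute E*T = E*(R*Q) = R*P."""
    found = set()
    for high in range((p >> OUT_BITS) + 1):
        x = (high << OUT_BITS) | out
        if x >= p:
            break
        for T in lift_x(x):
            RP = ec_mul(E_val, T)
            if RP is not INF:
                found.add(RP[0])
    return found

def nothing_up_my_sleeve_point(label):
    """Solution 1 from the post: derive a point by hashing a public label so
    that nobody can know a scalar D relating it to P (label is constructed)."""
    counter = 0
    while True:
        h = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        pts = lift_x(int.from_bytes(h, "big") % p)
        if pts:
            return pts[0]
        counter += 1

def demo(seed=1234):
    """Returns (true next state, candidates recovered from one output, the
    candidates that also predict the second output)."""
    out1, state1 = dual_ec_step(seed, Q)      # the observer sees out1 ...
    out2, _ = dual_ec_step(state1, Q)         # ... and later out2
    cands = trapdoor_candidates(out1, E, Q)
    survivors = {c for c in cands if dual_ec_step(c, Q)[0] == out2}
    return state1, cands, survivors
```

<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">demo() returns the true next state together with the candidate states recovered from a single output; with only 4 dropped bits there are at most 20 candidates, the true state is always among them, and the second output singles it out. Without E the same observer would have to solve the ECDLP, which is the whole security argument of the generator; with E the trapdoor reduces that to a handful of point multiplications, which is why solution 1 (a point whose derivation is public and verifiable) matters.</span></div>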
<br />
<div style="text-align: center;">
<b><span style="font-family: inherit;">References and Further Reading</span></b><br />
<b><span style="font-family: inherit;"><br /></span></b></div>
<div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;">Barker, E., and
Kelsey, J. (2012). NIST Special Publication 800-90A:
Recommendation for Random</span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;">Number Generation Using Deterministic Random Bit
Generators.<o:p></o:p></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<a href="http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf"><span style="font-family: inherit;">http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf</span></a></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;">Green, M. (2013).
The Many Flaws of Dual_EC_DRBG. </span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;"><a href="http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html">http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html</a><o:p></o:p></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;"><span style="text-indent: -22.5pt;">Menn, J.</span><span style="text-indent: -22.5pt;"> </span><span style="text-indent: -22.5pt;">(2013).</span><span style="text-indent: -22.5pt;">
</span><span style="text-indent: -22.5pt;">Exclusive: Secret Contract Tied NSA and Security Industry Pioneer.</span><span style="text-indent: -22.5pt;"> </span></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit; text-indent: -22.5pt;"><a href="http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220" style="text-indent: -22.5pt;">http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220</a></span><br />
<span style="font-family: inherit; text-indent: -22.5pt;"><br /></span>
<span style="font-family: inherit; text-indent: -22.5pt;">Schneier, B. (2007). The Strange Story of Dual_EC_DRBG.</span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<a href="https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html" style="font-family: inherit; text-indent: -22.5pt;">https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html</a></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;"><o:p></o:p></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;">Shumow, D., and
Ferguson, N. (2007). On the Possibility of a Back Door in the</span><br />
<span style="font-family: inherit;">NIST SP800-90 Dual <span style="text-indent: -22.5pt;">EC PRNG.</span></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;"><a href="http://rump2007.cr.yp.to/15-shumow.pdf">http://rump2007.cr.yp.to/15-shumow.pdf</a><o:p></o:p></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<span style="font-family: inherit;">Winkler, I. (2014).
The RSA Conference Boycott Is Nonsense. </span></div>
<div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: 22.5pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; text-indent: -22.5pt;">
<a href="http://www.computerworld.com/s/article/9245394/Ira_Winkler_The_RSA_Conference_boycott_is_nonsense"><span style="font-family: inherit;">http://www.computerworld.com/s/article/9245394/Ira_Winkler_The_RSA_Conference_boycott_is_nonsense</span></a><o:p></o:p></div>
</div>
<div>
<div id="ftn2">
</div>
</div>
Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-47400625737965897532014-02-14T23:19:00.001-08:002014-03-26T14:18:02.183-07:00Understanding Rabin-Miller<div class="MsoNormalCxSpFirst" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">I'm posting this to provide some
clarification on the Rabin-Miller primality test as requested on <a href="https://twitter.com/jabjorkhaug/status/434398761855365120">Twitter</a>. My favorite reference on the test is the
notes by Diane Hoffoss located<a href="http://home.sandiego.edu/~dhoffoss/teaching/cryptography/10-Rabin-Miller.pdf"> here</a>. If you're not familiar with primality testing and/or Rabin-Miller; read the notes first then come back to this post if you need any clarification.</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">My purpose here is to restate a few key points
from Hoffoss's notes, provide a little more exposition on the
examples and to compare her description of the algorithm with the description given in the Handbook of Applied Cryptography. This is a derivative work and
I do not claim to have originated any of the ideas here. Of course, any mistakes are my own.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">This test is discussed in many books
including <a href="http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246/ref=sr_1_1?s=books&ie=UTF8&qid=1392448149&sr=1-1&keywords=cryptographic+engineering">Practical Cryptography</a>, <a href="http://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642041000/ref=pd_sim_b_2">Understanding Cryptography</a> and the <a href="http://cacr.uwaterloo.ca/hac/">Handbook of Applied Cryptography</a>.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">Note: For the examples below, I group digits using commas as is the convention in the U.S. All of the numbers are integers.</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
</div>
<span style="font-family: inherit;"><br /></span>
<br />
<a name='more'></a><span style="font-family: inherit;">First, pick a candidate prime n. Since a prime n > 2 must be odd,
n-1 is even. So, we can factor n-1 = 2<sup>s</sup><b>∙</b>
m with m odd. </span><br />
<span style="font-family: inherit;"><br />
</span><br />
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">The Rabin-Miller Primality Test is based on a
few important properties regarding exponentiation modulo a prime number.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<b><span style="font-family: inherit; font-size: 12.0pt;">Fermat's Little
Theorem<o:p></o:p></span></b><br />
<b><span style="font-family: inherit; font-size: 12.0pt;"><br /></span></b></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">If n is a prime number and a is not a multiple of n, then a<sup>n-1</sup>
must be congruent to 1 mod n. If a<sup>n-1</sup>
≠ 1 mod n, then n is not prime. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span>
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><b><span style="font-size: 12.0pt;">Square roots of 1
(Used in the Euler Test)</span></b><span style="font-size: 12.0pt;"><o:p></o:p></span></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><span style="font-size: 12.0pt;"><br /></span></span>
<span style="font-family: inherit;"><span style="font-size: 12.0pt;">If n is prime, the only square roots of 1 mod
n are ± 1. Note that (-1)<sup>2</sup> mod n = 1 mod n.</span></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">Also note that n-1 mod n and -1 mod n are the same thing.</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">If n is prime, then a<sup>n-1</sup> = 1 mod n.</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">If n is prime, then a<sup>(n-1)/2</sup> equals ± 1 since it is a square root of a<sup>n-1</sup>. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">If a<sup>(n-1)/2</sup> ≠ ±1
mod n, then n is not prime.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><b><span style="font-size: 12.0pt;">The Rabin-Miller Test</span></b><span style="font-size: 12.0pt;"><o:p></o:p></span></span><br />
<span style="font-family: inherit;"><b><span style="font-size: 12.0pt;"><br /></span></b></span>
<span style="font-family: inherit; font-size: 12pt;">Calculate a<sup>m</sup> mod n. If a<sup>m</sup> = ±1 mod n, then declare n prime
since any repeated squaring will only result in 1 mod n. Note that a<sup>m</sup> is the start of the chain of squarings, not itself the square of some a<sup>m/2</sup>, since
we have factored every power of 2 out of n-1 = 2<sup>s</sup><b>∙</b> m, so m is odd.</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">Repeatedly square a<sup>m</sup> mod n. If the result is 1, we stop and declare n
composite since this implies that there is a square root of 1 mod n that is not
± 1. If we get a result of -1, we
declare n to be prime since any repeated squaring of ± 1 will equal 1. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">We continue until we reach a<sup>m<b>∙</b> 2^(s-1)</sup>
. If the result is not ±1, we declare n
to be composite since it's either a square root of 1 other than ±1 or it's not
a square root at all and a<sup>m<b>∙</b> 2^s</sup> = a<sup>n-1</sup> ≠ 1 mod n which also
means that n is not prime.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<b><span style="font-family: inherit; font-size: 12.0pt;">First Example:<o:p></o:p></span></b><br />
<b><span style="font-family: inherit; font-size: 12.0pt;"><br /></span></b></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;">This example is the first one given for the Rabin-Miller test in Hoffoss's notes.</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">n = 972,133,929,835,994,161<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">a = 2<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">n - 1 = 2<sup>4</sup><b> ∙ </b>60,758,370,614,749,635 <b>(m =
60,758,370,614,749,635)<o:p></o:p></b></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">2<sup>60,758,370,614,749,635</sup> = 338,214,802,923,303,483
mod n <b>(result not ± 1, keep going)<o:p></o:p></b></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">2<sup>2<b>∙ </b>60,758,370,614,749,635</sup> =
332,176,174,063,516,118 mod n <b>(not ±
1)<o:p></o:p></b></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">2<sup>4<b> ∙</b> 60,758,370,614,749,635</sup> =
779,803,551,049,098,051 mod n <b>(not ± 1)<o:p></o:p></b></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">2<sup>8 <b>∙ </b>60,758,370,614,749,635</sup> = 1
mod n <b>(n is
composite)<o:p></o:p></b></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">The last result (1 mod n) means that the
next-to-last result was a square root of 1 mod n that was not ± 1. This means that n is definitely composite.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<b><span style="font-family: inherit; font-size: 12.0pt;">Second Example:</span></b><br />
<b><span style="font-family: inherit; font-size: 12.0pt;"><br /></span></b></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">This example was <a href="http://homepages.math.uic.edu/~leon/mcs425-s08/handouts/Rabin-Miller-Examples.pdf">linked</a> on Twitter; the comments are mine. It has one fewer squaring than the first
example, but the result is the same: n
is composite. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12pt;">n = 252,601</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">a = 85,132<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">n-1 = 2<sup>3</sup><b>∙</b> 31,575 <b>(m =
31,575)</b><o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">a<sup>31,575</sup> = 191,102 mod n <b>(result
not ± 1, keep going)</b><o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">a<sup>2 <b>∙</b> 31,575</sup> = 184,829 mod n <b>(not ±
1)</b><o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">a<sup>4<b> ∙ </b>31,575</sup> = 1 mod n
<b>(n is composite)<o:p></o:p></b></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<b><span style="font-family: inherit; font-size: 12.0pt;">Rabin-Miller as
presented in HAC:<o:p></o:p></span></b></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">Please refer to <a href="http://cacr.uwaterloo.ca/hac/">HAC</a> to understand this
section. This is a partial line-for-line
restatement of the algorithm as presented there. One of the reasons that this statement of the
algorithm may be confusing is that it contains a loop that runs the
Rabin-Miller algorithm over multiple test values of a. Other statements of the algorithm may only
describe a single iteration.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">There are two loops in this algorithm. Step 2 (For i from 1 to t...) iterates over
multiple test values of a. Step 2.3,
third line (While j ≤ s-1 and y ≠ n-1 do...) drives the repeated squarings of
the value y.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">1. Calculate n-1 = 2<sup>s</sup><b> ∙</b> r. In the description above, we used
the variable m instead of r.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">2. Run the test <i>t </i>times.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">2.1 Choose
a random integer a.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">2.2 Compute
y = a<sup>r</sup> mod n.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">2.3
If y ≠ ± 1, then y is not one of the trivial square roots of 1 and we proceed to the squarings below. If y = ± 1, then we go to step 2 and
proceed to the next iteration of the outer loop; this means that we tentatively
declare n to be prime but may need to test more random values for a.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">Repeatedly square y. If we get a result of 1, we declare n to be
composite since this implies that the previous result was a square root of 1
that was ≠ ± 1. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">If we get a result of n-1 (note that n-1 = -1
mod n), then we go back to step 2.
Again, this tentatively declares that n is prime.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">If the final squaring, y = a<sup>r <b>∙ </b>2^(s-1)</sup>
≠ -1, then we declare n to be composite.
The reason is that if the result is not ±1, it's either a square root of
1 other than ±1 or it's not a square root at all and a<sup>r<b>∙</b> 2^s</sup> = a<sup>n-1</sup>
≠ 1 which also means that n is not prime.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12.0pt;"><span style="font-family: inherit;">3. If we reach step 3, then we've concluded
every iteration of the loop in step 2 with a tentative declaration that n is
prime. Now, we make a final declaration that n
is prime. </span><span style="font-family: Arial, sans-serif;"><o:p></o:p></span></span></div>
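<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">As an added Python example (mine, not from Hoffoss's notes or from HAC), here is the test written out the way the two descriptions above present it. rabin_miller_round follows the single-base walk from "The Rabin-Miller Test": compute a<sup>m</sup>, then square up to s-1 times, stopping with "composite" on a 1 (the previous value was a square root of 1 other than ±1) and with "probably prime" on a -1; its trace is the chain of squarings shown in the two examples. is_probable_prime is the HAC formulation (Algorithm 4.24) with the outer loop over t random bases. The inputs n and a in the usage note are the ones from the examples above; the random seed is a constructed value.</span></div>

```python
import random

def decompose(n):
    """Write n - 1 = 2^s * m with m odd (the post's m; HAC calls it r)."""
    s, m = 0, n - 1
    while m % 2 == 0:
        s, m = s + 1, m // 2
    return s, m

def rabin_miller_round(n, a):
    """One round of the test with base a, following the post step by step.
    Returns (verdict, trace) where trace holds a^m, a^(2m), a^(4m), ... mod n."""
    s, m = decompose(n)
    y = pow(a, m, n)
    trace = [y]
    if y in (1, n - 1):                 # a^m = +-1: every further square is 1
        return "probably prime", trace
    for _ in range(s - 1):              # squarings up to a^(m * 2^(s-1))
        y = pow(y, 2, n)
        trace.append(y)
        if y == 1:                      # previous value was a square root of 1
            return "composite", trace   # other than +-1, so n is composite
        if y == n - 1:                  # -1 mod n: every further square is 1
            return "probably prime", trace
    # Never reached +-1: the last value is either a square root of 1 other
    # than +-1, or no square root at all and a^(n-1) != 1 (Fermat fails).
    return "composite", trace

def is_probable_prime(n, t=20, seed=None):
    """HAC's formulation: run the round above for t random bases a.  A single
    "composite" verdict is final; t "probably prime" verdicts leave an error
    probability of at most 4^-t.  seed is only for reproducible runs."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(t):
        a = rng.randrange(2, n - 1)     # HAC step 2.1: 2 <= a <= n - 2
        if rabin_miller_round(n, a)[0] == "composite":
            return False
    return True                         # HAC step 3: final declaration
```

<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit; font-size: 12.0pt;">rabin_miller_round(972133929835994161, 2) and rabin_miller_round(252601, 85132) walk the chains of squarings from the first and second examples and return "composite" in both cases; is_probable_prime(252601) rejects the same n with random bases, and is_probable_prime(2<sup>31</sup> - 1) accepts a known prime.</span></div>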
Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-21961443861825671902014-01-23T18:44:00.003-08:002014-01-23T18:44:55.557-08:00I'm not dead. Happy New Year!I apologize if this blog is starting to look a little abandoned. It's not (I promise); I just had to go on hiatus for a few months.<br />
<br />
I started a new job in September (Director of Technology for a school district) and it has kept me very busy. Over the next few months, I'm planning a handful of posts on technical topics plus a few about the realities of trying to run an IT department.<br />
<br />
Here are the next three posts that I have in mind:<br />
<br />
<ul>
<li>Understanding Diffie-Hellman and the Discrete Logarithm Problem</li>
<li>The Elliptic Curve Discrete Logarithm Problem</li>
<li>Understanding Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG)</li>
</ul>
Dual EC DRBG is the random number generator that the NSA supposedly put a backdoor into. The first two posts that I'm planning are just to provide background information so that readers can understand the third one. The third post will explain how Dual EC DRBG actually works and why it's susceptible to key escrow/backdoors.Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-20820377153309396362013-08-30T11:49:00.002-07:002013-08-30T14:03:24.117-07:00Career prospects: going to grad schoolI've recently been involved in several discussions about whether online schools are really helping their students. In particular, do they prepare people for the job market? I can't comment on how this works in other fields, although many are probably similar, but here are my thoughts on IT degrees: <br />
<br />
<b>The Oversell</b><br />
<br />
I think that many schools oversell the value of their degrees. A degree is useful and often required, but it's not a guaranteed ticket to your dream job. Many schools report that X% of their graduates received a raise or promotion after graduating, but these are rarely automatic. If you're considering going back to school, the burden is on you to figure out what a degree can do for you and how it fits into your career plan.<br />
<br />
<b>What is your narrative?</b><br />
<br />
I've run into a few people who either have no work experience or who are in entry level jobs and have completed graduate degrees in IT. I think education is a good thing and there's nothing inherently wrong with earning a graduate degree, but you have to think about how it fits into your personal narrative.<br />
<br />
<a name='more'></a><br />
If you're a career changer who has earned a BS in IT, you should probably find an IT job before you start working on a graduate degree. With an MS and no experience, you'll be overqualified for most entry level positions and won't have enough experience to go after anything else. If you're struggling to break into IT, a certification or two or three is going to help you more than a graduate degree. <br />
<br />
If you're already in a related field, e.g. project management, a graduate degree might make sense. In this case, your initial goal could be to transition into managing IT projects. An MS in IS or IT with a focus on project management fits this narrative. <br />
<br />
If you have a relevant BS and several years of entry-level experience, a graduate degree could hurt your chances for many IT jobs. With an MS and five or six years of experience on the help desk or as a PC support tech, other employers are going to wonder why you haven't moved up already. If you go after a PhD, it will be even worse. People will assume something is wrong with you. If you move up into a higher position then earn a graduate degree, you'll have a positive, compelling narrative.<br />
<br />
Note: there's a big difference between having a graduate degree and two years
of entry-level experience--you're ripe to move up--and having a graduate degree and eight years in an entry-level
role--you're way overdue and people will wonder why. <br />
<br />
Consider these two fictional people:<br />
<br />
<b>Bob :</b><br />
<br />
Help Desk Technician (2005-2013)<br />
BS in IT (2006)<br />
MS in IT (2008)<br />
PhD in IT(2012)<br />
<br />
<b>Alice:</b><br />
Help Desk Technician (2005-2007)<br />
BS in IT (2006)<br />
CCNA (2007) <br />
Network Technician (2007-2010)<br />
Network Administrator (2010-2013)<br />
MS in IT (2012)<br />
<br />
<br />
Assume that Bob and Alice are both either career changers or entering the workforce late in life (perhaps they spent some time raising kids). Who would you rather hire as network administrator, network manager or IT director? Alice and Bob both have eight years of work experience and Bob has a better degree, but Alice has been promoted twice already. Alice looks ambitious and capable. Bob looks questionable. Why is he still on the help desk? Is he socially dysfunctional? Bob is over-educated for a next-level position such as network technician (which probably doesn't require a degree at all) but lacks the experience for a management or senior technical role. When Bob earned his MS in 2008, after three years on the help desk, his first priority should have been moving into a higher position. If he still had trouble moving up, a CCNA, MCSE, CEH or other technical certification could have helped. Spending five more years on the help desk while earning a PhD just hurts him.<br />
<br />
<b>Circumstances (timing, online vs on-campus)</b><br />
<br />
There is a difference between going back to school after entering the workforce versus just going to college straight out of high school. If you earn a BS at 22 and decide to go to grad school right away, that's probably okay. It may close off certain positions (nobody will want to hire you at the help desk) but you may be able to move directly into a role as a business or systems analyst. Going straight to grad school also makes more sense for certain roles (e.g. software developer) than others (e.g. network something-or-other).<br />
<br />
If you go straight to graduate school without entering the workforce, it will also help to avoid any perception that something is wrong with you. You can even work part-time in a junior position without raising any red flags. When you attend a full-time on-campus PhD program, nobody expects you to also get promoted along a non-academic career track. If you spend eight years working a help desk or doing PC support in a computer lab, employers will assume that you just needed some extra cash while you focused on school. But, if you're already in the workforce and earn a couple of graduate degrees without moving up, you're selling a story that says you want to move up but are incapable of doing so.<br />
<br />
<b>Revisiting Bob</b><br />
<br />
When I look at Bob's work and school history, I see a narrative that raises too many red flags. How can Bob change my perception? The first thing he should do is to discount his work experience. With a PhD, eight years on the help desk is irrelevant. Bob needs to make his narrative more like the person who just continued on through school without working. He also needs to look for positions that make sense with a PhD and no work experience, not try to move up to network administrator. A position in consulting or system analysis may be appropriate. Here's how I might summarize this if I were Bob:<br />
<br />
"After (I left the military, my kids were school-age, whatever), I knew that I wanted to get into IT. I took a help desk position so that I could do something relevant to IT while I went back to school. Initially, I thought I'd want to move up into a network administrator role or something similar, but I became interested in (whatever) and decided to go straight on through to graduate school so that I could learn more about (whatever) and conduct research into how large organizations (do something)."<br />
<br />
This is a believable narrative if Bob researched ERP implementations and now wants to be a consultant or a system/business analyst in a large company. It falls flat if he wants to be an IT director or network engineer.<br />
<br />
<b>Should you get a graduate degree?</b><br />
<br />
A graduate degree is useful in several scenarios:<br />
<ul>
<li>You want to move up from a mid-level position into a more senior role</li>
<li>You want to move up more quickly from a junior role</li>
<li>You want to move directly into a consulting or analyst role</li>
</ul>
<br />
A graduate degree is not helpful if:<br />
<ul>
<li>You want to get into an entry-level role that doesn't even require a degree</li>
<li>You have a lot of entry level experience and want to move to the next level (e.g. the Bob scenario).</li>
</ul>
If you have a BS in IT/IS and can't seem to break into the field, pursue certifications, not additional degrees.<br />
<br />
<b>Disclaimer</b><br />
<br />
This post is largely about perception. In the real-world, people may have very good reasons for staying too long in entry-level positions before trying to move up. There may be family and medical issues involved. My point is that you need to understand the narrative you're building and how graduate school affects your future opportunities.<br />
<br /><br />
Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com1tag:blogger.com,1999:blog-7266528187680728229.post-67253476240433394462013-08-30T10:09:00.002-07:002013-08-30T13:53:54.452-07:00Attending an online for-profit schoolA few years ago, I decided to go back to school to finish a bachelor's degree. The school I ultimately chose was Capella University, an online for-profit college. Online universities, and for-profits in particular, have a poor reputation, but I decided to attend anyway. Here's my take on for-profit universities and why I plan to return to Capella to finish a master's degree.<br />
<br />
Availability<br />
<br />
I live in a small town. When I started going back to school, there were no night-time or degree completion programs that I could take advantage of. I would have loved to go back to school full-time and attend a well-regarded university, but I support a family and can't afford to relocate and quit work in order to go to school. I needed a degree program that I could complete while working full-time.<br />
<br />
<a name='more'></a>Accreditation<br />
<br />
Capella is regionally accredited, as are all reputable schools. Not much to say here; it's just a requirement. The IT program is also ABET accredited, which is nice, but probably won't ever make a difference for me.<br />
<br />
Structure<br />
<br />
The program at Capella is well-structured and the school will pre-register you each semester so that you can proceed through your program in lock-step fashion without ever worrying about missing a requirement. There isn't much flexibility, but you know you will graduate and when as long as you keep passing your classes.<br />
<br />
Course Design<br />
<br />
I've taken good course design for granted. I took a few online classes at the community college level (mostly for scheduling reasons) and, by chance, they were all decently laid out. Capella's courses were a step above the others I'd taken, but I didn't think much of it. Recently, I enrolled in an online program at a public university. I was sorely disappointed. The course layout was...crap. I had to search around to figure out what I needed to do each week and, in some cases at least, assignments were embedded in-line with each week's reading. This would be a minor hassle if I had nothing else to do, but I work full-time and just accepted a new job. I'm busy. I can't waste time every week figuring out what I need to do. I need to be able to just sit down and do it.<br />
<br />
At Capella, you can click on any particular unit (week) of the course and see everything associated with it: that week's reading, supplemental videos/materials, labs, assignments, discussions, exams. I usually logged in on Monday morning to see what I had in store for that week. If there was a lot to do, I'd print out the page so I could carry it with me and check things off throughout the week. Most weeks had required reading, graded discussions and a paper (about 10 pages on average, for me). Some classes had labs; only a few (e.g. discrete math) had exams. It was also straightforward to get to the discussions and assignments for the week. They weren't just embedded somewhere; you could click on "Assignments", scroll to week X, click, attach, submit, done. This is all pretty basic, but a lot of places screw it up. <br />
<br />
Scheduling<br />
<br />
I wanted to finish school as fast as possible. I didn't need summers off. Capella runs on a quarter system with about three weeks in between quarters. This is just enough time for me to recharge, catch up on real life and prepare for the next class.<br />
<br />
Content<br />
<br />
I initially wanted a more technical program. I majored in IT but I really wanted to major in CS. I was working in my first management job when I started, but I was trying very hard to stay sharp technically. Now, I'm happy that I majored in IT. I enjoy management and the program helped me develop a broader perspective and to learn to manage IT functions. I spent a lot of time studying policy and procedure, wrote a ton of papers and only did a handful of labs. The program isn't designed to train anyone as a network engineer, software developer or penetration tester. Instead, it provides a broad background in IT and some additional focus in one area (I chose security). For someone who plans to stay hands-on technical, a CS degree would be a lot better. But, if you're planning to go into management or already have strong technical chops, the program is a good choice.<br />
<br />
Reputation<br />
<br />
Capella is a little less high profile than certain other schools like the University of Phoenix, which was a plus for me. Some employers don't like to hire people with online degrees, especially in management roles. That may still hurt me later on. It's possible that I'll eventually go into an executive MBA program at a brick-and-mortar school. That would probably do a lot to erase any stigma attached to the online degree and to convince employers that I'm worth a look. But, it hasn't hurt me so far. I just got hired as the Director of Technology for a K-12 district. Several of the people on my interview panels (which contained four local IT directors) also went back to school online, at least one of them at the University of Phoenix. And, they probably did so for many of the same reasons that I did. The supposed stigma apparently didn't bother them enough to dissuade them either, but I don't think the bad reputation that online schools have nationally is nearly as strong outside large cities (which typically have several universities). <br />
<br />
If I lived in San Francisco or Boston, I'd probably go to school at night but since I live in Podunk... <br />
<br />Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-33971575647184028102013-08-12T14:19:00.000-07:002015-03-10T21:46:23.730-07:00Threat scenariosWhen analyzing security features, we often look at them in black and
white terms: either they can be broken or they can't. DES is crackable
but as far as we know AES is not so we recommend AES. This is useful when we're making general recommendations
because we don't know what threats everyone is going to be concerned
about so it's safer to assume that we'll always need to protect against a skilled,
well-funded attacker. In many cases, however, that assumption is not
true.<br />
<br />
At <a href="http://www.passwordscon.org/">Passwords 13</a>, Steve Thomas, a.k.a. <a href="https://twitter.com/Sc00bzT">sc00bzT</a>, gave a presentation about building a cheap hardware security module (HSM) to store and protect passwords. During the talk, someone mentioned on IRC that what he developed wasn't a true HSM since the hardware was not tamper resistant. While that is a valid concern, others correctly pointed out that it may not matter depending on your <a href="http://ishandbook.bsewall.com/risk/Assess/threat_scenario.html">threat scenario</a>.<br />
<br />
Since it has no physical protection, Thomas's HSM is vulnerable to hardware tampering. It should not be used
in situations where that is a valid concern. If you're worried about
foreign governments bribing your employees or about a rogue employee
(e.g. at a bank) being able to sell those credentials, then you should
consider laying out the cash to get a tamper-resistant HSM. But, if
you're mostly worried about outsiders using SQL injection to dump your
password hashes, this solution is perfect. It's cheap and it solves the
problem.<br />
<br />
<a name='more'></a><br />
In a similar vein, Google recently <a href="http://www.wired.com/threatlevel/2013/08/chrome-password-manager/">explained</a> why they do not use a master password to protect stored passwords in Chrome: <br />
<br />
<i>...the conclusion we always come to is that we don’t want to provide users
with a false sense of security, and encourage risky behavior. We want to
be very clear that when you grant someone access to your OS user
account, that they can get at everything. Because in effect, that’s
really what they get.</i><br />
<br />
The <a href="http://www.wired.com/threatlevel/2013/08/chrome-password-manager/">Wired article</a> points out that, in an absolute sense, this is true but that whether this offers some protection in practice depends on your threat scenario. If you're worried about professional attackers, then Google is right. But, if you're only worried about a jealous lover or nosy family member, a master password does provide meaningful protection.<br />
<br />
These anecdotes both illustrate the importance of threat scenarios. We don't defend against vulnerabilities, we defend against attacks made by threats. A SQL injection vulnerability is only significant because someone is out there ready to exploit it and because this action would be harmful to us.<br />
<br />
<b>Definition: A threat scenario is a scenario where a threat actor
exploits a vulnerability and this has an impact (consequence) that we
want to prevent.</b> <br />
<br />
Consider this: I scrape together an internal-only web application that users can use for generating reports. The application has read-only access to a database which contains no confidential information. Does it matter if the application is vulnerable to SQL injection? No. We don't care if the information is revealed because it's not confidential, so there is no impact. And, if the information has no value to an attacker, then there isn't a threat (because there is no motivation). That answer does depend on "read-only" and "no confidential information" holding for everything the application's database account can reach, not just the tables the reports use: an injection point is a path to whatever that account can see or do on the database server, so verify its privileges rather than assume them.<br />
<br />
What if the database contains confidential information but all of the users have legitimate access to it and the SQL injection vulnerability is only reachable after the user has logged in? Again, what threat scenario would we be protecting against? Any threat actor who can exploit the vulnerability already has access to the information, provided the application's database account can't read or modify anything the users couldn't already (the credentials table is the usual exception). Our efforts are better spent somewhere else.<br />
<br />
The first step in determining your threat scenarios is to identify your threats. Who are you protecting against? What resources and skills do they have? What are their motivations? What are their goals? The answers should depend on the nature of your organization. If you're working for the Department of Energy, your threats should include state-sponsored hackers in search of information about nuclear energy. If you're working for the local high school district, you will be much more concerned with teenagers who want to show off or perhaps change their grades. These two threats require vastly different measures (and budgets) to defend against. <br />
<br />
Then, as you identify real or potential vulnerabilities, analyze them in the context of your threats. What resources (skill, money, equipment) are required to exploit this vulnerability? Do any of your potential threat actors have the required resources? Will they be motivated to use them? What is the impact if they do? If your threat actors aren't capable of exploiting the vulnerability, then you don't need to fix it, at least not yet: the cost of an exploit only goes down as tools and services become available, so record the assumption and revisit it. If the impact is negligible or is less than the cost of the fix, it's not worth fixing.<br />
<br />
A K-12 school district does not need to worry that its data or network traffic is insecure because it's "only" encrypted with DES, provided the threats it actually faces can't break it. Nation states can brute-force DES pretty easily, but most teenage hackers, low-level identity thieves and disgruntled teachers (the threats a school district would actually have to worry about) don't have the resources or skill to do so. For instance, a GPU-based rig that can break DES in a month would probably cost tens of thousands of dollars to build, and the threat actor would need the know-how to build the rig and write the software to drive it. That resource estimate is the fragile part of the argument, though, and it is already out of date: by 2012, commercial FPGA cracking services were offering full 56-bit DES key recovery in under a day for a couple of hundred dollars, which turns "build a rig" into "find a website". The estimate of what an exploit costs has to be revisited as tools and services appear. What remains true is the other half of the question: even with a cheap service available, what would one of these actors gain from the district's traffic that makes the effort and the risk worthwhile?<br />
<br />
On the other hand, a bank using DES to encrypt and MAC wire transfers should worry. The bank's potential threats should include professional thieves who are able to invest in or commit resources to an attack provided that the cost/benefit analysis is favorable. These thieves may be able to purchase expensive equipment, sign up for cloud computing services (probably using stolen credit cards) and/or purchase time on a large botnet. If these thieves think they can modify or generate wire transfers in order to steal millions of dollars, it would absolutely be worth breaking DES to do so (provided there isn't a cheaper or easier alternative).<br />
<br />
The motivations and goals of a threat actor are important. Threat actors will not be interested in everything that an organization has to offer. A university might need to worry that state-sponsored hackers will try to steal information related to its government-funded research, but not that they will steal Visa numbers from the bookstore or try to change student grades.<br />
<br />
We need to build reasonable threat scenarios that connect threat actors with attacks/vulnerabilities and then determine the impact of those attacks. When developing scenarios, consider these questions:<br />
<ol>
<li>Who is the threat?</li>
<li>What resources does the threat actor have?</li>
<li>What motivates this threat actor?</li>
<li>What is the vulnerability?</li>
<li>What resources are required to exploit this vulnerability?</li>
<li>Does the threat actor have these resources? </li>
<li>What is the benefit to the threat actor if he exploits this vulnerability?</li>
<li>Does this benefit align with his motivations/goals?</li>
<li>Does the benefit justify expending these resources?</li>
<li>What is the potential adverse impact to the organization?</li>
</ol>
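As an added example (not from the original post), here is the screening above encoded as a small Python model: each threat actor carries a budget, a skill level and goals; each vulnerability carries the resources an exploit demands, what a successful attacker gains and what the organization loses; and a scenario is kept only when it is feasible, motivated and worth the attacker's cost. All actors, vulnerabilities and dollar figures are constructed for illustration. They loosely mirror the school district and bank cases, but they are not the post's numbers, and the <i>revised</i> helper exists to show what happens when the cost of an exploit is re-estimated.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class ThreatActor:
    name: str
    budget_usd: float          # Q2: money/equipment the actor can commit to one attack
    skill: int                 # Q2: 1 (curious amateur) .. 5 (nation-state team)
    goals: FrozenSet[str]      # Q3: what this actor wants


@dataclass(frozen=True)
class Vulnerability:
    name: str                  # Q4
    exploit_cost_usd: float    # Q5: cost of the resources needed to exploit it
    skill_required: int        # Q5
    payoff: Dict[str, float]   # Q7: goal -> value to an attacker who pursues that goal
    impact_usd: float          # Q10: loss to the organization if it is exploited


@dataclass(frozen=True)
class Scenario:
    actor: str
    vulnerability: str
    feasible: bool             # Q6: the actor has both the money and the skill
    motivated: bool            # Q8: the payoff serves one of the actor's goals
    worthwhile: bool           # Q9: the payoff exceeds what the attack costs
    impact_usd: float          # Q10

    @property
    def credible(self) -> bool:
        return self.feasible and self.motivated and self.worthwhile


def assess(actor: ThreatActor, vuln: Vulnerability) -> Scenario:
    """Answer questions 5-10 for one actor/vulnerability pair."""
    feasible = actor.budget_usd >= vuln.exploit_cost_usd and actor.skill >= vuln.skill_required
    gain = sum(value for goal, value in vuln.payoff.items() if goal in actor.goals)
    return Scenario(actor.name, vuln.name, feasible, gain > 0, gain > vuln.exploit_cost_usd, vuln.impact_usd)


def credible_scenarios(actors: Iterable[ThreatActor], vulns: Iterable[Vulnerability]) -> List[Scenario]:
    """Every pair that survives the screening, highest impact first."""
    found = [assess(a, v) for a in actors for v in vulns]
    return sorted((s for s in found if s.credible), key=lambda s: -s.impact_usd)


def worth_fixing(vuln: Vulnerability, actors: Iterable[ThreatActor], fix_cost_usd: float) -> bool:
    """Fix only when some credible actor exists and the impact exceeds the cost of the fix."""
    return any(assess(a, vuln).credible for a in actors) and vuln.impact_usd > fix_cost_usd


def revised(vuln: Vulnerability, exploit_cost_usd: float, skill_required: int) -> Vulnerability:
    """Re-estimate the resources an exploit needs; cheaper tooling can flip the answer."""
    return replace(vuln, exploit_cost_usd=exploit_cost_usd, skill_required=skill_required)


# Constructed actors and vulnerabilities; every figure is illustrative, not measured.
SCHOOL_ACTORS = [
    ThreatActor("teenager", budget_usd=300, skill=2, goals=frozenset({"grades", "notoriety"})),
    ThreatActor("disgruntled teacher", budget_usd=2_000, skill=1, goals=frozenset({"revenge"})),
]
BANK_ACTORS = [
    ThreatActor("professional thieves", budget_usd=250_000, skill=4, goals=frozenset({"money"})),
]
DES_STUDENT_RECORDS = Vulnerability(
    "student records encrypted with DES", exploit_cost_usd=20_000, skill_required=3,
    payoff={"grades": 500, "notoriety": 200}, impact_usd=50_000)
DES_WIRE_TRANSFERS = Vulnerability(
    "wire transfers encrypted and MACed with DES", exploit_cost_usd=20_000, skill_required=3,
    payoff={"money": 2_000_000}, impact_usd=2_000_000)
GRADEBOOK_SQLI = Vulnerability(
    "SQL injection in the gradebook", exploit_cost_usd=0, skill_required=2,
    payoff={"grades": 500, "notoriety": 200}, impact_usd=50_000)

if __name__ == "__main__":
    everything = [DES_STUDENT_RECORDS, DES_WIRE_TRANSFERS, GRADEBOOK_SQLI]
    for s in credible_scenarios(SCHOOL_ACTORS + BANK_ACTORS, everything):
        print(f"{s.actor:22s} -> {s.vulnerability}  (impact ${s.impact_usd:,.0f})")
    # The same DES weakness priced as a rented cracking service instead of a home-built rig.
    cheap_des = revised(DES_STUDENT_RECORDS, exploit_cost_usd=200, skill_required=2)
    print("DES worth fixing at the school?", worth_fixing(DES_STUDENT_RECORDS, SCHOOL_ACTORS, 5_000),
          "-> after re-pricing the exploit:", worth_fixing(cheap_des, SCHOOL_ACTORS, 5_000))
```

Run as a script, the model keeps exactly two scenarios: the thieves against the bank's DES-protected transfers and the teenager against the gradebook injection. The DES-protected student records drop out because no school-district actor can afford a $20,000 rig, and come back as soon as the exploit is re-priced as a $200 service, which is the practical reason the resource estimate in a threat scenario needs a review date.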
For a formal approach to developing and assessing threat scenarios, see Bruce Schneier's paper on <a href="http://www.schneier.com/paper-attacktrees-ddj-ft.html">Attack Trees</a>. Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-84640555890920997242013-07-23T11:26:00.000-07:002013-07-23T11:26:15.524-07:00Passwords 13 - Next WeekI haven't posted anything lately, but I'm heading to <a href="http://passwordscon.org/">Passwords '13</a> in Las Vegas next week and hope to come back with some new thoughts and ideas worth posting about. In the mean time, here's a picture of my dog.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvl26p4cenivpLj8Kzg0KOCkukpN3oYT7tsU4qmMqO_B1ZtC1JSLl8wel5tQrZdl8qEp_7NS3Pjr02lX6MH0nDik9CawJPeZZ2DKfksKgjXOZo5kjrHlfxumEegAW-BkQAHuKPG3maHck/s1600/Bits+-+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvl26p4cenivpLj8Kzg0KOCkukpN3oYT7tsU4qmMqO_B1ZtC1JSLl8wel5tQrZdl8qEp_7NS3Pjr02lX6MH0nDik9CawJPeZZ2DKfksKgjXOZo5kjrHlfxumEegAW-BkQAHuKPG3maHck/s320/Bits+-+2.png" width="320" /></a></div>
<br />
<br />
<br />Stevenhttp://www.blogger.com/profile/08515783026293944881noreply@blogger.com0tag:blogger.com,1999:blog-7266528187680728229.post-10607522836951175232013-03-26T16:18:00.003-07:002013-03-26T16:59:26.398-07:00Basics: Avoiding SQL Injection<!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><span style="mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">SQL injection is a pretty big deal. The attack is easy to carry out, the vulnerabilities are prevalent and the payoff is potentially large. Many of the password breaches reported over the last year or two are known or thought to have been carried out via SQL injection. </span><br />
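Before the post's own example, here is an added, self-contained illustration (not code from the original post) of the concatenation mistake next to the parameterized form that avoids it. It runs against an in-memory SQLite database; the <i>users</i> table, its rows, the <i>lookup_*</i> functions and the two attacker payloads are all constructed for this example and are not the post's application.

```python
import sqlite3
from typing import Dict, List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample database: three users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", 0), ("bob", "hash-of-bob-pw", 0), ("admin", "hash-of-admin-pw", 1)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """The mistake: untrusted input is pasted into the SQL text, so the database
    parses whatever the user typed as part of the query."""
    sql = "SELECT user_id, password_hash FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """The fix: the SQL text is a constant and the value travels separately as a
    bound parameter. It can only ever be compared against user_id, never parsed."""
    sql = "SELECT user_id, password_hash FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Constructed attacker inputs; harmless to lookup_safe, a data leak for lookup_vulnerable.
# WHERE user_id = '' OR '1'='1'   -> true for every row
TAUTOLOGY = "' OR '1'='1"
# The '--' comments out the closing quote; the UNION pulls the administrator's hash.
UNION_DUMP = "x' UNION SELECT user_id, password_hash FROM users WHERE is_admin = 1 --"


def compare(user_id: str) -> Dict[str, List[Row]]:
    """Run one input through both lookups and return what each one leaks."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, user_id),
            "safe": lookup_safe(conn, user_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, payload in [("normal", "alice"), ("tautology", TAUTOLOGY), ("union", UNION_DUMP)]:
        r = compare(payload)
        print(f"{label:10s} vulnerable={len(r['vulnerable'])} rows  safe={len(r['safe'])} rows")
```

Two things worth noticing when you run it. The tautology returns every row from the vulnerable query and nothing from the safe one, because the bound parameter is compared as the literal string <i>' OR '1'='1</i>, which matches no user. Python's sqlite3 module refuses to run more than one statement per <i>execute</i> call, so a stacked <i>'; DROP TABLE users; --</i> raises an error here rather than succeeding; drivers for other databases often do allow it, and the fix is the same parameterization. Binding only works for values: table and column names or an ORDER BY direction can't be parameters and need an allow-list instead.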
<br />
SQL injection attacks allow an attacker to execute arbitrary queries or commands against a database. Developers introduce the vulnerability when they concatenate or substitute user input into the text of a SQL query, so the database parses attacker-controlled data as SQL. In the following Python example, the program accepts any input as the "user_id" variable (returned as part of <i>login_data</i>) and tacks it onto the end of a string that is then executed as a SQL query:<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
<br />
<blockquote class="tr_bq">
<i>login_data = web.input()</i><br />
<i>query_string = "SELECT * FROM USERS WHERE ID = '%s'" % <b>login_data.user_id</b></i><br />
<i>cursor.execute(query_string)</i></blockquote>
<a name='more'></a></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br />
If the user enters "carlos", this query will select the record with the ID "carlos". If the user enters <i>' or 1=1</i>, the query will return all the rows in the USERS table. If the user appends <i>;DROP TABLE USERS</i>, it will delete the USERS table. This attack is possible because the executable SQL statement and the data portion of the query are both strings, and developers mix them together so that the SQL server has no way to tell them apart.</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br />
<br /></div>
<div align="center" class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: center;">
<b>Preventing SQL Injection</b></div>
<div align="center" class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: center;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
One of the primary methods for preventing SQL injection is to use parameterized queries. With parameterized queries, the developer writes the SQL statement using placeholders where the user input belongs, then passes the statement and the user data to the database driver as separate arguments. Because the two never share a string, the SQL server can distinguish the statement from the data. Here's an example:</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br /></div>
<blockquote class="tr_bq">
<i>login_data = web.input()</i><br />
<i>query_string = "SELECT * FROM USERS WHERE ID = <b>?</b>"</i><br />
<i>cursor.execute(query_string, (<b>login_data.user_id</b>,))</i></blockquote>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
Here, the "?" is a placeholder for user input. When cursor.execute() is called, the programmer passes the query string and the user_id parameter as two distinct arguments (note the trailing comma: the parameters must be passed as a tuple).</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br />
To defend against SQL injection and other attacks (e.g. XSS), developers should also filter user input. Input filtering helps to prevent all attacks that rely on malformed input, not just SQL injection. This is also an example of defense in depth: input filtering and parameterized queries are complementary protections against SQL injection.</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br />
Suppose that the username should be from 3 to 32 characters long and that it can contain any alphanumeric character, a period or an underscore. You could write a regular expression to check this:<br />
<br />
<blockquote class="tr_bq">
<i>login_data = web.input()</i><br />
<b><i>if not re.match(r'^[\w.]{3,32}$', login_data.user_id):</i></b><br />
<b><i>&nbsp;&nbsp;&nbsp;&nbsp;some_error_thingy()</i></b><br />
<i>query_string = "SELECT * FROM USERS WHERE ID = ?"</i><br />
<i>cursor.execute(query_string, (login_data.user_id,))</i></blockquote>
<br />
The '^' and '$' match the beginning and end of the string. \w is shorthand for [0-9a-zA-Z_] and {3,32} specifies a minimum and maximum length of 3 and 32 respectively.</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
It's very important to use parameterized queries AND input checking. Parameterized queries do not prevent all SQL injection. <a href="http://news.ycombinator.com/item?id=4250888"><span style="color: blue;">From Thomas Ptacek:</span></a></div>
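<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
Added example, not code from the original post: the vulnerable snippet, the parameterized query and the regex check above, run against a constructed in-memory SQLite table with web.input() replaced by a plain string argument. The validator uses re.fullmatch and re.ASCII, which are tighter than the post's ^...$ anchors (a '$' also matches just before a trailing newline), and the allowlisted ORDER BY column is an assumed illustration of the point in the quote that follows, that identifiers and keywords cannot be bound as parameters.</div>

```python
import re
import sqlite3

# Constructed sample rows standing in for the post's USERS table.
SAMPLE_USERS = [
    ("carlos", "carlos@example.com"),
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (ID TEXT PRIMARY KEY, EMAIL TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, user_id):
    """The post's first snippet: user data is spliced into the SQL text,
    so the database cannot tell statement from data."""
    query_string = "SELECT * FROM USERS WHERE ID = '%s'" % user_id
    return conn.execute(query_string).fetchall()


# Same character class and length bounds as the post's regex.
# re.ASCII makes \w mean [0-9a-zA-Z_] instead of any Unicode word character.
USER_ID_RE = re.compile(r"[\w.]{3,32}", re.ASCII)


def is_valid_user_id(user_id):
    """Input filter from the post. re.fullmatch must consume the whole string,
    so 'carlos\\n' is rejected, whereas '^[\\w.]{3,32}$' would accept it
    because '$' matches before a trailing newline."""
    return isinstance(user_id, str) and USER_ID_RE.fullmatch(user_id) is not None


def lookup_safe(conn, user_id):
    """Parameterized query plus input filter: the post's defense in depth."""
    if not is_valid_user_id(user_id):
        raise ValueError("invalid user id")
    query_string = "SELECT * FROM USERS WHERE ID = ?"
    # Trailing comma matters: (x) is just x in Python, (x,) is a 1-tuple.
    return conn.execute(query_string, (user_id,)).fetchall()


# Assumed allowlist: a sort column is an identifier, which drivers cannot
# bind as a parameter, so it is checked against a fixed set instead.
SORTABLE_COLUMNS = {"ID", "EMAIL"}


def list_users_sorted(conn, column):
    """ORDER BY with an allowlisted column name, never raw user input."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute("SELECT * FROM USERS ORDER BY %s" % column).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input that turns the WHERE clause true
    print("unsafe, carlos:   ", lookup_unsafe(conn, "carlos"))
    print("unsafe, tautology:", lookup_unsafe(conn, tautology))  # every row
    print("safe, carlos:     ", lookup_safe(conn, "carlos"))
    try:
        lookup_safe(conn, tautology)
    except ValueError as err:
        print("safe, tautology:   rejected by the input filter:", err)
    print("sorted by ID:     ", list_users_sorted(conn, "ID"))
```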
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:DoNotShowPropertyChanges/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>EN-US</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
<br />
<blockquote class="tr_bq">
<i>Specifically, you write: "Parameterized queries are a better way
of solving the problem, because it doesn't require any escaping". This is
wrong. Most database protocols will allow you to bind data to a query,
but not keywords, or even limits and offsets. A whole generation of programmers
has been convinced that using parameterized queries shields them from SQL
Injection, while writing pagination code or sortable tables that are trivially
injectable.</i></blockquote>
</div>
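The commenter's point worked through in code, as an added example that is not from the post or the commenter: the column, direction, LIMIT and OFFSET of a sortable, paginated query cannot be bound as parameters, so they must be allow-listed and type-checked instead. Python with the standard-library sqlite3 module; the <i>users</i> table and its rows are constructed for the demo.

```python
import sqlite3

# Identifiers and keywords cannot be bound as query parameters, so the only
# safe source for them is a fixed allow-list owned by the application.
SORTABLE_COLUMNS = {"id", "name", "created_at"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_PAGE_SIZE = 100


def build_page_query_unsafe(sort, direction, limit, offset) -> str:
    """The pattern the comment describes: the WHERE value is bound, but the
    ORDER BY column, direction, LIMIT and OFFSET are pasted into the SQL
    text. Every one of them is an injection point even though the query
    'uses parameters'. Kept only for contrast; never executed here."""
    return ("SELECT id, name FROM users WHERE active = ? "
            f"ORDER BY {sort} {direction} LIMIT {limit} OFFSET {offset}")


def build_page_query(sort, direction, limit, offset):
    """Hardened version: identifiers and keywords come only from the
    allow-lists above; the numeric parts are checked to be real ints and
    then bound as parameters. Returns (sql, params)."""
    if sort not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    direction_sql = SORT_DIRECTIONS.get(str(direction).lower())
    if direction_sql is None:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    # type() rather than isinstance(): bool is an int subclass in Python.
    if type(limit) is not int or not 1 <= limit <= MAX_PAGE_SIZE:
        raise ValueError(f"limit must be an int in 1..{MAX_PAGE_SIZE}")
    if type(offset) is not int or offset < 0:
        raise ValueError("offset must be a non-negative int")
    sql = ("SELECT id, name FROM users WHERE active = ? "
           f'ORDER BY "{sort}" {direction_sql} LIMIT ? OFFSET ?')
    return sql, (1, limit, offset)


def fetch_page(conn, sort, direction, limit, offset):
    """Run the hardened query and return the rows of one page."""
    sql, params = build_page_query(sort, direction, limit, offset)
    return conn.execute(sql, params).fetchall()


def is_rejected(sort, direction, limit, offset) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_page_query(sort, direction, limit, offset)
    except ValueError:
        return True
    return False


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "active INTEGER, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "carol", 1, "2012-01-03"),
        (2, "alice", 1, "2012-01-01"),
        (3, "bob",   0, "2012-01-02"),
        (4, "dave",  1, "2012-01-04"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(fetch_page(conn, "name", "asc", 2, 0))
    # A column that is not on the allow-list is refused outright, even
    # though it contains nothing that looks like SQL syntax.
    print(is_rejected("password_hash", "asc", 10, 0))
```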
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br /></div>
<div align="center" class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: center;">
<b><span style="mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">For Managers </span></b></div>
<div align="center" class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: center;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">If you'd like to save your organization
from the embarrassment of a breach, you need to ensure that your developers
understand SQL injection and other common application security problems.
There are a lot of sites out there with SQL injection vulnerabilities and many,
if not most, developers just don't seem to know better. Establish coding
standards and educate your developers. Once you have those parts in
place, incorporate them into your code reviews and software testing.</span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";"><br />
If you don't have enough security knowledge in-house, you can task some of your
developers with <a href="http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470/ref=dp_ob_title_bk"><span style="color: blue;">doing</span></a> <a href="http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751/ref=sr_1_1?ie=UTF8&qid=1364339708&sr=8-1&keywords=howard+sins+security"><span style="color: blue;">the</span></a> <a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"><span style="color: blue;">research</span></a>. If you have money to burn, hire
consultants. They have to eat too :) </span></div>
<!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
<br />
<b>Lessons from the S.C. breach</b><br />
Steven, 2012-12-04<br />
<br />
In October, the South Carolina Department of Revenue discovered that it had been breached and contacted <a href="http://www.mandiant.com/">Mandiant</a> to assist in the investigation and response. All told, millions of social security numbers and hundreds of thousands of bank/credit card numbers had been <a href="http://www.infosecurity-magazine.com/view/29034/36-million-social-security-numbers-and-387000-card-numbers-stolen/">stolen</a>.<br />
<br />
In November, Mandiant <a href="http://docs.ismgcorp.com/files/external/MANDIANT_Public_IR_Report_Dept_of_Revenue_11202012.pdf">published</a> their findings. This is exciting. All we usually get is a news article lacking in technical detail. This we can actually learn from.<br />
<br />
My goal in this blog post is to explore what, in hindsight, the S.C. Department of Revenue could or should have done better. Please read the Mandiant <a href="http://docs.ismgcorp.com/files/external/MANDIANT_Public_IR_Report_Dept_of_Revenue_11202012.pdf">report</a> before you move on.<br />
<br />
<a name='more'></a><div style="text-align: center;">
<br />
<u><b>What Happened?</b></u></div>
<br />
Mandiant published a summary by date. I'm going to further condense that and label the events from Day 1 to Day 66 so that it's easier to calculate the time elapsed between events. This is all from the report. It's their work, not mine. If you didn't read their report, go do it now.<br />
<br />
<b>Day 1)</b> The attack started with a phishing email targeted at multiple employees. The email contained a link to a malicious program that could steal a user's credentials.<br />
<br />
<b>Day ??) </b>One of the employees (or his/her computer) gave up the goods and the phishing attack was successful.<br />
<br />
<b>Day 15) </b>The attacker used a username and password to log in to a remote access service, connected to the user's machine and then accessed other systems and databases.<br />
<br />
<b>Day 17)</b> The attacker stole additional passwords from six computers.<br />
<br />
<b>Day 20)</b> The attacker stole passwords for "all Windows accounts" and installed a backdoor on one server.<br />
<br />
<b>Day 21 - Day 30) </b>The attacker accessed approximately 38 systems using one or more compromised accounts; the report doesn't say explicitly whether it was the same account used earlier. My impression is that it was not. The attacker performed recon on several of these days. The attacker also authenticated to a couple of web servers but didn't accomplish anything.<br />
<br />
<b>Day 31 - Day 33)</b> Copied database backup files and sent those files over the Internet.<br />
<br />
<b>Day 34) </b>Interacted with ten systems. More recon.<br />
<br />
<b>Day 35 - Day 65)</b> Nothing happens.<br />
<br />
<b>Day 66)</b> Attacker(s) check on the backdoor they installed.<br />
<br />
<br />
<div style="text-align: center;">
<u><b>Analysis</b></u></div>
<br />
<b>The initial phish (Day 1 to Day ??)</b><br />
<br />
The gap between the initial phishing attack and the first time the attacker actually used a user's credentials was two weeks. Presumably the user(s) who responded did so within a few days. I'm not sure why the attacker waited to use them. The attacker could have performed additional reconnaissance from the outside or been busy on another project.<br />
<br />
So, what could the Department of Revenue have done to stop this? What wouldn't have helped?<br />
<br />
If the phishing email were reported (e.g. by a wary recipient) or otherwise detected during this window, the attack might have been stopped. The IT/security staff could have cleaned or re-imaged the affected machines and forced the affected users to change their passwords. If better education/awareness would have prompted just one of the targeted users to report this, it would have been worthwhile. <br />
<br />
If this malware was custom, and I'm guessing it was, AV software would have been of little to no use.<br />
<br />
If the malware stole passwords by dumping the Windows credential cache, this could have been prevented by not giving users local administrator privileges. It's also possible that the malware retrieved the username and password some other way and local admin privileges were not an issue.<br />
<br />
If they had used two-factor authentication, it would have been much more difficult for the attacker to pull this off. With one-time passwords, the attacker would have had to steal the one-time password and use it immediately, probably via more sophisticated malware. The attacker could also have tried to deliver a malware package that could stay resident on the user's system and phone home to give the attacker access. This would have been more complicated and easier to detect but still very possible.<br />
<br />
<br />
<b>Initial Access (Day 15)</b><br />
<br />
Why are remote users allowed to log in to the internal network with just a username and password? Even if two-factor authentication wasn't used internally, remote users should have been forced to connect through a VPN using separate authentication (e.g. digital certificates).<br />
<br />
<br />
<b>Password Stealing and Backdoors (Day 17-20)</b><br />
<br />
The report doesn't give a lot of details here. How did the attacker steal additional passwords? The attacker probably gained admin privileges at some point. The "all Windows passwords" reference probably means he got domain admin rights and dumped everything on Day 20.<br />
<br />
Assuming the attacker got admin rights, how did he do it? Was the first victim an admin? Did the attacker escalate using an exploit? Was a patch available? What tools did he use to steal passwords? Did the attacker use publicly available tools such as creddump or pwdump? If one or more of the internal systems were unpatched, the department could have prevented this by establishing a stronger policy and procedure for patching. If publicly available tools were used to dump passwords, why didn't the AV or endpoint security products detect them? Was the attacker able to disable the anti-virus first? Could this be detected by centralized AV management? Unfortunately, I have more questions than answers. <br />
<br />
The report indicates that this was (at least partially) a Windows network. One of the problems with Windows networks is that the network authentication and password hashing are awful. The NTLM protocols have various problems and can allow attackers to brute force credentials after observing network authentication. The hashes are unsalted MD4, which is incredibly fast, so attackers can guess <a href="https://www.cryptohaze.com/">billions</a> of <a href="http://hashcat.net/oclhashcat-plus/">passwords</a> per second. And, to top it all off, the hashes are the actual secret used for authentication (not the password). Attackers can <a href="http://en.wikipedia.org/wiki/Pass_the_hash">"pass the hash"</a> to log in without knowing the associated password.<br />
<br />
We really need better options for enterprise network authentication. It's really unfortunate that Microsoft hasn't offered anything stronger. <a href="http://srp.stanford.edu/">SRP</a> with a strong password hash like bcrypt would have helped out a lot here. The attacker wouldn't be able to pass the hash and it would be very difficult to crack the hashes/verifiers.<br />
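The contrast drawn in the two paragraphs above, as an added example that is not the post's code: a minimal SRP-6a exchange in Python in which the server stores only a salt and a verifier v = g^x mod N, so a copied credential store holds nothing that can be replayed the way an NT hash can, and the password hash is salted and slow. The modulus is a demo-sized Mersenne prime rather than an RFC 5054 group, PBKDF2 from the standard library stands in for the bcrypt the post suggests, and the M1 proof is a simplified form.

```python
import hashlib
import hmac
import secrets

# Demo-sized group (NOT for production): N = 2^127 - 1 is prime but not a
# safe prime, and 127 bits is far too small. Real deployments use the
# RFC 5054 groups (2048 bits and up). The protocol arithmetic is unchanged.
N = (1 << 127) - 1
g = 3
NLEN = (N.bit_length() + 7) // 8   # byte length of N, used by PAD()


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pad(n: int) -> bytes:
    """PAD(): big-endian encoding, left-padded to the length of N."""
    return n.to_bytes(NLEN, "big")


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


# SRP-6a multiplier k = H(N | PAD(g)); binds the exchange to this group.
k = to_int(H(pad(N), pad(g)))


def private_key_x(salt: bytes, username: str, password: str) -> int:
    """x is a slow, salted hash of the password. The post suggests bcrypt;
    PBKDF2-HMAC-SHA256 (standard library) stands in for it here. The salt
    gives two users with the same password different x and v; the iteration
    count is what makes offline guessing expensive, unlike unsalted MD4."""
    ident = f"{username}:{password}".encode()
    return to_int(hashlib.pbkdf2_hmac("sha256", ident, salt, 100_000))


def register(username: str, password: str) -> tuple[bytes, int]:
    """Enrollment. The server keeps only (salt, v). v = g^x mod N lets the
    server check a login, but unlike an NT hash it is not itself the secret
    the client side needs (that is x, the exponent)."""
    salt = secrets.token_bytes(16)
    x = private_key_x(salt, username, password)
    return salt, pow(g, x, N)


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v

    def challenge(self, A: int) -> tuple[bytes, int]:
        """Receive the client's public value A; answer with salt and B."""
        if A % N == 0:            # RFC 5054: A == 0 (mod N) would fix the key
            raise ValueError("illegal client public value")
        self.A = A
        self.b = secrets.randbelow(N - 1) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def session_key(self) -> bytes:
        u = to_int(H(pad(self.A), pad(self.B)))
        S = pow(self.A * pow(self.v, u, N), self.b, N)   # (A * v^u)^b
        return H(pad(S))

    def verify(self, M1: bytes) -> bool:
        """Constant-time check of the client's proof of the shared key."""
        expected = H(pad(self.A), pad(self.B), self.session_key())
        return hmac.compare_digest(M1, expected)


def client_session_key(username: str, password: str, a: int, A: int,
                       salt: bytes, B: int) -> bytes:
    if B % N == 0:
        raise ValueError("illegal server public value")
    x = private_key_x(salt, username, password)
    u = to_int(H(pad(A), pad(B)))
    base = (B - k * pow(g, x, N)) % N     # removes k*v, leaving g^b
    S = pow(base, a + u * x, N)           # (g^b)^(a + u*x) == server's S
    return H(pad(S))


def run_login(username: str, password: str, server: Server):
    """One full exchange; returns (client key, server key, accepted?)."""
    a = secrets.randbelow(N - 1) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(A)
    K_client = client_session_key(username, password, a, A, salt, B)
    M1 = H(pad(A), pad(B), K_client)       # simplified client proof
    return K_client, server.session_key(), server.verify(M1)


if __name__ == "__main__":
    salt, v = register("alice", "correct horse")
    print(run_login("alice", "correct horse", Server(salt, v))[2])   # True
    print(run_login("alice", "wrong guess", Server(salt, v))[2])     # False
```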
<br />
<b>Snooping Around (Day 21 - Day 30)</b><br />
<br />
The attacker was pretty busy poking at different systems for more than a week. He accessed dozens of servers and performed "reconnaissance" several times. Did he scan and fingerprint the network with nmap? Did he just poke around at the network shares available to him? How noisy was the attacker?<br />
<br />
This is probably where a NIDS could have detected the attacker's activity. I've knocked <a href="http://bugcharmer.blogspot.com/2012/07/is-ids-effective.html">IDS</a> in the past because in many cases it's just too easy to bypass. But here, it may have been the right tool for the job. Network session or statistical data would have been awesome too, assuming someone is actually keeping watch. Perhaps Richard Bejtlich can convince them to start capturing <a href="http://taosecurity.blogspot.com/2012/11/why-collect-full-content-data.html">full content</a>.<br />
<br />
Did the Department of Revenue have IDS alerts, session data or statistical data? Was anyone looking at it? Are various data sources properly correlated?<br />
<br />
<br />
<b>Paydirt (Day 31 - Day 33)</b><br />
<br />
After 17 days on the network, the attacker made a copy of some database backup files that totaled 74.7 GB of uncompressed data. These backups came from three different systems. According to the report, some of this data was encrypted and some wasn't. Why wasn't it all encrypted? Was some of the information less sensitive? <br />
<br />
At this point, it's game over. The attacker has what he wants and is shipping it home. <br />
<br />
<br />
<b>Password Expiration?</b><br />
<br />
I've blogged before about <a href="http://bugcharmer.blogspot.com/2012/09/password-expiration.html">password expiration</a>. Many people argue that expiration is useful for limiting an attacker's access. I think this breach is a good example of why it just isn't so. The time elapsed between the first time the attacker logged in and the point at which he started copying the database backups was 17 days. With a password expiration of 60 days or longer, the attacker would probably not have been locked out of the initial account he compromised before he had accomplished his objective.<br />
<br />
With an expiration of 30 days, the odds are better than even that the password would have changed before he finished. But, within 5 days of his initial login, the attacker had stolen hashes from several servers and at least one domain. He had access to many accounts; hundreds, maybe thousands. The attacker also installed a backdoor on at least one system which implies that he had administrator rights. In order for expiration to stop him, he would have had to be dependent on the first compromised account with little or no ability to expand his access to additional accounts or systems.<br />
<br />
It's also worth noting that the attacker accessed over three dozen systems in the 15 days after his initial access which means he had the opportunity to cause a lot of damage before any potential expiration would have kicked in, even with an aggressive 30 day policy.<br />
<br />
On the other hand, two-factor authentication would have made it much more difficult for the attacker to gain access initially and to gain access to additional accounts once he had access. Stronger password hashing and network authentication would also have made it much more difficult to gain access to additional accounts.<br />
<br />
<br />
<b>Detection</b><br />
<br />
If the Department of Revenue had detected the initial phishing attempt, this whole sequence would have been disrupted (although the attacker could have tried again). If they had detected the attacker at any point during the first 15 days that he had access, the impact could have been greatly reduced. By the time they contacted Mandiant, the attacker was done.<br />
<br />
<br />
<b>Remediation Summary</b><br />
<br />
I identified several possibilities for what the Department of Revenue could have done differently (and should do in the future).<br />
<br />
There are a few recommendations that I'm (fairly) confident about:<br />
<ul>
<li>Implement two-factor authentication inside the network or for critical systems.</li>
<li>Require remote users to authenticate to a VPN using digital certificates.</li>
<li>Educate users about phishing.</li>
<li>Encourage users to report phishing attempts.
<ul>
<li>Make it easy for them.</li>
<li>Follow up on the reports.</li>
</ul>
</li>
<li>Implement a network intrusion detection system.
<ul>
<li>Or manage the existing one better.</li>
</ul>
</li>
<li>Capture and record session and statistical data.</li>
<li>Correlate logs, IDS alerts and network data.</li>
</ul>
<br />
There are also a few recommendations that may or may not be applicable:<br />
<ul>
<li>Implement/enforce a stronger patching policy</li>
<li>Install anti-virus or endpoint protection to detect common tools (e.g. pwdump)</li>
<li>Better logging and tracking of user activity, especially administrator activity, might have alerted the department much earlier.</li>
</ul>
<br />
<b>Thanks</b><br />
<br />
I'd like to express my thanks to Mandiant and/or the South Carolina Department of Revenue for publishing this report. I think there's a lot to be learned from these reports, especially for those of us who are not actively working in incident response.<br />
<br />
<br />
<b>Final Note </b><br />
<br />
I may update this post in the next few days if I think of anything else. I'll add a note here at the bottom to identify any major changes.<br />
<br />
<br />
<b>Lessons from the CCSF debacle</b> (Steven, 2012-11-28)<br />
<br />
In January 2012, some fairly sensational news stories were published about a major data breach at City College of San Francisco. According to the early reports, tens of thousands of student records may have been compromised. Even <a href="http://www.sfexaminer.com/local/education/2012/01/ccsf-president-pledges-internet-security-crackdown-after-learning-widespread">more</a> <a href="http://www.huffingtonpost.com/2012/01/14/city-college-of-san-franc_n_1206578.html">interesting</a>, the reports said that some systems may have been infected for over a decade and that there were connections to China and Russia. While the reports were interesting, they were short on details and I hoped to eventually read more after the school had some time to sort things out.<br />
<br />
In May, the CTO of CCSF was <a href="http://www.fogcityjournal.com/wordpress/4600/ccsf-chancellor-suspends-technology-adminstrator-launches-investigation/">suspended</a> at least in part for his reaction to the breach. The Guardsman, CCSF's newspaper, published a <a href="http://theguardsman.com/bug2/">series</a> of <a href="http://theguardsman.com/bug3/">articles</a> that described controversy within CCSF over the handling of the breach, the CTO's management and accusations that the breach was a false alarm.<br />
<br />
The CTO's tenure sounds like it was a disaster. It's also full of lessons for IT and security managers.<br />
I suggest reading <a href="http://theguardsman.com/bug2/">these</a> <a href="http://theguardsman.com/bug3/">two</a> articles before you continue, but if you'd rather just plow ahead you can; I'll provide enough context to understand what I'm talking about.<br />
<br />
Disclaimer: I have no inside knowledge. I'm basing my comments entirely on what was published. I'm not looking to bash the CTO or the college. I think we can learn from the situation and in this post I will offer some constructive suggestions for how IT and security managers could handle similar situations better. I won't spend much time analyzing the academic/business side. Other parties made mistakes too, but I'm interested in what we can apply to IT and/or security.<br />
<br />
<u><b>Know Your Environment</b></u><br />
<br />
The CTO came from a military background and the articles suggest that one of the problems was a clash of cultures. The CTO himself was dismissive of the idea of shared governance and according to a (disputed) accusation, he tried to bypass the college's technology steering committee on a proposed $750k purchase. Additionally, the IT staff complained that the CTO imposed a rigid hierarchy and wasn't open to opinions from employees below a certain "status".<br />
<br />
It sounds to me like the CTO failed to understand his environment. To start with, shared governance is an important part of the community college system in California and it is <a href="http://www.ccleague.org/i4a/pages/index.cfm?pageid=3359">not</a> <a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=edc&group=70001-71000&file=70900-70902">optional</a>. Like it or not, if you want to work in a community college, you have to be willing to work within the confines of shared governance. The administration and board have to seek faculty input on most major decisions and classified employees (and their union) are generally involved as well although I'm not sure if it has the same legal backing as faculty involvement. The CTO's statement that the Academic Senate doesn't affect his career is naive. The Academic Senate and other major committees are part of the governance and politics of a community college and when you sign up to be a manager, especially at senior level, you sign up to play politics.<br />
<br />
In any organization, it's critical that you understand how IT governance works. IT governance dictates how an organization makes decisions about technology. Some operational decisions will rest solely with IT, but no successful organization leaves all of the IT decisions to the IT department. It's up to the business side of the organization to make most of the strategic and policy decisions. IT may be (and should be) involved, but a lot of these are "business decisions about IT", not "IT decisions". <br />
<br />
Community colleges are not a "do what I say and don't ask questions" environment. Classified staff generally expect to be consulted or at least to be able to approach their boss and their boss's boss. They participate in committees alongside faculty and managers. Union agreements may restrict the work that employees can do outside their job descriptions, especially if the person is being asked to do work at a higher level than the job they were hired for. This doesn't mean that the boss has no authority; he does. But, he may need a different approach than in some other environments.<br />
<br />
<u><b>Security Has to Come From the Top</b></u><br />
<br />
One of the most disconcerting things that I saw in the articles was the push-back against the CTO for claiming that CCSF had security problems. After the breach, the college began preparing a response titled "The ITS Department is on Top of Security." The breach itself was chalked up as an overreaction.<br />
<br />
The claims of security problems didn't just come from the CTO; they also came from the report from the forensics firm hired by the CTO, one or two previous external audits and an internal audit. The college also suffered another breach in 2007. My guess is that they have some security problems. Unfortunately, not everyone seems interested in hearing that.<br />
<br />
The problem here, for the CTO, is that change has to come from the top. A senior IT or security manager can make some progress on his own, but big sweeping changes require higher and broader support. If the chancellor and other senior managers don't recognize that there is a problem, the CTO is going to be limited in what he can do.<br />
<br />
The CTO (or CIO, CISO) can try to make the other senior managers (and the board) more aware. In fact, it's an important part of his job to make sure they are aware of the risks. In the end, however, it's not his decision how to deal with those risks. If the CTO doesn't like the response he gets, he can change his approach or move on.<br />
<br />
While the CTO should make the administration aware, it's important not to over-sell security risks. Security is important. I'd even argue that organizations have a moral obligation to protect the personal information they collect. But the sky isn't going to fall if they decide not to. One of the sad facts of security is that it's often not as important (from a business perspective) as we'd like it to be. Many of the risks are externalities. The college may have to spend some money recovering from a breach, but they won't go <a href="http://www.csoonline.com/article/550413/from-the-cio-why-you-didn-t-get-the-ciso-job">out of business</a>. Students may have some ID theft problems, but classes won't stop. Even a six-figure payroll theft isn't going to shut down the college or cost a chancellor his job. As long as the cost to the college is low, the college doesn't have much incentive to increase spending or time spent on security.<br />
<br />
In many ways, the college is better off not knowing if there is a data breach. A breach requires notification in some states (including California) but ignorance is bliss.<br />
<br />
<u><b>Get Buy-in</b></u><br />
<br />
One professor suggested that much of the conflict came from the CTO's focus on security. Community colleges generally do not place much emphasis on security. There's nothing wrong with the CTO wanting to do more in this regard, but if he tried to jump in and shake things up without getting support first, he made a mistake. If he realized that he needed to make major changes, his next step was to sell those changes.<br />
<br />
I mentioned in the previous section the importance of making senior managers aware of the risks, but once the administration is on board with the idea of doing something about security, you still need to convince them that you have the right plan. You also need to get the rest of the college on board with the plan. Speak to the key players, including the technology steering committee. Develop security awareness training and use it to help spread the message. People are generally resistant to change, but some salesmanship and patience will go a long way. Having open, not just tacit, support from the other managers is also key.<br />
<br />
Realize, however, that you may not get to implement the grand security plan that you want. Accomplish what you can. It's foolish to burn political capital with nothing to show for it, but that's exactly what you'll do if you try to drag the organization along, kicking and screaming. Instead, identify the most serious <a href="http://www.amazon.com/Security-Risk-Management-Building-Information/dp/1597496154/ref=sr_1_1?ie=UTF8&qid=1354159301&sr=8-1&keywords=risk+management+and+security">risks</a> and focus on those first. Start small and phase things in. Get input from other managers; don't assume that you know what's important. Ask.<br />
<br />
I believe in over-communication. Managers should be fairly transparent in their intentions. If you've got a big plan, sell it and communicate it over and over. Post details publicly, hold meetings, send emails. Don't surprise people. Get input early and incorporate it into your plan. You don't know everything so be willing to listen.<br />
<br />
<u><b>Talk to HR</b></u><br />
<br />
One of the complaints was that the CTO didn't follow the standard process for disciplining an employee. That's a dumb mistake. Managers should talk to HR if they're considering any sort of formal discipline, especially if the manager is new to the organization. HR handles these situations on a regular basis; most managers rarely deal with them. There's a pretty good chance you'll run afoul of organizational policy, union agreements or the law if you decide to wing it.<br />
<br />
<u><b>Establish Procedures in Advance</b></u><br />
<br />
One of the complaints was that the CTO hired an outside firm after the breach was detected. According to those complaining, he should have relied on his existing technical staff and not doing so showed a lack of trust. That's rubbish. He had an IT staff of 70 people. I don't know how many full-time security people he had, but the <a href="http://blog.thehigheredcio.com/2012/10/31/it-staffing-ratios-benchmarks/">typical</a> number would be one or two in an IT group that size. And, the security people he had were probably not digital forensics or incident response experts. DFIR is pretty <a href="http://carnal0wnage.attackresearch.com/2012/11/the-biggest-problem-in-computer-security.html">specialized</a>, not something you just have your network security people do as needed.<br />
<br />
I think the CTO was right to hire an outside firm. The mistake he made was in not developing and communicating the college's incident response procedures ahead of time. The college should have had a written procedure that included a contact list and assigned responsibilities. The procedure should also have identified the point at which CCSF would seek outside expertise and possibly listed some acceptable vendors. The CTO could have addressed any misgivings during the planning process.<br />
<br />
It's much easier to do things right and to get others to come along, when the policies, procedures, guidelines and standards are developed ahead of time. People get to provide input, everyone has documentation and there are fewer surprises. <br />
<br />
I'm a big fan of documentation and procedures. Done properly, they help to guide people along and make processes repeatable and dependable. This is especially important with incident response. The security and incident response team needs to know who to involve (e.g. HR and legal) and when to involve them. They need to know what they can and should handle and when they should call in an outside expert. If the organization hopes to seek a legal remedy or pursue criminal charges after a breach, it's important that they preserve evidence and establish a chain of custody. If the team is trying to answer these questions as they go along, they're going to make a lot of mistakes.<br />
<br />
<br />
<br />
<b>Wrapping up 2012</b> (Steven, 2012-11-21)<br />
<br />
I've been really busy lately so I haven't blogged much. Things are coming together pretty well here at the end of 2012. Here's what's happening with me.<br />
<br />
This summer, I won a free trip to Fishnet Security's iSWAT training event in Las Vegas through <a href="http://www.ethicalhacker.net/">The Ethical Hacker Network</a>. I decided to take the CISSP review course. I've been meaning to take the CISSP exam for a while, but it's been hard to find time to study since I'm working and in school full-time. There were only three of us in class, but it worked out really well. Instead of sitting in rows and listening to the instructor drone on for hours, we sat around a conference table and actually discussed things as we went over them. Many of the discussions went well past what we needed for the exam, but I enjoyed the hell out of it. It's not often that I get to spend an entire day talking about security.<br />
<br />
My only complaint is that Fishnet was supposed to reimburse me for the CISSP exam (it was part of the package). I was told a month ago that my reimbursement was being processed, but I haven't heard back and I haven't received anything. <br />
<a name='more'></a>In October, a few weeks after the class, I took the CISSP exam and passed. About a week ago I received notification that I was officially certified. Box checked.<br />
<br />
About a month ago, Mark Russinovich posted a security quiz that tied in to a short story of his. Then, he put the names of all the people who got perfect scores into a hat (I assume) and drew five names. I won! So, I'll be receiving an autographed set of all of his books. I'm very happy. I love the Inside Windows/Windows Internals series and I enjoyed his (realistic) hacker novel <a href="http://www.amazon.com/dp/1250007305">Zero Day</a>. I was already planning to buy his new novel <a href="http://www.amazon.com/Trojan-Horse-Novel-Mark-Russinovich/dp/1250010489/ref=sr_1_4?s=books&ie=UTF8&qid=1353536523&sr=1-4">Trojan Horse</a>.<br />
<br />
In December, I'll graduate with a BS in Information Technology with a specialization in Information Assurance. It's long overdue. I started working full-time after I finished my AA degree ten years ago. I always meant to go back, but it's hard to do while working and even harder when you have kids. Box almost checked.<br />
<br />
I'm not sure what's next. I've been in my current role for six years and I'm ready for the next challenge. I'd like to stay in management and am looking for either a security management position or a general IT director type role. I work in higher ed right now, but I'm not set on that. My wife and I are willing to relocate if I find a good position, but we want to live someplace warm where we can afford to buy a house with a yard. We'd prefer to stay in California, but we're open to Texas or a few other places. <br />
<br />
Once I get settled into a new position, I'd like to write a security book. I have some material already, but that's all I'm going to say for now. <br />
<br />
After that, I might pursue a master's degree. I think it would be useful to have, but I learn a lot more on my own than I do in class. I go a hell of a lot faster too. Once I get some other things taken care of, perhaps I'll check that box too.<br />
<br />
<br />
<b>Password Expiration</b> (Steven, 2012-09-27)<br />
<br />
One common bit of advice with respect to security is to require frequent password changes. This "best practice" has persisted for decades despite some <a href="http://www.cerias.purdue.edu/site/blog/post/password-change-myths/">prominent</a> <a href="https://www.cs.columbia.edu/~smb/papers/01588836.pdf">criticism</a>. But, is password expiration actually helpful or not?<br />
<br />
<b>Are there benefits?</b><br />
<div class="MsoNormal">
<br />
Password expiration has a negligible effect on limiting or preventing malicious behavior. The ability to steal passwords often implies privileged access to your systems or network. If the attacker has administrator rights, access to the password database or the ability to sniff traffic on your network, he can install a backdoor or continuously steal passwords in order to avoid the expiration window. That’s assuming he even needs continued access to accomplish his goal. If the attacker only needs short-term access, which is often the case, password expiration is irrelevant.</div>
<div class="MsoNormal">
<br />
<a name='more'></a></div>
<div class="MsoNormal">
In what circumstances will expiring an account password actually stop an attacker? What threat model does password expiration protect against? One possibility is that an attacker wants to steal credentials so that he can resell them (e.g. passwords from a banking website). With a short expiration (e.g. 60 days), the value of the passwords would depreciate quickly and some of the passwords might expire before the buyer is able to make use of them. But, this assumes some disorganization on the part of the buyer or seller. If the seller is able to pass the data on quickly and the buyer is organized and ready, the expiration will have a very minimal impact on their operation.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Another (almost) positive case for password expiration is to limit damage where a single password has been compromised using some method that doesn't provide another avenue for continued access by the attacker. For instance, a user might have shared his password with another user against company policy. Forcing password expiration would ensure some limit on the time period over which the second user could share the account. But, password expiration is a pretty poor way to combat this. There is nothing preventing the user from sharing his password a second time or preventing the second user from doing damage before the password expires. The better approach is to hold users responsible for their own accounts. Users are less likely to share passwords if they know that their account activity is logged/tracked and that they are liable.</div>
<div class="MsoNormal">
<br />
In other cases, there is even less of a benefit. If the attacker just wants to steal the data on your systems, the passwords are only relevant to the extent that they help him get to the data. Once he has the data, the passwords don’t matter. If he wants to use the passwords to break into other sites, he doesn’t care about the expiration policy at your site. If the attacker wants to deface your website or use your network to launch an attack against someone else, he probably doesn’t plan on having long-term access. If the attacker wants to maintain access to the system--and inexplicably has no other way of maintaining his access--he only needs to re-steal the passwords about once a month with a 60-day expiration window.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Even when we have a situation where expiration is potentially helpful, it may not help. About 41% of the time, an attacker can crack a password in <a href="http://cs.unc.edu/~fabian/papers/PasswordExpire.pdf">just a few seconds</a> if he knows a user's previous password. Storing password histories could make this even weaker.</div>
<div class="MsoNormal">
So password expiration helps to limit the time frame in which an attacker can do damage after discovering a single password when the user is not one of the 41% whose passwords are easily predictable based on previous passwords and when the attacker also has no way to discover additional passwords, gain administrator rights, or otherwise secure further access to the system. That's a pretty narrow benefit.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Negative consequences</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It gets worse. Frequent password expiration encourages users to pick <a href="https://www.cs.columbia.edu/~smb/papers/01588836.pdf">weaker</a> <a href="http://cs.unc.edu/~fabian/papers/PasswordExpire.pdf">passwords</a> and/or <a href="http://hornbeam.cs.ucl.ac.uk/hcs/people/documents/Angela%20Publications/1999/p40-adams.pdf">write them down</a>*. That means we have to weigh any potential benefit from password expiration against the negative consequences of poorer password selection and management. If the user writes his password down and stores it in an insecure location, it is vulnerable to any local attacker (e.g. malicious insiders).</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Using the <a href="http://en.wikipedia.org/wiki/Password_strength#NIST_Special_Publication_800-63">NIST guidelines</a> for password strength, every character of a password has at least one bit of entropy. If a user picks a password that is even one character shorter than he would have with a longer-term password, the time to crack that password is, at the minimum, cut in half. The NIST guidelines are pretty conservative. If users select passwords that are more random, then the consequence of weaker password selection due to expiration is greater. Removing a random character from a password makes that password dozens of times easier to crack. Reducing the character set is similar or worse. If a user picks passwords in some predictable sequence or pattern to cope with the burden of expiration, his password selection may be thousands or millions of times weaker.<br />
<br />
Even without considering user frustration and support costs, expiration looks like a bad deal.
<br />
<br />
Note: I'm not opposed to people writing passwords down or storing them. I think that using a password manager or writing passwords down and storing them in a secure location is a positive thing if it helps people to choose better passwords and avoid reusing passwords. But, this requires some education. Most users who are writing passwords down because they find the expiration policy too onerous are likely to stick them in an unlocked drawer, under their keyboard, or on a post-it near their monitor; that's bad.
</div>
<br />
<b>A note on password math</b> (Steven, 2012-09-26)<br />
<br />
<div class="MsoNormal">
The number of possible passwords with a character set of size <i>C</i> and a password length <i>x</i> is <i>C<sup>x</sup></i>. For instance, with mixed case alphanumeric passwords we have a character set that has 62 possible characters: 26 lower case letters, 26 upper case letters and 10 numbers (<i>26 + 26 + 10 = 62</i>). If a password is 8 characters long, there are <i>62<sup>8</sup> = 62 ∙ 62 ∙ 62 ∙ 62 ∙ 62 ∙ 62 ∙ 62 ∙ 62</i> possible combinations.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
If there are <i>P</i> possible passwords and we can guess <i>G</i> passwords per second, then it will take us <i>P ÷ G</i> seconds to guess all possible passwords. Since there are 86,400 seconds in a day, the number of days that it will take us is <i>P ÷ (G ∙ 86,400)</i> and the number of years is <i>P ÷ (G ∙ 86,400 ∙ 365)</i>.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The number of guesses that an attacker can make per second depends mostly on the password hashing algorithm. For a fast algorithm like MD5, a reasonable cracking speed is several billion guesses per second. For bcrypt or scrypt, a reasonable speed might be from a few hundred to a few thousand guesses per second.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Example:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Number of possible 8 character mixed-case alphanumeric passwords = 62<sup>8</sup> = 218,340,105,584,896</div>
<div class="MsoNormal">
Seconds to guess all possible passwords (1 billion per second) = 62<sup>8</sup> ÷ 1,000,000,000 = <i>218,340 seconds</i>.</div>
<div class="MsoNormal">
Days to guess all possible passwords = <i>218,340 ÷ 86,400 = 2.523 days</i>.</div>
<div class="MsoNormal">
Years to guess all possible = <i>2.523 ÷ 365 = .007 years</i></div>
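The arithmetic above carried through in code: an added Python example, not code from the original post. The charset sizes and the two guess rates are the post's own ballpark figures (rounded, not measured) and the range of lengths in the table is constructed; the last function also shows, as the Password Expiration post argues, how much dropping a single character shrinks the search.<br />

```python
"""Password keyspace and exhaustive-search time, using the post's formulas.

Added example, not code from the original post. Guess rates are the post's
ballpark figures (not measurements); the charset sizes are constructed.
"""

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365

# Character-set sizes C. Mixed-case alphanumeric is the post's 26 + 26 + 10.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed-case letters": 52,
    "mixed-case alphanumeric": 62,
    "printable ASCII": 95,
}

# Guesses per second G, per the post: a fast unsalted hash vs. a stretched one.
GUESS_RATES = {
    "MD5/SHA-1 (one iteration)": 1_000_000_000,
    "bcrypt/scrypt": 1_000,
}


def keyspace(charset_size: int, length: int) -> int:
    """P = C^x: the number of possible passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(possible: int, guesses_per_second: int) -> float:
    """P / G: seconds to try every possible password."""
    return possible / guesses_per_second


def days_to_exhaust(possible: int, guesses_per_second: int) -> float:
    """P / (G * 86,400)."""
    return possible / (guesses_per_second * SECONDS_PER_DAY)


def years_to_exhaust(possible: int, guesses_per_second: int) -> float:
    """P / (G * 86,400 * 365)."""
    return possible / (guesses_per_second * SECONDS_PER_DAY * DAYS_PER_YEAR)


def shortening_factor(charset_size: int, chars_removed: int = 1) -> int:
    """How many times smaller the keyspace gets when a password loses
    `chars_removed` characters from the same charset: C^x / C^(x-k) == C^k."""
    return charset_size ** chars_removed


def crack_time_table(charset_size: int, lengths, guesses_per_second: int) -> dict:
    """Map each length to (keyspace, days, years) at the given guess rate."""
    table = {}
    for length in lengths:
        p = keyspace(charset_size, length)
        table[length] = (
            p,
            days_to_exhaust(p, guesses_per_second),
            years_to_exhaust(p, guesses_per_second),
        )
    return table


if __name__ == "__main__":
    c = CHARSETS["mixed-case alphanumeric"]
    for name, rate in GUESS_RATES.items():
        print(f"\n{name}: {rate:,} guesses/second")
        for length, (p, days, years) in crack_time_table(c, range(6, 13), rate).items():
            print(f"  length {length:2d}: {p:>25,} passwords"
                  f"  {days:>16,.3f} days  {years:>14,.4f} years")
    print(f"\nDropping one character from a {c}-character set shrinks the "
          f"search by a factor of {shortening_factor(c)}.")
```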
<br />
<b>Salted vs Unsalted</b> (Steven, 2012-09-14)<br />
<br />
A lot of people seem to think that it's <a href="http://www.theregister.co.uk/2012/06/07/linkedin_admits_data_breach/">okay</a> to use something like salted SHA-1, without any <a href="http://en.wikipedia.org/wiki/Key_stretching">key</a> <a href="http://bugcharmer.blogspot.com/2012/09/password-basics.html">stretching</a>, as a password hash. The following graphic shows how many guesses an attacker would be able to make per user on a daily or monthly basis assuming that he can make either one thousand or one billion guesses per second. One thousand guesses per second indicates a password hash such as <a href="http://static.usenix.org/event/usenix99/provos.html">bcrypt</a> or <a href="http://en.wikipedia.org/wiki/PBKDF2">PBKDF2</a> that includes stretching to slow down the hash. One billion guesses per second is a reasonable estimate for a single iteration of MD5 or SHA-1 (depending on your hardware).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1R3sGy8n4E3ibnxBrghFYt_xQK38OW1YQeo1Q15tmeBYcG-PnIy8_vswxDpJPb8VDZOVNTMUzpvXiCUTtODGbHWHeI2BY3SV2DLEVU4UrY_DHmuTDJf1jUFe0uqbaNcMp9zX6t1XTP9c/s1600/Salted+vs+Unsalted+(monthly).png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1R3sGy8n4E3ibnxBrghFYt_xQK38OW1YQeo1Q15tmeBYcG-PnIy8_vswxDpJPb8VDZOVNTMUzpvXiCUTtODGbHWHeI2BY3SV2DLEVU4UrY_DHmuTDJf1jUFe0uqbaNcMp9zX6t1XTP9c/s320/Salted+vs+Unsalted+(monthly).png" width="320" /></a></div>
<div style="text-align: center;">
Click for full-size</div>
<br />
It should be obvious that salting is <a href="http://gpuscience.com/cs/cracking-salted-sha1-password-hashes-on-gpu/">not enough</a>. Even with a site that has 10 million users, an attacker can make millions of guesses per user per day against salted SHA-1* or MD5. A strong password hash literally makes password cracking a million times harder. If an attacker can only guess a handful of passwords per day, per user, then any user with a password that isn't his name, username, or on one of the worst passwords lists is probably going to be okay. There is some safety in numbers.<br />
<br />
If an attacker targets a single account, he can still make millions of guesses per day, even with a strong password hash. There is no safety in numbers once the attacker is focused on you. Pick good passwords.<br />
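The per-user guess budget behind the graphic, as an added Python example rather than the post's own spreadsheet: the two guess rates are the post's figures, while the 30-day "month" and the list of user counts are assumptions made here.<br />

```python
"""Per-user guess budget, salted vs. unsalted, at the post's two guess rates.

Added example, not code from the original post. The 30-day month and the
user-count grid are constructed assumptions; the guess rates are the post's.
"""

SECONDS_PER_DAY = 86_400
DAYS_PER_MONTH = 30  # assumption for the "monthly" view

GUESS_RATES = {
    "bcrypt/PBKDF2 (stretched)": 1_000,
    "MD5/SHA-1 (one iteration)": 1_000_000_000,
}
USER_COUNTS = [10_000, 100_000, 1_000_000, 10_000_000]


def guesses_per_user(guesses_per_second: int, users: int, salted: bool,
                     days: int = 1) -> float:
    """Guesses an attacker can aim at each account over `days` days.

    Salted: every guess has to be hashed with one user's salt, so the whole
    budget G * 86,400 * days is divided among `users` accounts.
    Unsalted: one hash of a candidate can be compared against every stored
    hash at once, so each account effectively faces the whole budget no
    matter how many users there are.
    """
    budget = guesses_per_second * SECONDS_PER_DAY * days
    return budget / users if salted else float(budget)


def stretching_advantage(fast_rate: int, slow_rate: int) -> float:
    """How many times fewer guesses per user a stretched hash allows than a
    fast one. The user count cancels, so this holds for any site size."""
    return fast_rate / slow_rate


def budget_table(days: int = 1) -> dict:
    """{(rate_name, users): (salted_per_user, unsalted_per_user)} over `days`."""
    table = {}
    for name, rate in GUESS_RATES.items():
        for users in USER_COUNTS:
            table[(name, users)] = (
                guesses_per_user(rate, users, salted=True, days=days),
                guesses_per_user(rate, users, salted=False, days=days),
            )
    return table


if __name__ == "__main__":
    for label, days in (("daily", 1), ("monthly", DAYS_PER_MONTH)):
        print(f"\nGuesses per user, {label}:")
        for (name, users), (salted, unsalted) in budget_table(days).items():
            print(f"  {name:<26} {users:>11,} users: "
                  f"salted {salted:>18,.0f}   unsalted {unsalted:>22,.0f}")
    print(f"\nStretching makes salted cracking "
          f"{stretching_advantage(1_000_000_000, 1_000):,.0f}x harder per user.")
    # A single targeted account gets the whole budget either way.
    print(f"One targeted account, bcrypt: "
          f"{guesses_per_user(1_000, 1, salted=True):,.0f} guesses/day")
```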
<br />
* I used SHA-1 as an example because it's common. The SHA-2 family are stronger cryptographic hashes, but they don't provide any significant benefit beyond SHA-1 for password hashing.<br />
<br />
Edit: I'd like to point out that, for simplicity, these numbers do not factor in the number of passwords that are actually cracked along the way. <br />
<br />
Edit #2: I expanded the graphic to include user counts of 10k, 100k, and 10M. Thank you <a href="https://twitter.com/solardiz">Solar Designer</a> for the suggestion.<br />
<br />
<br />
<b>Password Basics</b> (Steven, 2012-09-13)<br />
<br />
This post is a brief introduction to passwords. All of my other posts assume some prerequisite knowledge that may make them inaccessible. If you already know about password cracking, hash functions, salting, and stretching, you can probably skip this post or perhaps just skim it. If those concepts are new to you, you're in the right place.<br />
<br />
Please post any questions you have in the comments. I will try to answer questions and/or update this post as required.<br />
<br />
Most operating systems and web applications authenticate people using passwords. In order for this to work, the server (or application) has to store some information that will allow it to validate the password. One way to accomplish this would be to just store the passwords in plain text, but this would be a big problem if the password file or database was ever stolen. The solution most systems use is to hash the passwords.<br />
<br />
<a name='more'></a><b>Hashes</b><br />
<br />
A hash is a one-way function that produces a fixed-size output. Hashes are often used in programming to index and look up data, but those hashes aren't useful for cryptography because it's easy to invert them or to find two inputs with the same hash value. A cryptographic hash, however, is designed so that given a hash value <i>y</i>, it's computationally difficult to find a message <i>x</i> such that <i>hash(x) = y</i>. There are some additional properties that are important for other uses in cryptography, but for passwords this is the one we care about.<br />
<br />
By storing hashes instead of passwords, we can minimize the impact of an attacker stealing the password database, since he (usually) won't be able to log in directly using the hashes. Unfortunately, there are some problems with using an ordinary cryptographic hash for passwords. The first problem is that we can easily tell if two users have the same password. Suppose we have two users, Alice and Bob, who have these entries in the password file:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">alice:425b7f90de888a65a6fb223397a470eaefb387ad</span><br />
<span style="font-family: "Courier New",Courier,monospace;">bob:425b7f90de888a65a6fb223397a470eaefb387ad</span><br />
<br />
Even without knowing what their password is, we know they picked the same one. If an attacker cracks (guesses) Alice's password, he will also crack Bob's and vice-versa. This indicates that Alice and Bob probably didn't pick good passwords since if they picked them randomly there is almost no chance that they would pick the same password. An attacker can also try to match this hash against hashes taken from another site or against a list of hashes he has previously cracked. This is not good, but it's not the biggest problem.<br />
<br />
<b>Password Cracking</b><br />
<br />
Before we get to the other problems, we need to understand <a href="http://arstechnica.com/security/2012/08/passwords-under-assault/">password</a> <a href="http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords">cracking</a>. Password cracking is the term we use for trying to guess other people's passwords. An attacker can try to do this <b>online</b> or <b>offline</b>. An online attack is easier but less effective: the attacker just tries to log in as a user over and over until he gets locked out or guesses the right password. This is <b>very slow</b> (tens of guesses per second), but it can work if the passwords are badly chosen. It's also noisy because it can generate log entries or affect the target system, so someone might notice. Another downside, for the attacker and the defender, is that the attacker may just end up locking a bunch of accounts.<br />
<br />
Instead of locking accounts after 3-5 failed login attempts, sites would do much better to just delay or rate limit login attempts so that a user or attacker has to wait a few seconds after each failed attempt. This prevents accounts from getting locked out and still makes online guessing hard for an attacker. Using CAPTCHA forms can be useful for preventing automated attacks, but they are difficult for users too. If you use CAPTCHA, only require it after a few failed login attempts. This will keep it away from legitimate users most of the time.<br />
<br />
If the attacker is able to get access to the password hashes, however, he can try an offline attack. Offline attacks are <b>very, very fast</b> (millions or billions of guesses per second).<br />
<br />
Once the attacker has the hashes, he can launch his offline attack using programs like <a href="http://www.openwall.com/john/">John the Ripper</a>, <a href="http://www.oxid.it/cain.html">Cain and Abel</a>, <a href="https://www.cryptohaze.com/">Cryptohaze</a> or <a href="http://hashcat.net/oclhashcat-plus/">oclHashcat </a>to crack the hashes. The programs work by making password guesses, hashing each guess, and comparing the hash to the actual password hashes. Early on, most of the cracking programs were pretty simple. They'd either guess by brute-force ("aaaa", "aaab", "aaac", etc.) or iterate through a large word list. The current programs are much more complex and can apply complex rules and manipulations to word lists in order to guess a wider range of passwords. Brute force guessing can use statistical rules and patterns to decide which password to guess next.<br />
<br />
Getting access to the password hashes is more difficult, but it's definitely possible. There were several high-profile disclosures earlier this year where someone was able to steal a large number of password hashes from a website (e.g. LinkedIn). Many of these are due to an attack called <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>. Many websites depend on databases to store content and account information. To access these back end databases, they use SQL queries. Attackers can sometimes use SQL injection attacks to execute their own custom queries, which allows them to access data they would not ordinarily have access to (e.g. password hashes). Websites aside, it is also possible to steal password hashes from Unix/Linux or Windows, but this generally requires root or administrator access. On Linux and Unix, password hashes are typically stored in /etc/shadow or /etc/passwd. On Windows networks, password hashes are stored in Active Directory or the local registry rather than a human-readable file, but there are tools available to steal them (they require Administrator rights).<br />
<br />
<b>Password Cracking Example</b><br />
<br />
Let's pretend we've just used SQL injection to steal the passwords from a fantasy football site. Among the hashes, we have our friend Alice:<br />
<i><span style="font-family: "Courier New",Courier,monospace;"><br /></span></i>
<span style="font-family: "Courier New",Courier,monospace;">alice:425b7f90de888a65a6fb223397a470eaefb387ad</span><br />
<br />
The hash is 160-bits long (40 hex characters) which means it's probably SHA-1. Since it's a fantasy football site, let's start with a list of football-related words and passwords:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">touchdown</span><br />
<span style="font-family: "Courier New",Courier,monospace;">manning</span><br />
<span style="font-family: "Courier New",Courier,monospace;">nosaints</span><br />
<span style="font-family: "Courier New",Courier,monospace;">go49ers</span><br />
<span style="font-family: "Courier New",Courier,monospace;">superbowl</span><br />
<br />
I wrote a small script to hash each of these guesses and compare it to Alice's password. Here's the output:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">Cracking: alice:425b7f90de888a65a6fb223397a470eaefb387ad<br /><br />No match: touchdown<br />No match: manning<br />No match: nosaints<br />Match: go49ers:425b7f90de888a65a6fb223397a470eaefb387ad</span><br />
<br />
We cracked Alice's password and she happens to be a 49ers fan. We also cracked Bob's password since he had the same hash. In reality, a password cracker would not be this verbose, but my example illustrates the basic concept. <br />
<br />
<b>More Problems</b><br />
<br />
I've pointed out that two users with the same password will have the same hash, but this is actually a minor part of a larger problem. Since hashing with an ordinary cryptographic hash function is deterministic (the output is always the same for a given input), an attacker can attack every user at once. Let's say a website has a million users. It would take a very long time to try to crack a million accounts individually. Even if an attacker only spent one minute on each account before giving up, it would take two years to get through the whole list. But an attacker doesn't have to do that. He can sort the hashes, and for each guess he just needs to do a quick search to see if his guess is anywhere in the list. For a small list, the overhead is minuscule. For millions of users, it might cut his speed in half, but that's a pretty small penalty compared to the time it would take to check each user individually.<br />
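To make the "attack every user at once" point concrete, here is an added example (mine, not the script from the post) that builds a small constructed password file of unsalted SHA-1 hashes, shows that identical hashes expose identical passwords, and checks the post's five-word list against every user with one hash computation per guess. The user names, passwords and hashes are made up and computed inline; they are not the hashes shown in the post.<br />

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, hex-encoded, as in the post's examples."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample password file (user -> unsalted SHA-1). The hashes are
# computed here from made-up passwords; they are not the hashes from the post.
SAMPLE_RECORDS = {
    "alice": sha1_hex("go49ers"),
    "bob": sha1_hex("go49ers"),
    "carol": sha1_hex("touchdown"),
    "dave": sha1_hex("correct horse battery staple"),  # absent from the wordlist
}

# The post's small football-themed wordlist.
WORDLIST = ["touchdown", "manning", "nosaints", "go49ers", "superbowl"]


def index_by_hash(records):
    """Invert user -> hash into hash -> [users]. With a deterministic hash,
    equal passwords collapse onto one key, which is what lets a single guess
    be checked against everyone."""
    by_hash = {}
    for user, digest in records.items():
        by_hash.setdefault(digest, []).append(user)
    return by_hash


def shared_passwords(records):
    """Users whose stored hashes coincide (and therefore whose passwords do)."""
    return {d: users for d, users in index_by_hash(records).items() if len(users) > 1}


def check_wordlist(records, wordlist):
    """Return (user -> recovered password, number of hash computations).
    Each guess costs one hash and one dictionary lookup no matter how many
    users are in the file; that is the cost the post describes."""
    by_hash = index_by_hash(records)
    recovered = {}
    hash_calls = 0
    for guess in wordlist:
        hash_calls += 1
        for user in by_hash.get(sha1_hex(guess), []):
            recovered[user] = guess
    return recovered, hash_calls


if __name__ == "__main__":
    for digest, users in shared_passwords(SAMPLE_RECORDS).items():
        print(f"same hash {digest}: {', '.join(users)}")
    found, calls = check_wordlist(SAMPLE_RECORDS, WORDLIST)
    print(f"{len(found)} of {len(SAMPLE_RECORDS)} users recovered "
          f"with {calls} hash computations")
    for user, password in found.items():
        print(f"  {user}: {password}")
```

The count returned by <i>check_wordlist</i> stays at the size of the wordlist whether the file holds four users or four million; the per-user work is a dictionary lookup, not a hash. That is the property salting removes.<br />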
<br />
An attacker can also precompute hashes to save time later. This is the idea behind the now famous <a href="http://lasec.epfl.ch/pub/lasec/doc/Oech03.pdf">rainbow</a> <a href="http://bugcharmer.blogspot.com/2012/06/rainbow-tables-not-considered-harmful.html">tables</a>. With ordinary precomputation, an attacker would have to store every hash value, which quickly becomes problematic. With rainbow tables, he can generate "hash chains" and only store the first and last value in the chain, which reduces the storage by a factor of a thousand or more. Looking up a hash in a rainbow table takes a minute or two, whereas a brute-force attack could take days or longer (depending on the strength of the password). The details are beyond the scope of this post, but you can read a basic description in my ;login: <a href="http://bugcharmer.blogspot.com/2012/06/introduction-to-password-protection.html">article</a> (from 2004) or the details in the <a href="http://lasec.epfl.ch/pub/lasec/doc/Oech03.pdf">original paper</a> by Philippe Oechslin.<br />
<br />
The other big problem is that cryptographic hashes are designed to be fast. They need to be implemented in smart cards or used on networks without introducing any noticeable latency. For other purposes, that's fine but for passwords it's the opposite of what we want. With algorithms like MD5 and SHA-1, password crackers can make tens of millions of guesses per second using a fast CPU. More recently, GPU-based password cracking has come into fashion. GPU password crackers like oclHashcat and Cryptohaze can try billions of passwords per second for these algorithms. To withstand an attack like that, users may have to pick passwords that are <a href="http://bugcharmer.blogspot.com/2012/06/how-long-should-passwords-be.html">14-15 characters long</a>.<br />
<br />
<b>Solutions (Salting and Stretching)</b><br />
<br />
The solutions to the problems I've pointed out are <a href="http://en.wikipedia.org/wiki/Salt_%28cryptography%29">salting</a> and <a href="http://en.wikipedia.org/wiki/Key_stretching">stretching</a>. Salting means adding a random value to every password before it is hashed. The salt is <b>not</b> a secret. The salt value is randomly generated each time a new password is set and is stored with the password hash. This means that attackers can't precompute hashes, can't use rainbow tables, and can't attack every user at once. With a large (e.g. 128-bit) salt, the attacker will have to try to crack each user's hash individually. Even if an attacker only spent one minute per user before giving up, it would take about two years to try to crack the hashes for a million users.<br />
<br />
Here's what Alice and Bob's passwords look like with a salt:<br />
<span style="font-family: "Courier New",Courier,monospace;"><br /></span>
<span style="font-family: "Courier New",Courier,monospace;">alice:190db5882ce03b6d16414a3fbbf63d22.a8dd428638791fc0c5ac9f128b1e8a5cab8c3d5b<br />bob:a9c9c692e5c0cab7656e103bd64885de.245cc7b0b8b93a69244fe92df792c89075bd198832</span><br />
<br />
The new hash is much longer. The 32 characters before the period are the random 128-bit salts. The 40 characters after are the 160-bit SHA-1 hashes. You should notice that the salts and hashes are different for Alice and Bob. Now, cracking Alice's password does not give out any information about Bob.<br />
<br />
Stretching means slowing down the hashing algorithm so that password cracking becomes very slow even for a single hash. Some password hashing algorithms, such as md5crypt and <a href="http://en.wikipedia.org/wiki/PBKDF2">PBKDF2</a>, use a cryptographic algorithm and iterate it thousands of times. The Unix <a href="https://info.aiaa.org/tac/isg/SOFTC/Public%20Documents/Technical%20Working%20Groups/Cyber%20Security/Password%20Security%20A%20case%20Study.pdf">crypt</a> algorithm only used 25 iterations of a modified DES algorithm, but that's a lot on a <a href="http://en.wikipedia.org/wiki/PDP-11">PDP-11</a>. Other password hashing algorithms such as <a href="http://static.usenix.org/event/usenix99/provos/provos.pdf">bcrypt</a> and <a href="http://www.tarsnap.com/scrypt/scrypt.pdf">scrypt</a> aren't as straightforward. I talk about some of these algorithms in the ;login <a href="http://c59951.r51.cf2.rackcdn.com/4902-1103-alexander.pdf">article</a> I mentioned previously.<br />
<br />
<b>Disclaimer</b>: I no longer stand by the advice I gave at the end of the ;login article. Password expiration, for instance, is worthless. Read the article for the technical bits and skip the ending.<br />
<br />
If you need to pick a password hashing algorithm, I recommend scrypt, bcrypt, or PBKDF2. I prefer them in the order I listed them, but you can safely use whatever is supported in your environment/library.<br />
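Here is an added example (mine, not code from the post) covering both the salting section above and the stretching recommendation. The first pair of functions writes and verifies records in the post's "salt.hash" layout (32 hex characters of 128-bit salt, a period, 40 hex characters of SHA-1); the post does not say how salt and password are combined, so hashing salt followed by password is an assumption. The second pair does the same with PBKDF2-HMAC-SHA256 via the standard library, storing the iteration count in the record so the cost can be raised later; the 600,000 default is an assumed present-day work factor, not a number from the post, and the record layout is my own.<br />

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 16  # 128-bit salt, 32 hex characters, as in the post's records


def make_salted_sha1_record(password: str, salt: Optional[bytes] = None) -> str:
    """The post's 'salt.hash' layout. Hashing salt||password is an assumption;
    the post does not specify the combination."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}.{digest}"


def verify_salted_sha1(record: str, password: str) -> bool:
    salt_hex, digest = record.split(".", 1)
    candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Assumption: a present-day work factor for PBKDF2-HMAC-SHA256. The post only
# says "thousands" of iterations; raise this as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def make_pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS,
                       salt: Optional[bytes] = None) -> str:
    """Salt plus stretching. The algorithm name and iteration count are stored
    with the salt and derived key so old records can be recognised and upgraded."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record: str, minimum: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a lower cost than current policy.
    Re-hash on the next successful login, when the plaintext is in hand."""
    return int(record.split("$")[1]) < minimum


if __name__ == "__main__":
    # Alice and Bob pick the same password, as in the post; the records differ.
    for user in ("alice", "bob"):
        print(f"{user}:{make_salted_sha1_record('go49ers')}")
    rec = make_pbkdf2_record("go49ers")
    print("pbkdf2:", rec)
    print("verify correct:", verify_pbkdf2(rec, "go49ers"))
    print("verify wrong:  ", verify_pbkdf2(rec, "go49er"))
```

Two details worth keeping even if you swap PBKDF2 for bcrypt or scrypt: compare digests with <i>hmac.compare_digest</i> rather than <i>==</i> so the comparison time does not leak how many leading bytes matched, and keep the cost parameter in the stored record so <i>needs_rehash</i> can drive a gradual upgrade.<br />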
<br />
If you want to learn more about passwords, please check out the rest of my blog. These are good posts to start with:<br />
<br />
<a href="http://bugcharmer.blogspot.com/2012/06/passwords-attacks-and-threats.html">Passwords: Attacks and Threats</a><br />
<a href="http://bugcharmer.blogspot.com/2012/06/how-long-should-passwords-be.html">How long should passwords be?</a><br />
<br />
I also recommend this recent ArsTechnica article:<br />
<br />
<a href="http://arstechnica.com/security/2012/08/passwords-under-assault/">Why passwords have never been weaker--and crackers have never been stronger</a><br />
<br />
Edit: I updated this post to emphasize online versus offline guessing. Thanks for the recommendation <a href="https://twitter.com/thorsheim">@thorsheim</a>.<br />
<br />
<b>Password Complexity Requirements</b> (Steven, 2012-09-07)<br />
<br />
The issue of password complexity came up at work today, so I put together a small spreadsheet detailing how long it would take to crack unsalted passwords of a given length and how many passwords per day or year an attacker could expect to recover in an offline attack. I assumed that there are 10k users and that an attacker can guess 20 billion passwords per second. The speed estimate implies that the attacker is using a GPU-based password cracker such as CryptoHaze or oclHashCat and that the underlying hash is something fast like MD4 (Windows) or MD5 (many websites). Here's what the numbers look like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg45Wk1WkDepSTZKdDgLzBTfQ9v4LqpKDdEt41ulf-F6JydUp71D25n2OZHhYJRrY69yEvq1M3htS3QcAUBprRckscREbIXYuc7gMySnHOgdZFIGuAOtjkPTjDQAHOiej_tI5s0xmMKpe8/s1600/Password+Complexity.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg45Wk1WkDepSTZKdDgLzBTfQ9v4LqpKDdEt41ulf-F6JydUp71D25n2OZHhYJRrY69yEvq1M3htS3QcAUBprRckscREbIXYuc7gMySnHOgdZFIGuAOtjkPTjDQAHOiej_tI5s0xmMKpe8/s400/Password+Complexity.jpg" width="400" /></a></div>
<div style="text-align: center;">
Click so you can read it...</div>
<br />
<br />
<br />
I highlighted the lengths/complexities that would yield less than one password per day for an attacker. That's a pretty arbitrary requirement, but it seemed like an okay minimum. Your requirements may vary.<br />
<br />
The numbers indicate that passwords should be at least 10-12 characters long (depending on the character set), but they also assume truly random passwords. Since people do not actually pick random passwords, I'd add at least two to three characters which brings us up to 13-15 characters (again, depending on the character set). In order to avoid the increased support costs and general discontent that is likely to arise from requiring 15 character passwords, it's probably a much better idea to adopt a stronger password hash and/or two-factor authentication instead. With scrypt, bcrypt, or PBKDF2 (and reasonable cost values), seven and eight character passwords start to look pretty good again.<br />
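The spreadsheet itself is only available as an image, so here is an added example (mine, not the post's spreadsheet) that recomputes the kind of table it shows from the post's stated assumptions: 10k users and 20 billion guesses per second against a fast unsalted hash, with the "fewer than one password per day" threshold as the pass/fail mark. The expected-recovery model is my own: it assumes every user picked a uniformly random password and that the attacker walks the keyspace without repeats, so the expected number of accounts recovered in a day is the number of users times the fraction of the keyspace covered. The 10,000 guesses/second figure for a stretched, salted hash is an assumption to illustrate the closing sentence, not a number from the post, and the output will not match the spreadsheet cell for cell.<br />

```python
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Character-set sizes for the length/complexity rows.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}

# The post's assumptions: 10k users, 20 billion guesses/second against a fast,
# unsalted hash such as MD4 or MD5.
USERS = 10_000
FAST_HASH_RATE = 20_000_000_000
# Assumed, not from the post: a stretched hash (scrypt/bcrypt/PBKDF2 with a
# reasonable cost) that brings the same hardware down to 10,000 guesses/second.
SLOW_HASH_RATE = 10_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of possible passwords of exactly this length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Time to try every password of this length (worst case for one account)."""
    return keyspace(charset_size, length) / rate


def expected_cracks_per_day(charset_size, length, rate, users, salted=False):
    """Expected accounts recovered per day under the uniform-random model.
    Unsalted: every guess is checked against all users, so the fraction of the
    keyspace covered in a day applies to each user. Salted: the guess budget is
    split across users, so each user is attacked at rate/users."""
    per_user_rate = rate / users if salted else rate
    covered = min(1.0, per_user_rate * SECONDS_PER_DAY / keyspace(charset_size, length))
    return users * covered


def meets_policy(charset_size, length, rate, users, salted=False, max_per_day=1.0):
    """The post's threshold: fewer than one recovered password per day."""
    return expected_cracks_per_day(charset_size, length, rate, users, salted) < max_per_day


def human_time(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    print(f"{'charset':<18}{'len':>4}{'exhaust (fast)':>16}"
          f"{'cracks/day fast':>17}{'cracks/day slow+salt':>22}  ok?")
    for label, size in CHARSETS.items():
        for length in range(6, 16):
            fast = expected_cracks_per_day(size, length, FAST_HASH_RATE, USERS)
            slow = expected_cracks_per_day(size, length, SLOW_HASH_RATE, USERS, salted=True)
            ok = "yes" if meets_policy(size, length, FAST_HASH_RATE, USERS) else "no"
            print(f"{label:<18}{length:>4}"
                  f"{human_time(seconds_to_exhaust(size, length, FAST_HASH_RATE)):>16}"
                  f"{fast:>17.3g}{slow:>22.3g}  {ok}")
```

Under this model an eight-character lowercase password costs about ten seconds to exhaust at 20 billion guesses per second, so with unsalted fast hashes every one of the 10k users is expected to fall within a day; at the assumed 10,000 guesses per second against a salted, stretched hash the same length drops well below one expected recovery per day, which is the effect the last paragraph describes.<br />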