Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Sending the Password over network

Posted on 2013-11-26
10
Medium Priority
?
569 Views
Last Modified: 2013-12-02
In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password to send through the network ?

Beside the MITM attacks, can I prevent any brute force or dictionary attacks using complex and long password ?
0
Comment
Question by:rpgeegange
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 39680049
Please describe more detailed what you are using the password for. Send from where, send to whom, used for what, OS,...

About prevention: same. Please describe how an attacker could proceed in your setup.
0
 

Author Comment

by:rpgeegange
ID: 39680200
Thanks McKnife.

Client Application will send the password encrypted with SHA-512 using RC4 to the server through insecure network.

OS can be any. I'm worrying about the end-to-end communication. Not about how securely storing the password information in the server.

Attacks can be:
MITM, brute-force, dictionary, replay.
Attacker can sniff the traffic also.

TLS/SSL is not an option in my scenario.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39680461
Then you still want Diffie–Hellman http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange, which is the exchange of information in the face of the enemy.
Challenge response is another method but not a secure due to bruteforce possibilities or chosen response or downgrade attacks. IPSEC is built into windows, and other OS's, why not use that.
-rich
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 56

Expert Comment

by:McKnife
ID: 39680466
> Attacker can sniff the traffic also
He can? Has he physical access to the network switches or how does he do that?
About dictionary attacks - I have no idea how fast an attacker could try these passwords. Do you? What would he validate against and is there no anti-hammering/lockout in effect?
0
 

Author Comment

by:rpgeegange
ID: 39682562
"What would he validate against and is there no anti-hammering/lockout in effect?"
this statement is not clear to me.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39682614
How would a dictionary attack be done?
Would he have to extract some password hash? [so his attacks would have to validate against the pw hash]. Or would it be an attack against a system that might have incorporated protection against brute force attacks?

Think of someone trying to break a windows password using a script that tries to map a network share using thousands of tries like
net use x: \\server\share /user:username pw1
net use x: \\server\share /user:username pw2
...

[silly example, I know, but it should illustrate what I mean]
Here, breaking would not be possible if a lockout policy were active.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39682704
Sniff the challenge response, if any, and break that, it's done easily. Hence my hint at perfect forward secrecy, or use another protocol that has diffel hellman already like ipsec to encapsulate the traffic since SSL isn't available.
Snifing a hashed password is easy for offline guessing. having the account lockout after a few failed attempts is active guessing, and there should be a lockout for that if the author is making his/her own protocol.
-rich
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39683028
But can the attacker sniff? Are the conditions met?
0
 
LVL 3

Accepted Solution

by:
cristiantm earned 2000 total points
ID: 39683350
In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password to send through the network ?

Because an attacker would not need to know the password anymore to authenticate. It would just use the encrypted version of it in a reply attack if he manages to obtain it, with no need to decrypt it anymore.

Beside the MITM attacks, can I prevent any brute force or dictionary attacks using complex and long password ?

Prevent is a strong word in security. First, you do not prevent a brute force attack. A brute force attack is when you try everything, and well, if you have time enough it will succeed. What you can make is make it unfeasible for an attacker.

As other experts commented, you will need to consider both scenarios: offline and online attacks. For the online attack, exploring your login page, strong passwords combined with an lockout after some failed attempts should handle it well enough.

For offline attack, when the attacker manages to get the stored password on your database, a brute force will depend also on how you are protecting the data. Easy passwords stored just as a simple hash will be easily breakable using pre-computed hash tables (a.k.a. Rainbow Tables). Those tables consist on pre-computed hashes for subsets of possible passwords (e.g. alphanumeric passwords up to 15 characters sha-1 hashed). You will want to use salted hash for storing the password, that basically means to add some random data before hashing. This data is also stored on the database, so you can re-calculate the salted hash for password comparison - while the attacker will probably get the salt too, it will not have any pre-computed salted table and will need to do a full brute force attack, leaving the success depend only on the strongness of the password.

Then you still want Diffie–Hellman http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange, which is the exchange of information in the face of the enemy.

Warning: DH is not secure against MITM attacks too. An attacker could establish two DH communications with the parties and will not be detected. You nees an authenticated DH scheme for it, and well... then you are back to SSL :)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39683376
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
I'll be adding to it this weekend to cover the ever popular Rainbow Table scenarios and how hashes are obtained in various scenarios.
-rich
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question