Solved

Sending the Password over network

Posted on 2013-11-26
10
561 Views
Last Modified: 2013-12-02
In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password to send through the network ?

Beside the MITM attacks, can I prevent any brute force or dictionary attacks using complex and long password ?
0
Comment
Question by:rpgeegange
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 39680049
Please describe more detailed what you are using the password for. Send from where, send to whom, used for what, OS,...

About prevention: same. Please describe how an attacker could proceed in your setup.
0
 

Author Comment

by:rpgeegange
ID: 39680200
Thanks McKnife.

Client Application will send the password encrypted with SHA-512 using RC4 to the server through insecure network.

OS can be any. I'm worrying about the end-to-end communication. Not about how securely storing the password information in the server.

Attacks can be:
MITM, brute-force, dictionary, replay.
Attacker can sniff the traffic also.

TLS/SSL is not an option in my scenario.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39680461
Then you still want Diffie–Hellman http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange, which is the exchange of information in the face of the enemy.
Challenge response is another method but not a secure due to bruteforce possibilities or chosen response or downgrade attacks. IPSEC is built into windows, and other OS's, why not use that.
-rich
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 55

Expert Comment

by:McKnife
ID: 39680466
> Attacker can sniff the traffic also
He can? Has he physical access to the network switches or how does he do that?
About dictionary attacks - I have no idea how fast an attacker could try these passwords. Do you? What would he validate against and is there no anti-hammering/lockout in effect?
0
 

Author Comment

by:rpgeegange
ID: 39682562
"What would he validate against and is there no anti-hammering/lockout in effect?"
this statement is not clear to me.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39682614
How would a dictionary attack be done?
Would he have to extract some password hash? [so his attacks would have to validate against the pw hash]. Or would it be an attack against a system that might have incorporated protection against brute force attacks?

Think of someone trying to break a windows password using a script that tries to map a network share using thousands of tries like
net use x: \\server\share /user:username pw1
net use x: \\server\share /user:username pw2
...

[silly example, I know, but it should illustrate what I mean]
Here, breaking would not be possible if a lockout policy were active.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39682704
Sniff the challenge response, if any, and break that, it's done easily. Hence my hint at perfect forward secrecy, or use another protocol that has diffel hellman already like ipsec to encapsulate the traffic since SSL isn't available.
Snifing a hashed password is easy for offline guessing. having the account lockout after a few failed attempts is active guessing, and there should be a lockout for that if the author is making his/her own protocol.
-rich
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39683028
But can the attacker sniff? Are the conditions met?
0
 
LVL 3

Accepted Solution

by:
cristiantm earned 500 total points
ID: 39683350
In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password to send through the network ?

Because an attacker would not need to know the password anymore to authenticate. It would just use the encrypted version of it in a reply attack if he manages to obtain it, with no need to decrypt it anymore.

Beside the MITM attacks, can I prevent any brute force or dictionary attacks using complex and long password ?

Prevent is a strong word in security. First, you do not prevent a brute force attack. A brute force attack is when you try everything, and well, if you have time enough it will succeed. What you can make is make it unfeasible for an attacker.

As other experts commented, you will need to consider both scenarios: offline and online attacks. For the online attack, exploring your login page, strong passwords combined with an lockout after some failed attempts should handle it well enough.

For offline attack, when the attacker manages to get the stored password on your database, a brute force will depend also on how you are protecting the data. Easy passwords stored just as a simple hash will be easily breakable using pre-computed hash tables (a.k.a. Rainbow Tables). Those tables consist on pre-computed hashes for subsets of possible passwords (e.g. alphanumeric passwords up to 15 characters sha-1 hashed). You will want to use salted hash for storing the password, that basically means to add some random data before hashing. This data is also stored on the database, so you can re-calculate the salted hash for password comparison - while the attacker will probably get the salt too, it will not have any pre-computed salted table and will need to do a full brute force attack, leaving the success depend only on the strongness of the password.

Then you still want Diffie–Hellman http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange, which is the exchange of information in the face of the enemy.

Warning: DH is not secure against MITM attacks too. An attacker could establish two DH communications with the parties and will not be detected. You nees an authenticated DH scheme for it, and well... then you are back to SSL :)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39683376
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
I'll be adding to it this weekend to cover the ever popular Rainbow Table scenarios and how hashes are obtained in various scenarios.
-rich
0

Featured Post

Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
Part Two of the two-part Q&A series with MalwareTech.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question