Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Sending the Password over network

Posted on 2013-11-26
10
Medium Priority
?
578 Views
Last Modified: 2013-12-02
In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password to send through the network ?

Beside the MITM attacks, can I prevent any brute force or dictionary attacks using complex and long password ?
0
Comment
Question by:rpgeegange
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 57

Expert Comment

by:McKnife
ID: 39680049
Please describe more detailed what you are using the password for. Send from where, send to whom, used for what, OS,...

About prevention: same. Please describe how an attacker could proceed in your setup.
0
 

Author Comment

by:rpgeegange
ID: 39680200
Thanks McKnife.

Client Application will send the password encrypted with SHA-512 using RC4 to the server through insecure network.

OS can be any. I'm worrying about the end-to-end communication. Not about how securely storing the password information in the server.

Attacks can be:
MITM, brute-force, dictionary, replay.
Attacker can sniff the traffic also.

TLS/SSL is not an option in my scenario.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39680461
Then you still want Diffie–Hellman http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange, which is the exchange of information in the face of the enemy.
Challenge response is another method but not a secure due to bruteforce possibilities or chosen response or downgrade attacks. IPSEC is built into windows, and other OS's, why not use that.
-rich
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 57

Expert Comment

by:McKnife
ID: 39680466
> Attacker can sniff the traffic also
He can? Has he physical access to the network switches or how does he do that?
About dictionary attacks - I have no idea how fast an attacker could try these passwords. Do you? What would he validate against and is there no anti-hammering/lockout in effect?
0
 

Author Comment

by:rpgeegange
ID: 39682562
"What would he validate against and is there no anti-hammering/lockout in effect?"
this statement is not clear to me.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39682614
How would a dictionary attack be done?
Would he have to extract some password hash? [so his attacks would have to validate against the pw hash]. Or would it be an attack against a system that might have incorporated protection against brute force attacks?

Think of someone trying to break a windows password using a script that tries to map a network share using thousands of tries like
net use x: \\server\share /user:username pw1
net use x: \\server\share /user:username pw2
...

[silly example, I know, but it should illustrate what I mean]
Here, breaking would not be possible if a lockout policy were active.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39682704
Sniff the challenge response, if any, and break that, it's done easily. Hence my hint at perfect forward secrecy, or use another protocol that has diffel hellman already like ipsec to encapsulate the traffic since SSL isn't available.
Snifing a hashed password is easy for offline guessing. having the account lockout after a few failed attempts is active guessing, and there should be a lockout for that if the author is making his/her own protocol.
-rich
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39683028
But can the attacker sniff? Are the conditions met?
0
 
LVL 3

Accepted Solution

by:
cristiantm earned 2000 total points
ID: 39683350
In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password to send through the network ?

Because an attacker would not need to know the password anymore to authenticate. It would just use the encrypted version of it in a reply attack if he manages to obtain it, with no need to decrypt it anymore.

Beside the MITM attacks, can I prevent any brute force or dictionary attacks using complex and long password ?

Prevent is a strong word in security. First, you do not prevent a brute force attack. A brute force attack is when you try everything, and well, if you have time enough it will succeed. What you can make is make it unfeasible for an attacker.

As other experts commented, you will need to consider both scenarios: offline and online attacks. For the online attack, exploring your login page, strong passwords combined with an lockout after some failed attempts should handle it well enough.

For offline attack, when the attacker manages to get the stored password on your database, a brute force will depend also on how you are protecting the data. Easy passwords stored just as a simple hash will be easily breakable using pre-computed hash tables (a.k.a. Rainbow Tables). Those tables consist on pre-computed hashes for subsets of possible passwords (e.g. alphanumeric passwords up to 15 characters sha-1 hashed). You will want to use salted hash for storing the password, that basically means to add some random data before hashing. This data is also stored on the database, so you can re-calculate the salted hash for password comparison - while the attacker will probably get the salt too, it will not have any pre-computed salted table and will need to do a full brute force attack, leaving the success depend only on the strongness of the password.

Then you still want Diffie–Hellman http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange, which is the exchange of information in the face of the enemy.

Warning: DH is not secure against MITM attacks too. An attacker could establish two DH communications with the parties and will not be detected. You nees an authenticated DH scheme for it, and well... then you are back to SSL :)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39683376
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
I'll be adding to it this weekend to cover the ever popular Rainbow Table scenarios and how hashes are obtained in various scenarios.
-rich
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Considering today’s continual security threats, which affect Information technology networks and systems worldwide, it is very important to practice basic security awareness. A normal system user can secure himself or herself by following these simp…
It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question