Solved

Sending the Password over network

Posted on 2013-11-26
10
534 Views
Last Modified: 2013-12-02
In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password to send through the network ?

Beside the MITM attacks, can I prevent any brute force or dictionary attacks using complex and long password ?
0
Comment
Question by:rpgeegange
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 39680049
Please describe more detailed what you are using the password for. Send from where, send to whom, used for what, OS,...

About prevention: same. Please describe how an attacker could proceed in your setup.
0
 

Author Comment

by:rpgeegange
ID: 39680200
Thanks McKnife.

Client Application will send the password encrypted with SHA-512 using RC4 to the server through insecure network.

OS can be any. I'm worrying about the end-to-end communication. Not about how securely storing the password information in the server.

Attacks can be:
MITM, brute-force, dictionary, replay.
Attacker can sniff the traffic also.

TLS/SSL is not an option in my scenario.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39680461
Then you still want Diffie–Hellman http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange, which is the exchange of information in the face of the enemy.
Challenge response is another method but not a secure due to bruteforce possibilities or chosen response or downgrade attacks. IPSEC is built into windows, and other OS's, why not use that.
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39680466
> Attacker can sniff the traffic also
He can? Has he physical access to the network switches or how does he do that?
About dictionary attacks - I have no idea how fast an attacker could try these passwords. Do you? What would he validate against and is there no anti-hammering/lockout in effect?
0
 

Author Comment

by:rpgeegange
ID: 39682562
"What would he validate against and is there no anti-hammering/lockout in effect?"
this statement is not clear to me.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 53

Expert Comment

by:McKnife
ID: 39682614
How would a dictionary attack be done?
Would he have to extract some password hash? [so his attacks would have to validate against the pw hash]. Or would it be an attack against a system that might have incorporated protection against brute force attacks?

Think of someone trying to break a windows password using a script that tries to map a network share using thousands of tries like
net use x: \\server\share /user:username pw1
net use x: \\server\share /user:username pw2
...

[silly example, I know, but it should illustrate what I mean]
Here, breaking would not be possible if a lockout policy were active.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39682704
Sniff the challenge response, if any, and break that, it's done easily. Hence my hint at perfect forward secrecy, or use another protocol that has diffel hellman already like ipsec to encapsulate the traffic since SSL isn't available.
Snifing a hashed password is easy for offline guessing. having the account lockout after a few failed attempts is active guessing, and there should be a lockout for that if the author is making his/her own protocol.
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39683028
But can the attacker sniff? Are the conditions met?
0
 
LVL 3

Accepted Solution

by:
cristiantm earned 500 total points
ID: 39683350
In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password to send through the network ?

Because an attacker would not need to know the password anymore to authenticate. It would just use the encrypted version of it in a reply attack if he manages to obtain it, with no need to decrypt it anymore.

Beside the MITM attacks, can I prevent any brute force or dictionary attacks using complex and long password ?

Prevent is a strong word in security. First, you do not prevent a brute force attack. A brute force attack is when you try everything, and well, if you have time enough it will succeed. What you can make is make it unfeasible for an attacker.

As other experts commented, you will need to consider both scenarios: offline and online attacks. For the online attack, exploring your login page, strong passwords combined with an lockout after some failed attempts should handle it well enough.

For offline attack, when the attacker manages to get the stored password on your database, a brute force will depend also on how you are protecting the data. Easy passwords stored just as a simple hash will be easily breakable using pre-computed hash tables (a.k.a. Rainbow Tables). Those tables consist on pre-computed hashes for subsets of possible passwords (e.g. alphanumeric passwords up to 15 characters sha-1 hashed). You will want to use salted hash for storing the password, that basically means to add some random data before hashing. This data is also stored on the database, so you can re-calculate the salted hash for password comparison - while the attacker will probably get the salt too, it will not have any pre-computed salted table and will need to do a full brute force attack, leaving the success depend only on the strongness of the password.

Then you still want Diffie–Hellman http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange, which is the exchange of information in the face of the enemy.

Warning: DH is not secure against MITM attacks too. An attacker could establish two DH communications with the parties and will not be detected. You nees an authenticated DH scheme for it, and well... then you are back to SSL :)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39683376
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
I'll be adding to it this weekend to cover the ever popular Rainbow Table scenarios and how hashes are obtained in various scenarios.
-rich
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now