Reversible One-Way HashID: 328 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The product uses a hashing algorithm that produces a hash value
that can be used to determine the original input, or to find an input that can
produce the same hash, more efficiently than brute force
techniques.
Extended DescriptionThis weakness is especially dangerous when the hash is used in security
algorithms that require the one-way property to hold. For example, if an
authentication system takes an incoming password and generates a hash, then
compares the hash to another hash that it has stored in its authentication
database, then the ability to create a collision could allow an attacker to
provide an alternate password that produces the same target hash, bypassing
authentication.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|
Access_Control | Bypass protection
mechanism | |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and Design | | Use a cryptographic hash function that can be configured to change
the amount of computational effort needed to compute the hash, such as
the number of iterations ("stretching") or the amount of memory
required. Some hash functions perform salting automatically. These
functions can significantly increase the overhead for a brute force
attack, far more than standards such as MD5, which are intentionally
designed to be fast. For example, rainbow table attacks can become
infeasible due to the high computing overhead. Finally, since computing
power gets faster and cheaper over time, the technique can be
reconfigured to increase the workload without forcing an entire
replacement of the algorithm in use.Some hash functions that have one or more of these desired properties
include bcrypt, scrypt, and PBKDF2. While there is active debate about
which of these is the most effective, they are all stronger than using
salts with hash functions with very little computing overhead.Note that using these functions can have an impact on performance, so
they require special consideration to avoid denial-of-service attacks.
However, their configurability provides finer control over how much CPU
and memory is used, so it could be adjusted to suit the environment's
needs. | High | |
Architecture and Design | | Use a hash algorithm that is currently considered to be strong by
experts in the field. MD-4 and MD-5 have known weaknesses. SHA-1 has
also been broken. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-328 ChildOf CWE-903 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In both of these examples, a user is logged in if their given
password matches a stored password: (Demonstrative Example Id DX-101)
Observed Examples
- CVE-2006-4068 : Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
PLOVER | | Reversible One-Way Hash | |
References:
- Alexander Sotirov et al. .MD5 considered harmful today.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 2, "Common Vulnerabilities of Integrity", Page
47.'. Published on 2006.
- B. Kaliski .RFC2898 - PKCS #5: Password-Based Cryptography Specification
Version 2.0. Published on 2000.
- Coda Hale .How To Safely Store A Password. 2010-01-31.
- Colin Percival .Tarsnap - The scrypt key derivation function and encryption
utility.
- Brian Krebs .How Companies Can Beef Up Password Security (interview with
Thomas H. Ptacek). 2012-06-11.
- Solar Designer .Password security: past, present, future. Published on 2012.
- Troy Hunt .Our password hashing has no clothes. 2012-06-26.
- Joshbw .Should we really use bcrypt/scrypt?. 2012-06-08.