CWE

Reversible One-Way Hash

ID: 328		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Base

Description

The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

Extended Description

This weakness is especially dangerous when the hash is used in security algorithms that require the one-way property to hold. For example, if an authentication system takes an incoming password and generates a hash, then compares the hash to another hash that it has stored in its authentication database, then the ability to create a collision could allow an attacker to provide an alternate password that produces the same target hash, bypassing authentication.

Applicable Platforms
Language Class: All

Time Of Introduction

• Architecture and Design

Related Attack Patterns

• CAPEC-461
• CAPEC-68

Common Consequences

Scope	Technical Impact	Notes
Access_Control	Bypass protection mechanism

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Architecture and Design		Use a cryptographic hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack, far more than standards such as MD5, which are intentionally designed to be fast. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. Some hash functions that have one or more of these desired properties include bcrypt, scrypt, and PBKDF2. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.	High
Architecture and Design		Use a hash algorithm that is currently considered to be strong by experts in the field. MD-4 and MD-5 have known weaknesses. SHA-1 has also been broken.

Relationships

Related CWE	Type	View	Chain
CWE-328 ChildOf CWE-903	Category	CWE-888

Demonstrative Examples   (Details)

1. In both of these examples, a user is logged in if their given password matches a stored password: (Demonstrative Example Id DX-101)

Observed Examples

1. CVE-2006-4068 : Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
PLOVER		Reversible One-Way Hash

References:

1. Alexander Sotirov et al. .MD5 considered harmful today.
2. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 2, "Common Vulnerabilities of Integrity", Page 47.'. Published on 2006.
3. B. Kaliski .RFC2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0. Published on 2000.
4. Coda Hale .How To Safely Store A Password. 2010-01-31.
5. Colin Percival .Tarsnap - The scrypt key derivation function and encryption utility.
6. Brian Krebs .How Companies Can Beef Up Password Security (interview with Thomas H. Ptacek). 2012-06-11.
7. Solar Designer .Password security: past, present, future. Published on 2012.
8. Troy Hunt .Our password hashing has no clothes. 2012-06-26.
9. Joshbw .Should we really use bcrypt/scrypt?. 2012-06-08.