Use of a One-Way Hash with a Predictable Salt| ID: 760 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Class |
Description
The software uses a one-way cryptographic hash against an input
that should not be reversible, such as a password, but the software uses a
predictable salt as part of the input.
Extended DescriptionThis makes it easier for attackers to pre-compute the hash value using
dictionary attack techniques such as rainbow tables, effectively disabling
the protection that an unpredictable salt would provide.
Applicable PlatformsNone
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanism | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Use a cryptographic hash function that can be configured to change
the amount of computational effort needed to compute the hash, such as
the number of iterations ("stretching") or the amount of memory
required. Some hash functions perform salting automatically. These
functions can significantly increase the overhead for a brute force
attack, far more than standards such as MD5, which are intentionally
designed to be fast. For example, rainbow table attacks can become
infeasible due to the high computing overhead. Finally, since computing
power gets faster and cheaper over time, the technique can be
reconfigured to increase the workload without forcing an entire
replacement of the algorithm in use.Some hash functions that have one or more of these desired properties
include bcrypt, scrypt, and PBKDF2. While there is active debate about
which of these is the most effective, they are all stronger than using
salts with hash functions with very little computing overhead.Note that using these functions can have an impact on performance, so
they require special consideration to avoid denial-of-service attacks.
However, their configurability provides finer control over how much CPU
and memory is used, so it could be adjusted to suit the environment's
needs. | High | |
| Implementation | | Generate new salts using a strong random number generator with
unpredictable seeds. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-760 ChildOf CWE-903 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2008-4905 : Blogging software uses a hard-coded salt when calculating a password hash.
- CVE-2002-1657 : Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.
- CVE-2001-0967 : Server uses a constant salt when encrypting passwords, simplifying brute force attacks.
- CVE-2005-0408 : chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- Robert Graham .The Importance of Being Canonical. 2009-02-02.
- Thomas Ptacek .Enough With The Rainbow Tables: What You Need To Know About
Secure Password Schemes. 2007-09-10.
- James McGlinn .Password Hashing.
- Jeff Atwood .Rainbow Hash Cracking. 2007-09-08.
- .Rainbow table. Wikipedia. 2009-03-03.
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 9, "Creating a Salted Hash" Page
302'. Published on 2002.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 2, "Salt Values", Page 46.'. Published on 2006.
- B. Kaliski .RFC2898 - PKCS #5: Password-Based Cryptography Specification
Version 2.0. Published on 2000.
- Coda Hale .How To Safely Store A Password. 2010-01-31.
- Colin Percival .Tarsnap - The scrypt key derivation function and encryption
utility.
- Brian Krebs .How Companies Can Beef Up Password Security (interview with
Thomas H. Ptacek). 2012-06-11.
- Solar Designer .Password security: past, present, future. Published on 2012.
- Troy Hunt .Our password hashing has no clothes. 2012-06-26.
- Joshbw .Should we really use bcrypt/scrypt?. 2012-06-08.
