6 posts tagged 'hash'

  1. 2015.04.09 Cryptographic hash function algorithms
  2. 2012.06.11 6.5 Million LinkedIn Hacked Passwords
  3. 2010.12.01 Windows Credentials Editor v1.0
2015.04.09 19:43

Cryptographic hash function algorithms

Wikipedia, the free encyclopedia.

A cryptographic hash function is a type of hash function with the property that it is hard to work back from a hash value to a relationship with the original input. A cryptographic hash function must have the following properties.[1]

  • Preimage resistance: given a hash value, it is computationally hard to find an input that produces that hash value; that is, the function must be secure against first-preimage attacks. This property is related to one-way functions.
  • Second preimage resistance: given an input, it is computationally hard to find a different input that produces the same hash value; the function must be secure against second-preimage attacks.
  • Collision resistance: the function must be secure against hash collisions; it must be computationally hard to find any two inputs that produce the same hash value.

In other words, for a given input and its hash value, the function must resist attacks that modify the input without disturbing the hash value. A hash value with these properties can be used as a check that the original input has not been deliberately tampered with.

Some hash functions, such as the cyclic redundancy check (CRC), do not have the resistance required for cryptographic security: they detect accidental corruption, but deliberate modifications can be made in a way that goes undetected. For example, Wired Equivalent Privacy (WEP) uses a CRC as its cryptographic hash function, and cryptographic attacks that exploit this weakness of CRC have been shown to be possible.
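As an added illustration (not part of the Wikipedia text), the following Python code contrasts CRC32 with SHA-256: both detect an accidental single-bit error, but a birthday search over random short messages finds two distinct messages with the same CRC32 in well under a second, while the same search budget finds no SHA-256 collision. The `birthday_collision` helper, the 8-byte message size and the 300,000-message budget are my own choices.

```python
import hashlib
import random
import zlib


def crc32(msg: bytes) -> int:
    """Non-cryptographic checksum (the kind of function WEP relied on)."""
    return zlib.crc32(msg)


def sha256(msg: bytes) -> bytes:
    """Cryptographic hash: no feasible way to find collisions."""
    return hashlib.sha256(msg).digest()


def single_bit_flip_detected(hash_fn, msg: bytes) -> bool:
    """Accidental corruption (one flipped bit) changes the output of
    CRC32 and SHA-256 alike; this is all a checksum promises."""
    flipped = bytearray(msg)
    flipped[0] ^= 0x01
    return hash_fn(bytes(flipped)) != hash_fn(msg)


def birthday_collision(hash_fn, budget: int, seed: int = 0):
    """Draw random 8-byte messages until two distinct ones share a digest.
    Returns (m1, m2) on success or None once the budget is exhausted.
    A 32-bit CRC is expected to collide after roughly 2**16 draws; a
    256-bit hash will never collide within any budget we can afford."""
    rng = random.Random(seed)  # seeded so the demonstration is reproducible
    seen = {}
    for _ in range(budget):
        msg = rng.getrandbits(64).to_bytes(8, "big")
        digest = hash_fn(msg)
        if digest in seen and seen[digest] != msg:
            return seen[digest], msg
        seen[digest] = msg
    return None


if __name__ == "__main__":
    print("CRC32 collision pair :", birthday_collision(crc32, 300_000))
    print("SHA-256 collision pair:", birthday_collision(sha256, 300_000))
```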

Comparison of cryptographic hash functions

The most widely used hash functions are MD5 and SHA-1, but both are known to be insecure. In 2008 US-CERT announced that MD5 should no longer be used.[2] Also in 2008, NIST announced that it would stop using SHA-1 and move to SHA-2.[3]

In 2008 the US National Institute of Standards and Technology (NIST) opened a public competition for a new secure cryptographic hash function to be called SHA-3. As of August 2012 there are five SHA-3 candidates, and the final choice is expected to be made during 2012.[4]

The following is a list of well-known cryptographic hash function algorithms; some of them have since been shown to be insecure.

Source: Wikipedia

2012.06.11 19:41

6.5 Million LinkedIn Hacked Passwords

LinkedIn, one of the biggest professional social networks, has suffered a major breach of its user password database. The attack was confirmed on Wednesday afternoon by Vicente Silveira, Director at LinkedIn, and was followed by an apology to the affected LinkedIn users who now have a hacked password.

A file containing nearly 6.5 million hacked passwords was published on a Russian online forum. At first, no one was 100% sure where the passwords came from, but soon it became apparent that the passwords were associated with LinkedIn accounts.

“Many of the cracked passwords that have been published to the forum have the common term ‘LinkedIn’ in them,” security adviser Per Thorsheim told PCWorld. Sophos, the computer security software developer, came to the same conclusion when it noticed some of its own employees’ passwords on the hacked password list.

Imperva, a leading data security organisation, suspects that the breach may have exposed more than the reported 6.5 million accounts, because the published hacked password list does not include common, easy-to-guess passwords such as “123456”, and it also lists each password only once, so it does not reveal whether the same password was used for more than one account.

No other user information or data, such as email addresses, was included in the hacked password list, but it is likely that the hackers also have that information.

LinkedIn has already taken action – owners of the compromised passwords or with passwords that are considered to be at great risk of being decoded will be required to reset their password. LinkedIn will be sending emails to such users with instructions on how to reset their password, as well as an explanation of the security incident.

Poor Passwords

Many people use simple passwords such as ‘password’, ‘secret’ or ‘123456’. Some include the name of the website they are signing up to in the password itself, for example ‘1234LinkedIn’. Because such passwords are so common, they are very easy to guess once the hashes are known: an attacker hashes candidate passwords with the same algorithm and looks for matching values.

What is a Hashed Password?

The leaked LinkedIn passwords were hashed with the SHA-1 algorithm. SHA-1 converts a password into a long fixed-length value made up of digits and letters. For instance, the SHA-1 output for the text ‘AcunetixWVS’ will always be ‘e77a2fe8046bb6566c8a7adf782f0bbafa6e04c7’.

If LinkedIn had ‘salted’ users’ passwords, it would have been almost impossible to crack them. ‘Salting’ means adding an extra value (the salt) to the password before it is hashed, so that the salt becomes part of the calculation of the hashed value. This makes guessing a password much more difficult, as the ‘salt’ value must be discovered as well as the actual password.

Mary Landesman, senior security researcher at Cloudmark, a messaging security company, said that not salting passwords is considered to be poor practice. Since the attack, LinkedIn has put new security measures in place, including salting techniques, though it comes too late for those with exposed passwords.
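To make the salting point concrete, here is an added Python example (not from the Acunetix post): `unsalted_sha1` reproduces the unsalted SHA-1 storage the article describes, `new_salted_record` stores a random 16-byte salt alongside each user's hash, and the two `guessable_*` functions count how many hash computations a short list of common passwords costs in each case. The `COMMON_PASSWORDS` list is constructed from the weak passwords the article itself mentions.

```python
import hashlib
import os

# Constructed sample wordlist: the weak passwords the article itself cites.
COMMON_PASSWORDS = ["password", "secret", "123456", "1234LinkedIn"]


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, as in the leaked LinkedIn list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Salted variant: the per-user salt is part of the hashed input."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def new_salted_record(password: str) -> tuple:
    """The (salt, hash) pair a site would store for one user."""
    salt = os.urandom(16)
    return salt, salted_sha1(password, salt)


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare."""
    return salted_sha1(password, salt) == stored


def guessable_unsalted(leaked: list) -> tuple:
    """One hashed wordlist covers every unsalted hash in the leak, which is
    also why the leak could list each password once for many accounts.
    Returns (hash -> matched password, hash computations spent)."""
    table = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}
    found = {h: table[h] for h in leaked if h in table}
    return found, len(COMMON_PASSWORDS)


def guessable_salted(records: list) -> tuple:
    """With salts the wordlist must be re-hashed for every single user.
    Returns (users matched, hash computations spent)."""
    matched, work = 0, 0
    for salt, stored in records:
        for p in COMMON_PASSWORDS:
            work += 1
            if salted_sha1(p, salt) == stored:
                matched += 1
                break
    return matched, work
```

Salted SHA-1 is used here only to mirror the article; a password store today should use a deliberately slow, salted function such as PBKDF2, bcrypt or scrypt.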

It is strongly recommended that LinkedIn users promptly change their passwords. Users should make sure they use strong web passwords, which are unique and not used on other websites or for other accounts they may have.

This security breach is a timely reminder that every company, no matter how big, can be vulnerable to an online attack that can severely damage their reputation. Ensure your website is secure by using Acunetix Web Vulnerability Scanner – download your free trial here.

Stay up to date with the latest security news by liking the Acunetix Facebook Page, reading the Acunetix Blog and following us on Twitter.

Source: http://www.acunetix.com/blog/web-security-zone/

2010.12.01 19:59

Windows Credentials Editor v1.0

Supports Windows XP, 2003, Vista, 7 and 2008 (Vista has not actually been tested yet, but it should work).
Windows Credentials Editor (WCE) allows you to list logon sessions and to add, change, list and delete the associated credentials (e.g. LM/NT hashes). This can be used, for example, to perform pass-the-hash on Windows and also to obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), which can be used in further attacks.

Source: www.ampliasecurity.com
