<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=John+Kwang-Hyun+Baek</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=John+Kwang-Hyun+Baek"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/John_Kwang-Hyun_Baek"/>
		<updated>2026-04-04T17:16:06Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_HashingandSaltingdotNet&amp;diff=152930</id>
		<title>CRV2 HashingandSaltingdotNet</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_HashingandSaltingdotNet&amp;diff=152930"/>
				<updated>2013-06-05T14:28:58Z</updated>
		
		<summary type="html">&lt;p&gt;John Kwang-Hyun Baek: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Introduction=&lt;br /&gt;
Cryptographic hashing functions are used to create digital signatures, message authentication codes (MACs) and other forms of authentication. They are also used to store user passwords in databases instead of storing the password in clear text, and they help prevent data leakage in session management for web applications. The actual algorithm used to implement a cryptographic hash function varies (MD5, SHA-512, etc.), but its main purpose is the same: take an arbitrary block of data and return a fixed-size bit string.&lt;br /&gt;
&lt;br /&gt;
The code reviewer needs to be aware of three main things when reviewing code that uses cryptographic hashing functions.&lt;br /&gt;
&lt;br /&gt;
* Legality of the cryptographic hashing functions if the source code is being exported to another country.&lt;br /&gt;
&lt;br /&gt;
* The life cycle of the cryptographic hashing function being used.&lt;br /&gt;
&lt;br /&gt;
* Basic programming of cryptographic hashing functions.&lt;br /&gt;
&lt;br /&gt;
==Legal==&lt;br /&gt;
In the United States in 2000, the Department of Commerce Bureau of Export revised the encryption export regulations. The result of the revision is that the regulations have been greatly relaxed. However, if the code is to be exported outside of the source country, the current export and import laws of both countries involved should be reviewed for compliance. &lt;br /&gt;
&lt;br /&gt;
Case in point: if the entire message is hashed, rather than a digital signature being computed over the message, the National Security Agency (NSA) considers this quasi-encryption, and State controls would apply.&lt;br /&gt;
&lt;br /&gt;
It is always a valid choice to seek legal advice within the organization for which the code review is being done, to ensure legal compliance.&lt;br /&gt;
&lt;br /&gt;
==Lifecycle==&lt;br /&gt;
In security, nothing is secure forever. This is especially true of cryptographic hashing functions. Some hashing algorithms, such as Windows LanMan hashes, are considered completely broken. Others like MD5, while currently considered safe for password hash usage, have known issues like collision attacks (note that collision attacks do not affect password hashes). The code reviewer needs to understand the weaknesses of obsolete hashing functions as well as the current best practices for the choice of cryptographic algorithms. &lt;br /&gt;
&lt;br /&gt;
==Programming/Vulnerabilities==&lt;br /&gt;
The most common programmatic issue with hashing is not using a salt value, or, when a salt is used, making it too short and/or reusing the same salt value across multiple hashes. The purpose of a salt is to make it harder for an attacker to perform a pre-computed hash attack (e.g., using rainbow tables), but other benefits of a salt can include making it difficult for an attacker to perform even password guessing attacks by obfuscating the hashed value.&lt;br /&gt;
&lt;br /&gt;
==Salt==&lt;br /&gt;
One way to generate a secure salt value is using a pseudo-random number generator. Note that a salt value does not need to possess the quality of a cryptographically secure randomness.&lt;br /&gt;
&lt;br /&gt;
* Java – java.security.SecureRandom&lt;br /&gt;
* .Net (C#, VB) - System.Security.Cryptography.RNGCryptoServiceProvider&lt;br /&gt;
* PHP - ???&lt;br /&gt;
* Ruby - ???&lt;br /&gt;
* Perl - ???&lt;br /&gt;
* C++ non-managed code (not on the CLR, or not on Windows) ????&lt;br /&gt;
* Javascript ?????&lt;br /&gt;
&lt;br /&gt;
The salt value does not need to be secret and can be stored along with the hash value. Some may use a combination of account details (username, user full name, ID, creation date, etc.) as part of the salt for the hash to further obfuscate the hash computation: for example, salt = (username|lastname|firstname|ID|generated_salt_value).&lt;br /&gt;
&lt;br /&gt;
Lastly, never accept in a code review a hashing algorithm created by the programmer or a hashing function copied from the Internet. Always use the cryptographic functions provided by the language framework the code is written in. These functions are well vetted and well tested by experienced cryptographers.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=References=&lt;br /&gt;
* http://valerieaurora.org/hash.html (Lifetimes of cryptographic hash functions)&lt;br /&gt;
* http://docs.oracle.com/javase/6/docs/api/java/security/SecureRandom.html&lt;br /&gt;
* http://msdn.microsoft.com/en-us/library/system.security.cryptography.rngcryptoserviceprovider.aspx&lt;/div&gt;</summary>
		<author><name>John Kwang-Hyun Baek</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:John_Kwang-Hyun_Baek&amp;diff=152929</id>
		<title>User:John Kwang-Hyun Baek</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:John_Kwang-Hyun_Baek&amp;diff=152929"/>
				<updated>2013-06-05T13:35:06Z</updated>
		
		<summary type="html">&lt;p&gt;John Kwang-Hyun Baek: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;John Kwang-Hyun Baek&lt;br /&gt;
&lt;br /&gt;
Email: john.kh.baek@gmail.com&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
EDUCATION&lt;br /&gt;
&lt;br /&gt;
* B.A. with Honors, Computer Science, Dartmouth College, Hanover, NH (Sept 1998–June 2002)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
PROFESSIONAL CERTIFICATIONS&lt;br /&gt;
&lt;br /&gt;
* Offensive Security Certified Professional (OSCP)&lt;br /&gt;
* Certified Information Systems Security Professional (CISSP) # 340161&lt;br /&gt;
* Certified Information Systems Auditor (CISA) # 1189945&lt;br /&gt;
* GIAC Certified Penetration Tester (GIAC GPEN): GIAC Analyst# 1903&lt;br /&gt;
* PCI ASV&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
EXPERIENCE&lt;br /&gt;
&lt;br /&gt;
Dec 2011-Present, Manager &amp;amp; Sr Manager (promoted in Jan 2013), Protiviti, Inc. &lt;br /&gt;
Philadelphia, PA&lt;br /&gt;
&lt;br /&gt;
* Managed Protiviti’s national security lab, located in Philadelphia, PA, overseeing professional services conducted through the lab, including PCI ASV scans, external vulnerability assessment, external penetration test, social engineering test, web application assessment, and web application penetration tests.&lt;br /&gt;
* Reviewed Protiviti’s consulting services’ deliverables in order for the assessment reports to meet consistently high standards in terms of accuracy, clarity, grammar, punctuation, style, and document format.&lt;br /&gt;
* Improved Protiviti’s report templates so that the process of drafting assessment reports is more efficient and streamlined.&lt;br /&gt;
* Improved and maintained Protiviti’s external consulting service methodologies, including vulnerability assessment, penetration test, and web application assessment.&lt;br /&gt;
* Mentored Consultants and Senior Consultants to improve their consulting skills, teach project methodologies, and train their penetration test techniques.&lt;br /&gt;
* Managed Protiviti’s Philadelphia security lab’s network and system infrastructure, hardware, and software.&lt;br /&gt;
* Maintained and improved Protiviti’s toolset that consisted of commercial tools, open-source tools, custom-developed tools, and freeware tools.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Dec 2007–Dec 2011, Senior Information Security Consultant, Core BTS, Inc., &lt;br /&gt;
Exton, PA&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Performed physical and technical penetration tests for clients across various industries—including health, finance, gaming, and manufacturing—helping clients identify their key weaknesses and evaluate security controls in their information security practices.&lt;br /&gt;
* Conducted holistic vulnerability assessments evaluating the clients’ security posture by performing interviews, utilizing vulnerability security scanners to identify security issues, analyzing the information security governance program, and reviewing the network and system configurations.&lt;br /&gt;
* Performed web application security assessments, utilizing interviews, code review, configuration review, and web application vulnerability scanners.&lt;br /&gt;
* Developed and conducted security awareness training for clients, educating the clients’ employees about the security policies and procedures, as well as practical ways to identify threats and defend against them. &lt;br /&gt;
* Developed security policies and procedures for clients by evaluating the existing information security governance materials and recommending best practices.&lt;br /&gt;
* Architected public key infrastructure (PKI) for clients, based on best practices and the clients’ business requirements.&lt;br /&gt;
* Enhanced the Core BTS penetration test practice by developing a custom Windows Trojan bot, improving Unix and Linux penetration methodologies, and developing a number of custom tools. The custom Trojan bot, written in C++ using the gloox library, is designed to evade most, if not all, of the signature- and behavior-based detection of leading Antivirus vendors.&lt;br /&gt;
* Increased CoreBTS Security Team’s productivity and utilization by implementing report automation tools with a custom web application that can automate the generation of the security service reports—including various statistics, chart, and tables—by parsing automated network vulnerability scan results from Qualys, nikto, nipper, and Windows local security policy.&lt;br /&gt;
* Developed consulting service methodologies, including WLAN (802.11) security assessment, Citrix security assessment, and PKI architecture assessment.&lt;br /&gt;
* Improved CoreBTS Security Team’s IT infrastructure by implementing two-factor authentication for remote access, deploying host-based IDS to monitor for and prevent password guessing attacks, implementing a subversion repository for custom developed tools and patches, and deploying a wiki and bug tracking software for knowledge sharing among the consultants.&lt;br /&gt;
* Implemented test systems and networks for CoreBTS Security Team, using VMware ESXi for testing various security configurations and exploits that are used for the penetration test service.&lt;br /&gt;
* Trained other CoreBTS consultants, teaching them penetration test methodologies and techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
June 2006–Dec 2007, Project Leader/Lead Programmer, &lt;br /&gt;
Dartmouth College / Sun Microsystems, &lt;br /&gt;
Hanover, NH&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Developed kernel drivers and modules, user-level library and tools for secure hardware in OpenSolaris, including Solaris Cryptographic Module (PKCS-11) provider for the secure hardware.&lt;br /&gt;
* Designed and architected a new framework for Trusted Computing on OpenSolaris using the latest technologies, including Solaris Zones (OS container), ZFS, DTrace, and RBAC.&lt;br /&gt;
* Represented Dartmouth College in the Trusted Computing Group (TCG) in TCG members’ meetings.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Sept 2006–Sept 2007, Network Security Consultant, Dartmouth College, &lt;br /&gt;
Hanover, NH&lt;br /&gt;
&lt;br /&gt;
* Demonstrated man-in-the-middle and credential mining attacks on Dartmouth campus network.&lt;br /&gt;
* Advised the planning and architecture of the secure wireless network (802.11) deployment that combined secured WPA2 network that requires mutual certificate-based authentication (TLS) and segregated open guest network.&lt;br /&gt;
* Identified and fixed serious vulnerabilities in the configurations of the network embedded devices that the college deployed across the campus network (see the WESS’07 publication).&lt;br /&gt;
* Scanned and evaluated over 8000 network nodes over 200 subnets with a team of students and staff members using tools like Nessus, compiling the scan results on custom built wiki for collaboration.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Sept 2005–Sept 2007, Linux/Solaris System Administrator, &lt;br /&gt;
Dartmouth College PKI Lab, Hanover, NH&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Installed and maintained Linux workstations and servers, performing updates to the system, patching the Linux kernel, configuring systems for Security Enhanced Linux (SELinux), including restricted policy.&lt;br /&gt;
* Configured and maintained bridged firewalls using Linux iptables for all the systems in the lab.&lt;br /&gt;
* Installed and administered Solaris 10 based systems on both SPARC and Intel servers and workstations, using the latest technologies, such as DTrace, ZFS and Solaris RBAC, to monitor the system activity, backup the data, and manage user privileges.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Sept 2002–Feb 2006, Teaching Assistant/Course Instructor, &lt;br /&gt;
Dartmouth College Computer Science Department, Hanover, NH&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Taught lectures in the following courses: Programming Data Structures and Programming, Artificial Intelligence, Sensor Network, Algorithms.&lt;br /&gt;
* Contributed questions to the course’s midterms and final exams.&lt;br /&gt;
* Taught out-of-lecture TA sessions once a week.&lt;br /&gt;
* Graded students’ programs, written assignments, and exams.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Mar 2000–Oct 2001, Programmer/Research Assistant, Tuck School of Business, &lt;br /&gt;
Hanover, NH&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Designed and implemented financial data processing programs using Perl and C.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
PUBLICATIONS&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Kwang-Hyun Baek, Sergey Bratus, Sara Sinclair, Sean Smith. &amp;quot;Attacking and Defending Networked Embedded Devices&amp;quot;. 2nd Workshop on Embedded Systems Security (WESS 07), October 2007.&lt;br /&gt;
* Chris Masone, Kwang-Hyun Baek, and Sean Smith. &amp;quot;WSKE: Web Server Key Enabled Cookies&amp;quot;. Usable Security (USEC 07), February 2007.&lt;br /&gt;
* Kwang-Hyun Baek and Sean Smith. &amp;quot;Preventing Theft of Quality of Service on Open Platforms&amp;quot;. IEEE/CREATE-NET SecQos, September 2005.&lt;br /&gt;
* Kwang-Hyun Baek, Sean Smith, and David Kotz. &amp;quot;A Survey of WPA and 802.11i RSN Authentication Protocols&amp;quot;. Dartmouth College Computer Science Technical Report TR2004-524, November 2004.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
TECHNICAL SKILLS&lt;br /&gt;
&lt;br /&gt;
* Programming/Scripting Languages: C, C++, PHP, Java, Ruby (including Rails), Perl, Visual Basic, C#, Javascript, bash, awk, sed, Windows Commandline, XML, SQL, HTML, CSS, ML, Lisp, etc.&lt;br /&gt;
* OS/Driver Development: Linux 2.6.x, OpenSolaris, TinyOS (mote)&lt;br /&gt;
* Administration: Linux (various distros), Solaris (10, Nevada, OpenSolaris), Windows 2000, Windows 2003, Windows 2008, Windows XP, Windows Vista, Windows 7, Cisco ASA, Cisco VPN, Check Point Firewall, etc.&lt;br /&gt;
* Development Tools: gcc, make, vi, emacs, Sun Studio 10/11, mingw (for cross-compiling), etc.&lt;br /&gt;
* Security Tools: Qualys Vulnerability Scanner, Qualys Policy Compliance Scanner, Qualys PCI Scanner, Nessus, Nexpose, Immunity Canvas, Web Inspect, Acunetix, NTOSpider, Metasploit, Core Impact, nmap, nikto, tcpdump, wireshark, ettercap, netcat, socat, fgdump/cachedump/gsecdump, lsadump, Cain and Abel, John the Ripper, rainbow crack, revdnet/revnet, Burp Suite, Paros proxy, pstools, ike-scan, dsniff, netfilter, iptables, enum, aircrack-ng suite, kismet, madwifi tools, wikto, pass-the-hash, samba-tools, etc.&lt;br /&gt;
* Servers: SSH/SFTP (GlobalScape, OpenSSH), Samba, FTP/TFTP (various vendors), Active Directory (Windows 2008, 2003), DNS (Microsoft, Bind), CA (Microsoft, OpenCA), NFS, MySQL, XMPP/Jabber (ejabberd, openfire), VMware ESXi, VirtualBox, etc.&lt;br /&gt;
* Others: Microsoft Word, Excel, PowerPoint, Visio, Microsoft SQL Enterprise, PGP/GPG, Truecrypt, OpenSSL, etc.&lt;br /&gt;
&lt;br /&gt;
Other&lt;br /&gt;
&lt;br /&gt;
* Fluent in Korean (Korean is my first language)&lt;/div&gt;</summary>
		<author><name>John Kwang-Hyun Baek</name></author>	</entry>

	</feed>