Hashing A hash function is an algorithm that takes variablelength string as the input and produces a fixed-length value (hash) as the output. The challenge for a hashing algorithm is to make this process irreversible; that is,finding
a string that produces a given hash value should be very difficult. It should also be difficult to find two arbitrary strings that produce the same hash value. Also called a message digest or fingerprint, several one-way hash functions are in common use today.
Among these are Secure Hashing Algorithm-1 (SHA-1) and Message Digest-5 (MD-5). The latter was invented by Ron Rivest for RSA Security, Inc. and produces a 128-bit hash value. for an example of output generated by MD5.
SHA-1 was developed by the U.S. National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) and produces 160-bit hash values.
SHA-1 is generally considered more secure than MD5 due to its longer hash value.
Microsoft Windows NT uses one-way hash functions to store password information in the Security Account Manager (SAM). There are no Windows32 Applications Programming Interface (API) function calls to retrieve user passwords because the system does not store them. It stores only hash values. However, even a hash-encrypted password in a database is not entirely secure. A cracking tool can compile a list of, say, the one million most commonly used passwords and compute hash functions from all of them.
Then the tool can obtain the system account database and compare the hashed passwords in the database with its own list to see what matches. This is called a “dictionary attack”
To make dictionary attacks more difficult, often a salt is used. A salt is a random string that is concatenated with a password before it is operated on by the hashing function.
The salt value is then stored in the user database, together with the result of the hash function. Using a salt makes dictionary attacks more difficult, as a cracker would have to compute the hashes for all possible salt values.
A simple example of a salt would be to add the time of day; for example, if a user logs in at noon using the password “pass,” the string that would be encrypted might be “1p2a0s0s.” By adding this randomness to the password,
the hash will actually be different every time the user logs in (unless it is at noon every day). Whether a salt is used and what the salt actually is depends upon the operating system and the encryption algorithm being used. On a FreeBSD system, for example, there is a function called crypt that uses the DES, MD5, or Blowfish algorithms to hash passwords and can also use three forms of salts.
According to Cambridge University professor of computing Roger Needham, the Cambridge Multiple Access
System (CMAS), which was an integrated online–offline terminal or regular input-driven system, may have been among the earliest to implement such one-way functions. It first went online in 1967 and incorporated password protection. According to Needham: “In 1966,
we conceived the use of one-way functions to protect the password file, and this was an implemented feature from day one” (R. Needham, personal communication, April 11, 2002).
One-way hashing is still being used today, although it does not address another weakness—in a networked environment, it is difficult to transmit the password securely to the server for verification without its being captured and reused, perhaps in a replay attack. To avoid revealing passwords directly over an untrusted network, computer scientists have developed challenge–response systems. At their simplest, the server sends the user some sort of challenge, which would typically be a random string of characters called a nonce. The user then computes a response,
usually some function based on both the challenge and the password. This way, even if the intruder captured a valid challenge–response pair, it would not help him or her gain access to the system, because future challenges would be different and require different responses.
These challenge-and-response systems are referred to as one-time password (OTP) systems. Bellcore’s S/KEY is one such system in which a one-time password is calculated by combining a seed with a secret password known only to the user and then applying a secure hashing algorithm a number of times equal to the sequence number.
Each time the user is authenticated, the sequence number expected by the system is decremented, thus eliminating the possibility of an attacker trying a replay attack using the same password again. One-time passwords were more prevalent before secure shell (SSH) and secure sockets layer (SSL) systems came into widespread use.
Site Title 