MD5 is still used by real CAs to sign SSL
○ MD5 has been broken since 2004
○ theoretical CA attack published in 2007
1. User generates private key
2. User creates a Certificate Signing Request
– user identity
– domain name
– public key
3. CA processes the CSR
– validates user identity
– validates domain ownership
– signs and returns the certificate
4. User installs private key and certificate on a
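The four steps above, run end to end against a throwaway CA, as an added example that is not part of the original slides. The CA, organisation and domain names are constructed for the demo, everything is written to a temporary directory, and every signature uses SHA-256, since MD5-signed certificates are exactly what the first slide warns about. The CA side also does the two checks a CSR should get before signing: the CSR's own signature (proof that the requester holds the private key) and a subject that matches the domain the CA claims to have validated.

```shell
#!/bin/sh
# Added example (not from the slides): key -> CSR -> CA signature -> verification,
# with a self-made CA in a temporary directory. All names and paths are constructed.
set -eu

WORK=$(mktemp -d)

# CA setup (done once, before any CSR arrives): a self-signed CA certificate.
# The signature digest is SHA-256, not MD5.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Example Org/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 1 and 2 (user side): generate a private key, then a CSR carrying the
# user identity (O), the domain name (CN and subjectAltName) and the public key.
make_csr() {
  domain=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/user.key" 2>/dev/null
  openssl req -new -sha256 -key "$WORK/user.key" \
    -subj "/O=Example Org/CN=$domain" \
    -addext "subjectAltName=DNS:$domain" -out "$WORK/user.csr"
}

# Step 3 (CA side): check the CSR's self-signature (possession of the private key)
# and that the requested CN is the domain whose ownership the CA validated out of
# band, then sign with the CA key. The SAN is set by the CA, not copied from the CSR.
sign_csr() {
  domain=$1
  openssl req -in "$WORK/user.csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$WORK/user.csr" -noout -subject | grep -q "CN *= *$domain" || return 1
  printf 'subjectAltName=DNS:%s\n' "$domain" > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 30 -in "$WORK/user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/user.crt" 2>/dev/null
}

# Step 4 check (what the user's clients will do): validate the issued certificate
# against the CA, and read back which signature algorithm the CA actually used.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt"
}
cert_sig_alg() {
  openssl x509 -in "$WORK/user.crt" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

main() {
  make_ca
  make_csr www.example.com
  sign_csr www.example.com
  verify_cert        # prints "<workdir>/user.crt: OK"
  cert_sig_alg       # prints sha256WithRSAEncryption
}
main
```

The subject check in sign_csr is the part that matters in practice: a CA that signs whatever CN the CSR asks for has outsourced its validation step to the requester.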
The md5crypt password scrambler was created in 1995 by yours truly and was, back then, a sufficiently strong protection for passwords.
New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days.
the following guidance to the process:
On a state of the art COTS computer, the algorithm should take at the very least 0.1 second (100 milliseconds) when implemented in software, preferably more.
Some kind of “round count” parameter should be made run-time tweakable so that the runtime/complexity can be increased over time by system administrators.
The algorithm should be based on repeated data-dependent iterations of several different complex one-way hash functions (MD5, SHA1, SHA2, BLOWFISH, you name it, use them all) in order to “soak up area” in hardware based attack implementations.
Please notice that there is _no_ advantage in everybody in the world using the exact same algorithm, quite the contrary in fact.
All major internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm (consisting of course of standard one-way hash functions like SHA2 etc) for their site, in order to make development of highly optimized password brute-force technologies a “per-site” exercise for attackers.
The OpenSSL library provides access to SSL encrypted tunnels. Most of its functionality is accessible via the openssl command, which is shipped with the OpenSSL package.
A digest is a one-way transformation of a string (into a hash) that can be used to ensure the integrity of the string. For example, this technique is used in PGP to sign messages. Commonly used algorithms include MD5 and SHA-1.
The following command demonstrates how to generate an MD5 hash of the content of a file (digests are computed by the dgst subcommand):
openssl dgst -md5 -out OUTFILE INFILE
The openssl command can be used to generate hashed passwords, as well as random strings that are not susceptible to dictionary-based attacks on passwords.
- The crypt(3) hash algorithm was formerly used to hash passwords on Unix systems but has been superseded by the md5-crypt hash algorithm, at least on Linux systems. (OpenSSL 3.0 dropped support for the classic crypt(3) scheme in openssl passwd, so current versions require one of the -1, -5 or -6 options instead.)
openssl passwd -salt SALT PASSWORD
- Similar to the above command, a hashed password is generated from a password and a salt; however, the output format, the modular crypt format (MCF), is more sophisticated in order to allow for a variety of hash algorithms. The simple format discussed here begins with a "$" and consists of three fields separated by "$", where the first field indicates which hash algorithm is used (md5-crypt was assigned 1), and the second and third contain the salt and the hashed password, respectively.
openssl passwd -1 -salt SALT PASSWORD
Please note that there is a huge difference between a simple MD5 hash and an md5-crypt'ed password. Although the md5-crypt hash algorithm is based on the MD5 hash algorithm, the two cannot be transformed into each other without knowledge of the plaintext password.
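The following script, an added example rather than part of the original page, puts the two side by side: a plain MD5 digest of a password, which is the same for every user who picks that password, against salted MCF hashes produced by openssl passwd, which differ per salt. It also adds the verification step the page leaves out: reading the scheme id and salt back out of the stored string and recomputing. The passwords and salts are constructed for the demo; the sha-crypt schemes (-5, -6) need OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original page): plain MD5 versus password hashes in
# modular crypt format, plus verification against a stored hash.
set -eu

# Plain MD5 of a string: unsalted, one pass, identical for every user with the same
# password. `openssl dgst` prints "(stdin)= <hex>", so keep only the hex part.
md5_of() {
  printf '%s' "$1" | openssl dgst -md5 | sed 's/^.*= //'
}

# Random salt from the crypt alphabet [A-Za-z0-9./]. md5-crypt uses at most 8
# salt characters, sha256-crypt and sha512-crypt at most 16.
new_salt() {   # new_salt LENGTH
  openssl rand -base64 48 | tr -dc 'A-Za-z0-9./' | head -c "$1"
}

# Hash a password in MCF. SCHEME is the id that ends up in the first MCF field:
# 1 = md5-crypt, 5 = sha256-crypt, 6 = sha512-crypt.
hash_password() {   # hash_password SCHEME PASSWORD [SALT]
  scheme=$1; password=$2
  case $scheme in
    1)   salt=${3:-$(new_salt 8)} ;;
    5|6) salt=${3:-$(new_salt 16)} ;;
    *)   echo "unknown scheme: $scheme" >&2; return 2 ;;
  esac
  openssl passwd "-$scheme" -salt "$salt" "$password"
}

# Verify a candidate against a stored MCF hash: scheme and salt are the 2nd and 3rd
# '$'-separated fields of the stored string, so recompute with them and compare.
# (Hashes with an explicit "rounds=N$" field, which openssl passwd does not emit,
# would need that field parsed as well.)
verify_password() {   # verify_password STORED CANDIDATE
  stored=$1; candidate=$2
  scheme=$(printf '%s' "$stored" | cut -d'$' -f2)
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  recomputed=$(openssl passwd "-$scheme" -salt "$salt" "$candidate")
  [ "$recomputed" = "$stored" ]
}

# Demo: two users with the same password share one MD5 digest but get different
# MCF hashes, and only the right candidate verifies.
echo "md5(password) for alice: $(md5_of password)"
echo "md5(password) for bob:   $(md5_of password)"
stored=$(hash_password 6 password)
echo "sha512-crypt for alice:  $stored"
echo "sha512-crypt for bob:    $(hash_password 6 password)"
verify_password "$stored" password && echo "alice: correct password accepted"
verify_password "$stored" passw0rd || echo "alice: wrong password rejected"
```

Because the salt is stored in clear inside the MCF string, verification never needs anything secret besides the candidate password; what the salt buys is that a precomputed table for one user's hash is useless against every other user.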
- Generation of N chars
The openssl command can also be used to create a string of pseudo-randomly chosen characters of a custom length:
openssl rand -base64 N | head -c N
What is Base64
openssl enc -base64 -e -in INFILE -out OUTFILE
openssl enc -base64 -d -in INFILE -out OUTFILE
Often the privacy of data that is transmitted over a private network is of major concern to the participating parties. The openssl command also provides commonly used symmetric encryption algorithms (asymmetric encryption algorithms are covered by gnupg), which are two-way transformations of strings based on a password.
The following commands demonstrate the use of the openssl command to encrypt the content of a file using the Advanced Encryption Standard (AES) algorithm. The user is prompted for the password on the current terminal.
openssl enc -aes256 -e -in INFILE -out OUTFILE
openssl enc -aes256 -d -in INFILE -out OUTFILE
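The script below is an added example, not part of the original page, and ties the AES commands above to the "at least 0.1 second, with a run-time tweakable round count" guidance quoted earlier. Without -pbkdf2, openssl enc derives the key from the password with a single MD5 pass over password and salt (the legacy EVP_BytesToKey derivation, which OpenSSL 1.1.1 and later flag as deprecated), which costs an attacker exactly one hash per guess. With -pbkdf2 -iter N the cost is N iterations, chosen by the operator. The passwords, file contents and the 100 ms target are constructed for the demo; the -pbkdf2 and -iter flags need OpenSSL 1.1.1 or later, and the timing uses GNU date's %N.

```shell
#!/bin/sh
# Added example (not from the original page): AES-256-CBC with PBKDF2 key derivation
# and an iteration count calibrated to a minimum wall-clock cost on this machine.
set -eu

# Encrypt/decrypt with PBKDF2 (-pbkdf2 -iter). The password is passed through an
# environment variable so it does not show up in the process list; the interactive
# prompt used on the page works just as well.
encrypt_file() {   # encrypt_file PASSWORD ITER INFILE OUTFILE
  ENCPW=$1 openssl enc -aes-256-cbc -e -salt -pbkdf2 -iter "$2" \
    -pass env:ENCPW -in "$3" -out "$4"
}
decrypt_file() {   # decrypt_file PASSWORD ITER INFILE OUTFILE
  ENCPW=$1 openssl enc -aes-256-cbc -d -pbkdf2 -iter "$2" \
    -pass env:ENCPW -in "$3" -out "$4"
}

# The iteration count is NOT stored in the output file (only the 8-byte salt is,
# after the "Salted__" magic), so it must be recorded next to the ciphertext;
# decrypting with a different count just fails with "bad decrypt".
# Calibrate it: double from 10000 until one derivation takes at least MIN_MS ms.
calibrate_iter() {   # calibrate_iter MIN_MS
  min_ms=${1:-100}; iter=10000
  probe=$(mktemp); printf 'probe' > "$probe"
  while :; do
    start=$(date +%s%N)
    encrypt_file calibration-only "$iter" "$probe" /dev/null
    elapsed_ms=$(( ($(date +%s%N) - start) / 1000000 ))
    [ "$elapsed_ms" -ge "$min_ms" ] && break
    iter=$((iter * 2))
  done
  rm -f "$probe"
  echo "$iter"
}

# Demo round trip with a constructed plaintext.
src=$(mktemp); enc=$(mktemp); dec=$(mktemp)
printf 'constructed sample plaintext\n' > "$src"
ITER=$(calibrate_iter 100)
echo "iterations for >= 100 ms on this machine: $ITER"
encrypt_file hunter2 "$ITER" "$src" "$enc"
decrypt_file hunter2 "$ITER" "$enc" "$dec"
cmp -s "$src" "$dec" && echo "round trip OK"
rm -f "$src" "$enc" "$dec"
```

Two caveats follow from the output format: the calibrated count has to travel with the file (a header, a database column, a naming convention), and CBC carries no authentication tag, so a wrong password or a tampered ciphertext is only caught when the padding happens to be invalid; for anything beyond a one-off file, pair the ciphertext with a MAC or use an authenticated tool.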
In addition, the openssl command can be used to open an SSL tunnel to a remote host, which can be used to tunnel sensitive protocol data:
openssl s_client -connect HOST:PORT