Users' passwords

Here you can discuss ReactOS related topics.

Moderator: Moderator Team

Post Reply
irvmax
Posts: 1
Joined: Mon Jan 07, 2008 2:57 pm

Users' passwords

Post by irvmax »

I am strongly interested in REACTOS. My interest started many years ago.
At that time, I wrote to Mr. Filby, asking him some technical questions.
He answered me that the project was still in early development. So, I'm
happy to see that things go on.
However, I have a question for the developers. I refer to Win2000, which
I know fairly well.
The users' passwords are obviously encrypted. But, the encryption algorithm
will be available to everyone, since REACTOS is an open-source project.
(This is true, some months ago I downloaded V0.3.0 binaries and sources)
So, some bad guy could use this algorithm to steal data etc etc etc
The question is: is there any "protection" against this problem?


Thank you
Massimo Rossato
Thiene (Vicenza), Italy
Z98
Release Engineer
Posts: 3379
Joined: Tue May 02, 2006 8:16 pm
Contact:

Post by Z98 »

Having the algorithm doesn't really help. It's having the key used to generate the passwords that would count. However, that key can be randomly generated, at which point any hackers are back to square one.

Considering the fact that Samba and other open source projects that do password encryption don't face this problem, I doubt we will either.
cppm
Posts: 289
Joined: Wed May 02, 2007 10:03 pm

Post by cppm »

Lol! The answer is there is absolutely no problem at all, and I think a little lesson on how OS password encryption works is in order.

(Note: My information may be out of date =S this is certainly the classical system)

When you set a password, this gets put through an encrypting algorithm which produces a string of binary, that is unique to the sequence of characters that were entered as the password, right, we're on the same page so far I think.

I think your confusion stems from the way in which the password is then authenticated when it's later entered.

What the OS really does is that it shoves what you entered back through the same algortihm and then checks that the encrypted result is identical to the stored value (remember they are unique to a string of characters)

What it doesn't do is put the binary through an unencryption algorithm and compare the text values. Since this is the case the algorithm is designed so that the string of binary is (or at least should be) nigh on impossible to unencrypt, at least with your standard hardware.

In this case it isn't a problem if the algorithm is opensource, it may tell you -how- to unencrypt it, but it's going to be real bugger to do so. In fact since the real defence of the OS is the quality of the algorithm, the fact it's opensource is a real benefit since it can be publicly checked for errors such as duplicable results (outputting binary results that are identical to the results for another password string, in essence allowing one password to verify another) or plain weak encryption.

On top of this the security industry has repeatedly learnt that security by obscurity never works ultimately, people just find some way of getting the relevent information. Look it up, i bet you can find detailed information on the windows password encryption. If not, free to decompile the relevent binary!! hehe

PS: also note if, in a well designed system, the attacker can get their hands on the table full of the encrypted passwords, then the system is already well compromised some way or another!

PPS: Brute force is blasting it with random, or selective (dictionary attack) values to see which one will unlock it, this can't really be solved by technical wizardry, just good password selection.
Last edited by cppm on Tue Jan 08, 2008 8:10 pm, edited 2 times in total.
raketenfred
Posts: 95
Joined: Sun Sep 16, 2007 9:12 pm

Post by raketenfred »

I think an other problem is the brute force security and the direction of the keywords. I have searched for the brute force but I didn't find somethin to configurate this. I don't know whats about the SAM-Data like in windows ms, but there you can read the informations about the password with a special programm and this is faster than a brute force attack...

i hope you understand me with my english
cppm
Posts: 289
Joined: Wed May 02, 2007 10:03 pm

Post by cppm »

Z98 wrote:Having the algorithm doesn't really help. It's having the key used to generate the passwords that would count. However, that key can be randomly generated, at which point any hackers are back to square one.
Yeah, further explanation, in the context of OS's keys mean that you can't just compile a database of words and their encrypted results from the algorithm. Enabling you to translate the password table of a system if you got your dirty mitts on it.

By generating a random encryption key for an OS, then it means that an attacker would have to re-run their dictionary attack with the new key in order to translate the table.

Ultimately it's most important to OS with decent permissions so that some random geezer from the internet can't get their hands on the password table. >_<
rallen71366
Posts: 1
Joined: Wed Jan 02, 2008 4:13 am

Rainbow Table?

Post by rallen71366 »

Sorry, I'm coming it this from the Linux direction.

There was a big deal recently about "Rainbow Table" attacks. If they have the algorithm (usually a "trapdoor" one-way hashing) then they can simply run their entire dictionary through it, brute force style, and create a database of plaintext to encrypted passwords. If they can get hold of the encrypted passwd database, they just do a plaintext lookup.

To fight this, Linux keeps the standard password db for whatever progs need it. It just isn't used. Instead a "Shadow Password" file is used, where only root has access to even look at it.

I'm not familiar with the permission system of ReactOS. Is it set up like Linux with permissions set on files and directories, or simply login? I need to learn how React (and Windows) handle security, because I'm probably going to need to program for them.

Thanks.
oiaohm
Posts: 1322
Joined: Sun Dec 12, 2004 8:40 am

Post by oiaohm »

Common annoyance for me. I am a Linux person. Number one shadow and passwd files are completely optional under Linux. Yes they are commonly used as defaults because they are simple to setup.

http://www.kernel.org/pub/linux/libs/pam/ Pam completely changable login system. So you can make the logins harder to find. Attack to linux login system can be performed if you can get hands on hash.

Difference Linux does make it a little bit harder. There are many different hashes that can be used side by side with each other. Note each users password is only encode once but each users password can be encoded in a different hashing system.

So a single attack system alone can be basically useless to linux. Since system linux admins can randomize the hashing system used. Ie hash type can be taged onto the start of the hash in the shadow or where ever. So every time you change your password a hashing system is picked based on a random number.

This is way different to windows. Windows only depends on a limited range of hashes and methods by default.
Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot], Bing [Bot] and 40 guests