Daniel 'MaTachi' Jonsson

Category Archives: Security

How The bcrypt/Blowfish Salt Works

Install bcrypt and Passlib

In Python 2 you can easily use bcrypt by installing the packages python-bcrypt and python-passlib. On Ubuntu, run:

sudo apt-get install python-bcrypt python-passlib

I would have preferred to use Python 3, but there isn’t a bcrypt library for Python 3 in Ubuntu’s repository. On the other hand it doesn’t really matter in this case.

Use bcrypt in the Python interpreter

Open a terminal and type the following stuff:

matachi:~$ python
Python 2.7.3 (default, Apr 20 2012, 22:39:59)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from passlib.hash import bcrypt
>>> bcrypt.encrypt('kalle', rounds=4, salt='1234567890123456789012')
'$2a$04$123456789012345678901u9TR3ZsWr3m7NxL0UZWrF0pxdXbJe2jO'
>>> bcrypt.encrypt('kalle', rounds=4, salt='123456789012345678901u')
'$2a$04$123456789012345678901u9TR3ZsWr3m7NxL0UZWrF0pxdXbJe2jO'

As you can see, it’s really easy to use and experiment with bcrypt in the Python interpreter. I highly recommend it!

How the salt works

The salt must be at least 22 characters long and it doesn’t matter if it’s longer than that, since all characters beyond that will be ignored. So use a 22-character salt.

As you saw in the previous part of this post, two different salts resulted in the same output. There are a couple of reasons behind that. The first one is that the characters you give to bcrypt as salt aren’t interpreted as ASCII or UTF-8 characters, but as base64. However, it’s not the usual base64 alphabet but:

./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

With this alphabet, every character uses 6 bits, instead of 7 as an ASCII character does.

The second reason is that bcrypt takes a salt of exactly 128 bits. 22 characters where each character uses 6 bits means that they use a total of 132 bits. So the last 4 bits of the last of the 22 characters will be ignored.

. (period) in the alphabet corresponds to 000000 and N corresponds to 001111. Therefore the hash will not differ if the 22nd character is anything from . to N. However, O corresponds to 010000, which means that it will result in a different hash. Here you can see how it works:

>>> bcrypt.encrypt('kalle', rounds=4, salt='123456789012345678901M')
'$2a$04$123456789012345678901.GZyLszhboAmO/L.DQdxwE7n3c04N7Qa'
>>> bcrypt.encrypt('kalle', rounds=4, salt='123456789012345678901N')
'$2a$04$123456789012345678901.GZyLszhboAmO/L.DQdxwE7n3c04N7Qa'
>>> bcrypt.encrypt('kalle', rounds=4, salt='123456789012345678901O')
'$2a$04$123456789012345678901OYspTNPKklQIIHjaV7fayCuiYOlHRrXu'

As you can also see, if you use the salt 123456789012345678901M, the output’s salt is:

$2a$04$123456789012345678901.GZyLszhboAmO/L.DQdxwE7n3c04N7Qa

Note that it’s a period at the end and not an M.
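The bit arithmetic described above, as an added example that is not part of the original post: a Python 3 model using only the standard library that decodes a 22-character salt to its 128 bits and re-encodes it the way it shows up in the hash string. The function names are illustrative, and it does not call passlib or bcrypt.

```python
# Added example, not from the original post: pure-Python model of how a
# 22-character bcrypt salt maps onto 128 bits. Function names are illustrative.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def salt_to_bytes(salt):
    """Decode a 22-character bcrypt salt string into its 16 raw bytes."""
    if len(salt) != 22:
        raise ValueError("expected exactly 22 salt characters")
    bits = 0
    for ch in salt:
        value = BCRYPT_ALPHABET.find(ch)
        if value < 0:
            raise ValueError("%r is not in the bcrypt alphabet" % ch)
        bits = (bits << 6) | value   # every character carries 6 bits
    return (bits >> 4).to_bytes(16, "big")  # 132 - 128: drop the last 4 bits


def bytes_to_salt(raw):
    """Encode 16 raw bytes as the 22-character salt string bcrypt prints."""
    if len(raw) != 16:
        raise ValueError("a bcrypt salt is exactly 16 bytes")
    bits = int.from_bytes(raw, "big") << 4  # pad the unused 4 bits with zeros
    return "".join(BCRYPT_ALPHABET[(bits >> shift) & 0x3F]
                   for shift in range(126, -1, -6))


def canonical_salt(salt):
    """Return the salt as it appears in the hash string."""
    return bytes_to_salt(salt_to_bytes(salt))


def colliding_last_chars(ch):
    """All 22nd characters that give the same 128-bit salt as `ch`."""
    top_two = BCRYPT_ALPHABET.index(ch) >> 4
    return "".join(c for i, c in enumerate(BCRYPT_ALPHABET) if i >> 4 == top_two)


if __name__ == "__main__":
    prefix = "123456789012345678901"   # the 21 leading characters used in the post
    for last in "2uMNO":
        print(last, "->", canonical_salt(prefix + last))
    print(colliding_last_chars("M"))
```

Only the top two bits of the 22nd character survive, so the 64 possible last characters fall into four groups of 16 that each produce the same salt.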

Link

Here is a nice Stack Overflow answer I read that explains this very well:

PHP’s Crypt Function in Python

I found that PHP’s crypt function is available in Python through the library Passlib.

These two scripts will print the same hash:

PHP

<?php
echo crypt('kalle', '$6$rounds=1234567$kalleanka$');

Python

#!/usr/bin/python3

from passlib.hash import sha512_crypt

print(sha512_crypt.encrypt('kalle', salt='kalleanka', rounds=1234567))

The output:

$6$rounds=1234567$kalleanka$P8noS3rinSFU30ssGtoFo2XMAW1tbaxbIxj8ypQ.khOGM8RgsNRy1vVFG8eRfYtZ.bfgYxeS7ZFnypnjXuSH9.

You can install Passlib through the terminal with:

sudo apt-get install python3-passlib

How to Search Encrypted on Google

Google has a pretty clumsy URL for searching with SSL, like Wikipedia. However, the encrypted version of Google Search is currently only in beta, so that may be the reason behind it. Anyway, here is the URL to it:

To change to your country’s version, replace the last two letters en with something more fitting. In my case sv, since I’m from Sweden.

With the Firefox add-on Add to Search Bar you should be able to add an entry for this version to your search bar. And as with all other search fields in Firefox, it’s possible to add a keyword for the search field by right clicking the field and pressing “Add a Keyword for this Search…”.

However, if you care about your privacy, don’t forget to check out DuckDuckGo. Click here to read my short introduction to the search engine.

How to Browse Facebook Encrypted

As far as I know, only the Account Settings page on Facebook will encrypt your connection if you haven’t changed the default settings. Not even the login page seems to connect over SSL by default, which seems a bit strange for such a large site. Maybe they don’t really care about the users’ security.

However, on the Account Settings page there is an option below Account security that asks you if you want to browse Facebook on a secure connection. I can’t see a reason to not use it, so I advise you to go in there and update your account. :) I have done it myself on all my accounts, and I haven’t experienced any problems.

The flaw with this is that you have to be logged in to make Facebook realise that you want to use an encrypted connection. Therefore the login page doesn’t use SSL by default, so you have to manually add an s to http in the URL.

By using https you will be protected from applications like FireSheep, even if you are on an unencrypted network. And you will also protect your data from being read by others on the way between you and the server.

How to Use the Encrypted Version of Wikipedia

For a long time I didn’t know that there even existed an encrypted version of Wikipedia, since you can’t reach it by simply adding an s after http. The regular address that you are used to looks like this:

And the secure address looks like this:

So it’s a bit longer and more troublesome to access. However, that needn’t be a problem. If you are using DuckDuckGo as your search engine and have set it to search through SSL, it will automatically change the outgoing Wikipedia links to the encrypted version. If you would like to have the encrypted Wikipedia as an option in the search bar in Firefox, you can add an entry for it with this add-on.

If you are curious about DuckDuckGo, read my short blog post about it:

Alternative to Google Search: DuckDuckGo

A search engine that I have heard some talk about lately is DuckDuckGo, which I have also recently set as my default search engine in Firefox.

The advantage over Google is that they value the user’s privacy much higher. DDG doesn’t track you, you can set DDG to always search through their encrypted version (https), and you can also set DDG to prevent the sites you visit from knowing what keywords you used to get to them. On the following page you can find the privacy settings, along with many, many more options (far more than those Google offers for their search engine):

What I like as a Swede is that they also have an option to choose region, which will increase the search results from that country. So in my Firefox search box I have added one entry for the regular DuckDuckGo, and one for it with the region set to Sweden.

If you wonder why you should be careful when you search stuff on the Internet, you can visit www.donttrack.us. It’s a homepage by DuckDuckGo that describes how the tracking of you works when you are using Google.
I’m not a person who searches for herpes, illegal stuff or something similar. But I can’t say that I really like to share all my keywords and data that I put into the search box with (advertisement) corporations and people around the whole world.

If you look around on DuckDuckGo you will find many smart features, like !Bang. So it’s a really competent search engine, that not only doesn’t track you and values your privacy, but offers good search results, loads of options and many features.

Change to hacker “safe” password

According to this article, a 7-character password is pretty hopeless nowadays, because of the GPU power that regular consumer graphics cards have. Instead, the article recommends that you change to a longer password, with at least 12 characters. Then I can feel a bit safe, with my 15-character password. :)

I wonder when we will need to have full sentences as passwords due to the increasing power in our machines.

Just so you don’t get me or the article wrong: it’s only “safe” with a 12+ character password as long as the hacker doesn’t have access to the database, with the password stored in it in plain text. Then a long password is only helpful if it’s hashed and/or salted.

Crack hashes with IGHASHGPU

I found a very nice and fast piece of software for cracking hashes, like sha1 and md5. It went through almost 1000 million hashes per second on my computer, compared with Cain which did about 6,5 million per second. But I only have a half-broken ATI 4870. This is what the website says about the 5970:

Recovery speed on ATI HD 5970 peaks at 5600M/s MD5 hashes and 2300M/s SHA1 hashes.

And that is freaking awesome!

Decrypt passwords with Cain & Abel

I have used Cain & Abel before (some years ago) for network sniffing. But today, when I wanted to try out decrypting passwords, I googled and found out that Cain & Abel can do that too. Or maybe I shouldn’t call it decrypting, because I was solving hashes. It worked great, but it takes a huge amount of time when there are more than 6-7 characters in the password. Therefore it can be a good idea to download a rainbow table if you want to minimize the time spent “decrypting”.