Skip to content

Instantly share code, notes, and snippets.

View defuse's full-sized avatar
🔬

Taylor Hornby defuse

🔬
1.3k followers · 3 following
View GitHub Profile
@defuse
defuse / primes.sh
Created March 20, 2017 23:53
Test OpenSSL RSA Random Number Generator
#!/bin/bash
# primes.sh -- @DefuseSec
echo -n >/tmp/primes.txt
# Generate 1000 primes.
for i in {1..500}; do
# Use 192-bit keys for speed (could potentially mask RNG bugs that only affect bigger keys)
openssl genrsa 192 2>/dev/null | \
openssl rsa -text 2>/dev/null |\
@defuse
defuse / side-channel-password-guessing.md
Last active March 11, 2021 03:28

This was a comment I posted on bcrypt-ruby/bcrypt-ruby#43 (before I realized that issue was 5 years old!) which got deleted so I moved it here.

Let's make the attack concrete to see if it works. I have a dictionary of 232 candidate passwords I want to try against a user account. I know the user's salt. There is no rate limiting. Ideally, it should take 232 online queries to search through all of my candidate passwords. Here's the attack:

  1. Using my knowledge of the salt, I hash ~216 random preimages until I find one for every possible 2-byte prefix of the hash.
  2. Now I send each of those 216 preimages in turn to the server and observe the side-channel. I may have to repeat this a few times in order to improve the SNR, let's say 100 times. So in 100*216 online queries I learn the first 2 bytes of the hash.
  3. Now that I know the first 2 bytes of the hash, I do 232 offline work to hash all of my candidate passwords a
@defuse
defuse / hash-function.md
Last active May 26, 2018 10:02
Hash Function

For a 512-bit input x, the 256-bit hash of x, H(x) is defined as follows. Simulate a frictionless table on which disks may slide around and collide with the sides of the table as well as other disks according to Newton's laws (elastic collisions). The simulated box is 32m by 32m subdivided into a 16x16 grid of squares. At the center of each square place a 1m-radius disk with unit mass and 1m/s velocity in a direction that encodes the next two bits of x: 00=up, 01=down, 10=left, 11=right. Simulate this state's evolution for T=1024 seconds. Now generate the output as follows. Starting with an empty output, enumerate all of the disks (in the same order they were generated) and append a 0 to the output if the velocity vector has a positive upwards component or a 1 otherwise. The simulation must be as precise as necessary for the output to be correct.

Is H collision-resistant? Can you break it? If you can't, what's the largest value of T for which you can?

See breaks and patches in the comments below.

@defuse
defuse / example.js
Created May 12, 2018 01:59
Insecure code that's visually identical to secure code.
let KEY = new Uint8Array(16);
function generate_key() {
let KEY = new Uint8Array(16);
window.crypto.getRandomValues(KEY);
return KEY;
}
KEY = generate_key();
document.body.innerText = KEY;