The DUHK Attack:因為亂數產生器的問題而造成的安全漏洞

Bruce Schneier 那邊看到的:「Attack on Old ANSI Random Number Generator」,攻擊的網站在「The DUHK Attack」,論文在「Practical state recovery attacks against legacy RNG implementations (PDF)」。

攻擊的對象是 ANSI X9.31 Random Number Generator:

DUHK (Don't Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key.

然後攻擊的對象是 FortinetFortiOS

Traffic from any VPN using FortiOS 4.3.0 to FortiOS 4.3.18 can be decrypted by a passive network adversary who can observe the encrypted handshake traffic.

如果照說明的只到 4.3.18,那麼去年 11 月更新的 4.3.19 (參考「FortiOS 4.3.19 Release Notes」) 應該是修正了?不過裡面沒翻到類似的資料,是剛好把 RNG 換掉了嗎?

htpasswd 的 SHA 不會帶 salt (seed)...

剛剛發現 htpasswd (Apache.htpasswd 檔案產生程式) 提供的 SHA-1 不會使用 salt,不過 MD5 格式會...

以密碼「test」測試:

gslin@colo-p [~] [17:44/W7] touch test.txt
gslin@colo-p [~] [17:44/W7] htpasswd -b -m test.txt test1 test
Adding password for user test1
gslin@colo-p [~] [17:44/W7] htpasswd -b -m test.txt test2 test
Adding password for user test2
gslin@colo-p [~] [17:44/W7] htpasswd -b -s test.txt test3 test
Adding password for user test3
gslin@colo-p [~] [17:44/W7] htpasswd -b -s test.txt test4 test
Adding password for user test4

結果是:

test1:$apr1$GU6SyO0y$I.Ng9o4H8Tcje.M2A6ECb0
test2:$apr1$uqoX9b/x$7zGMAKqRjvoi6HHSKtaRO.
test3:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
test4:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=

依照說明,htpasswd 使用的 SHA 是移植自 Netscape server 的 LDAP Directory Interchange Format (ldif):

Use SHA encryption for passwords. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif).

在安全疑慮 (Security Considerations) 上也有註明 htpasswd 使用的 SHA 是不帶 salt:

The SHA encryption format does not use salting: for a given password, there is only one encrypted representation.

現在密碼儲存應該是朝 bcryptPBKDF2 發展,參考依林姊姊的「請愛用 bcrypt 和 PBKDF2」,後者 PBKDF2 被用在 WPA2 上。