Lmst

New blog post:
In which I explore the impact of SQL Server 2025’s PBKDF2 hashing algorithm on password cracking and compare it with SQL Server 2022.
#sqlserver #sqldba #microsoftsqlserver #mssqlserver #mssql #mssqldba #sql #security #pbkdf2
https://vladdba.com/2025/06/23/looking-into-sql-server-2025s-new-pbkdf2-hashing-algorithm/

Извлечение паролей из разных браузеров

Если пользователь забыл мастер-пароль от парольного менеджера Bitwarden , 1Password , KeepassXC , то пароли невозможно восстановить. Другое дело — встроенные парольные менеджеры браузеров Chrome и Firefox, для расшифровки которых есть специальные инструменты. Этот факт следует иметь в виду при хранении пользовательских данных — и не допускать, чтобы злоумышленник получил физический или удалённый доступ к компьютеру с правами пользователя. Примечание: перечисленные ниже инструменты не работают с последними версиями браузеров и приведены исключительно в информационно-образовательных целях.

https://habr.com/ru/companies/globalsign/articles/874804/

#парольные_менеджеры #взлом_паролей #парольные_хранилища #PBKDF2 #SHA256 #Chrome #Firefox #AES #Triple_DES #Firefox_Passwords_Decryptor #Browser_Cookie #куки #SQLite #cookiejar #CryptProtectData #CryptUnprotectData

Парольная защита статичной HTML-страницы на JS

Обычно парольная защита производится через веб-сервер, который проверяет пароль и выдаёт контент. Стандартный способ: .htaccess и htpasswd . Но что, если нужно выложить зашифрованную веб-страницу и файлы на публичном хостинге, где у нас нет контроля над сервером? Эту проблему решают инструменты StatiCrypt и Portable Secret . Для шифрования HTML перед публикацией StatiCrypt использует AES-256 и WebCrypto, а расшифровка происходит с помощью ввода пароля в браузере на стороне клиента, как показано в демо (пароль test ). StatiCrypt генерирует статическую страницу, которую можно безопасно заливать на любой хостинг, в том числе бесплатный сторонний хостинг, такой как GitHub Pages.

https://habr.com/ru/companies/globalsign/articles/868780/

#StatiCrypt #AES256 #WebCrypto #парольная_защита #PBKDF2 #Portable_Secret #шифрование_файлов

Про #GRUB можно позабыть уже несколько лет как — явно находится под чьим-то влиянием и до сих пор отказывается реализовать поддержку #LUKS 2-й версии, в части использования #Argon2 / #Argon2id.

Важно это потому, что в мире полно ферм для майнинга криптовалют, так или иначе арестованных органами общественного правопорядка. Это изначально специализированные #ASIC для перебора значений hash-функций. В результате, стало возможным взламывать грубой силой почти все варианты дискового шифрования, если для хранения пароля используются обычные #PBKDF2 / #PBKDF, не адаптированные под противодействие крипто-майнинговым фермам. Примером, нормальной современной #PBKDF является тот же #Argon2 и его вариации.

Альтернатива в том, что позволяет тот же #systemd-boot. Например, для полнодискового шифрование через LUKS берётся SSD/NVMe разбитый через #GPT с выделением раздела EFI System Partition, на котором размещаются образы #initrd / #initramfs и бинарники загрузчика systemd-boot являющиеся EFI-приложением.

Всё содержимое EFI System Partition может проверяться Secure Boot'ом — быть заверены своим собственным сертификатом в дереве. Не только бинарники, но и текстовые *.conf файлы в /boot/loader/entries/ описывающие каждый вариант загрузки. Поскольку они содержат такие вещи как:

title    ... — как зовётся в меню загрузочном
linux    /vmlinuz-6.6-x86_64 — какое ядро ОС использовать
initrd    /intel-ucode.img — какой микрокод процессора грузить
initrd    /initramfs-6.6-x86_64.img — сам загрузочный образ
...
options quiet — могут быть и в одну строчку все сразу
options splash
options rd.udev.log_level=3
options systemd.show_status=auto
options sysrq_always_enabled=1
options intel_iommu=on
options iommu=pt
...

Т.е. файлы *.conf могут содержать всякие опции/параметры ядра, отвечающие за безопасность работы системы. Например, раздачей таких рекомендаций недавно развлекался #ФСТЭК (вот оригинал официальной публикации).

Про различия в вариантах #Argon2, почему собственно RFC 9106 рекомендует использовать #Argon2id

#Argon2d maximizes resistance to GPU cracking attacks. It accesses the memory array in a password dependent order, which reduces the possibility of time–memory trade-off (TMTO) attacks, but introduces possible side-channel attacks.
#Argon2i is optimized to resist side-channel attacks. It accesses the memory array in a password independent order.
#Argon2id is a hybrid version. It follows the #Argon2i approach for the first half pass over memory and the #Argon2d approach for subsequent passes.

#linux #crypto #lang_ru

Its been, I've lost count, 6 years? And still GRUB2 does not support #argon2 while #pbkdf2 absolutely gets stomped .

Effectively rendering #fde with encrypted boot insecure on Linux (X86). While with u-boot on ARM you can use argon2

I do not understand why this isn't like a high priority issues for GNU

@sun_rise дык есть же #^https://manjaro.org/ — вполне стабильный вариант arch'а не для школьников. а рабочих ноутов с десктопами.

можно поставить и так же как обычный Arch — тупо в текстовом режиме засетапить поэтапно всё, что полагаешь нужным и необходимым для себя.

Например, тебе надо чтобы диск шифровался полностью и при этом хочется именно через LUKS v2, а не 1-й версии предлагаемый гуёвыми инсталляторами дистрибутивов.

а предлагают они это потому, что по умолчанию пихают GRUB в качестве загрузчика, который имеет не полную поддержку LUKS2 — не умеет работать с такой #PBKDF2 как Argon2

потому отказываешься от GRUB, используешь systemd-boot вместо этого, расположив его на ESP (EFI System Partition) вместе с парой текстовых файлов и initramfs-образами и vmlinuz образами.

на диске же у тебя и swap и корневой раздел являются LUKS2-томами с Argon2 в качестве PBKDF2. незашифрованным является лишь этот самый ESP. располагающиеся файлы на нём можно подписать и валидировать при загрузке компа средствами Secure Boot.

если же использовать GRUB, то он умеет держать на ESP лишь себя любимого (EFI-приложение), а грузить initramfs с основного раздела на диске, зашифрованного LUKS1 или же LUKS2, но с PBKDF2 отличной от Argon2.
таким образом, вроде бы как большая безопасность системы, меньше шансов, что тебе подпихнут пропатченный initramfs. но полнодисковое шифрование используется не только в целях «доверенной загрузки», но и тупо на случай утраты контроля над жёстким диском. в ходе кражи, обыска или чего-то подобного.

а когда очень надо, тот же ESP размером в сто-двести мегабайт можно вообще хоть на флешке или карте памяти держать, и как резервную копию, и чтобы при загрузке компа не использовался ESP на диске, а брался с флешки :)

Blogged: Creating hashes in .NET

https://damienbod.com/2024/07/01/creating-hashes-in-net/

#dotnet #aspnetcore #identity #sha512 #Pbkdf2 #hash

Musing about Password-Based Cryptography for the Government

What would a modern NIST standard for password-based cryptography look like?

Obviously, we have PBKDF2–which, if used with a FIPS-approved hash function, gives you a way to derive encryption keys and/or password validators from human-memorable secrets.

However, PBKDF2 isn’t memory-hard.

In 2012, several cryptographers initiated the Password Hashing Competition (PHC) to study the state-of-the-art for password-based cryptography at the time. Part of this motivation was that memory-hard hashing (first developed by Colin Percival in scrypt a few years prior) provided greater defense against the increasing parallelism of modern password cracking techniques.

After a few years of cryptanalysis, the PHC selected an algorithm called Argon2, and gave special recognition to four other finalists.

And, quote the NIST SP 800-63B:

A memory-hard function SHOULD be used because it increases the cost of an attack.
If you were expecting, “Nevermore,” you’re currently reading the wrong literary genre.

“So, we’re done, right? Just use Argon2 and call it a day.”

We did it! Yayyyyyyyy~

…

Of course, it’s not that simple.

(Artist source unknown, meme generated from imgflip)

What is Argon2?

Argon2 is defined in IETF RFC 9106. There are several variants of Argon2 that have subtly different security properties (Argon2d, Argon2i, Argon2id, Argon2ds — the latter one providing a property called cache-hardness. which Steve Thomas’s slide deck from BSidesLV 2022 explores in depth).

Argon2id is the variant most of us settled on in 2024.

Regardless of the variant used, the same underpinnings are used. From RFC 9106, section 3.2:

Argon2 uses an internal compression function G with two 1024-byte inputs, a 1024-byte output, and an internal hash function H^x(), with x being its output length in bytes. Here, H^x() applied to string A is the BLAKE2b ([BLAKE2], Section 3.3) function, which takes (d,ll,kk=0,nn=x) as parameters, where d is A padded to a multiple of 128 bytes and ll is the length of d in bytes. The compression function G is based on its internal permutation. A variable-length hash function H’ built upon H is also used. G is described in Section 3.5, and H’ is described in Section 3.3.
Bold text for emphasis.

If you weren’t adept at playing Crypto Algorithm Bingo, it might be easy to miss the fact that BLAKE2b is NOT a cryptographic algorithm approved for use in FIPS validated modules.

So, full stop, unless NIST and the US Department of Commerce turn over a new leaf and add BLAKE2 to the approved algorithms list for FIPS, this is a non-starter.

Well, why not use yescrypt? Or scrypt for that matter?

Yescrypt (and scrypt before it) are based on Salsa20/8. In fact, most of the time computing a KDF output with either algorithm is spent on Salsa20-encryption regions of memory.

After all the computing resources are spent on Salsa20/8 and memory management, PBKDF2-SHA256 is used to compress the output to a fixed length. This is arguably complying with NIST’s requirements to use PBKDF2–albeit with an iteration count of 1 (so it’s just artificially sweetened HMAC, if we’re being honest with ourselves).

How are systems complying today?

I’ve heard a few conflicting stories over the years from folks that care a lot about FIPS (presumably because the US government is a significant chunk of their annual recurring revenue). It’s possible I’m misremembering what they said, so please take these secondhand anecdotes with an appropriate amount of salt.

One person claimed that Scrypt is fine since “the last step is PBKDF2”, and if an auditor blinks, you allegedly just need to document all the Salsa20 stuff as “obfuscation” and PBKDF2 is what you’re really doing to comply.

Another approach I heard was to run a memory-hard KDF in parallel with PBKDF2, then use HKDF to combine the two outputs.

Between the two, I’m more likely to believe that an auditor would approve the latter HKDF-based design, but I’ve never worked at a NIST CMVP lab, so who knows?

Unfortunately, NIST SP 800-63B has little to say about the specifics:

Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack.

I already said that PBKDF2 isn’t memory hard, so that’s useless here.

The other example they gave, Balloon Hashing, is frankly a weird recommendation to make, given the lack of a stable reference implementation and how poorly specified it is.

This is starting to look like a catch-22. Maybe we would be better off not supporting passwords anymore.

But what if you can’t make that decision?

What would a modern NIST standard for password-based cryptography even look like?

Towards Gargon: Government-flavored Argon2

Is that last question even answerable?

I argue, “Probably yes.” From the introduction to RFC 9106:

Argon2 is also a mode of operation over a fixed-input-length compression function G and a variable-input-length hash function H. Even though Argon2 can be potentially used with an arbitrary function H, as long as it provides outputs up to 64 bytes, the BLAKE2b function [BLAKE2] is used in this document.

Clearly, the Argon2 RFC authors intended to allow the hash function be swapped out for another one.

So can we just str_replace() BLAKE2b with SHA512 (or SHA3-512) and call our job done?

No, that would be too easy.

The internal compression function, G

Argon2’s design involves computing the internal compression function, G, over regions of memory. The linked section of that version of RFC 9106 provides a good overview of the construction.

G is defined in terms of the permutation, P.
P is based on the round function of BLAKE2b.
The BLAKE2b round function is based on ChaCha, which is similar to Salsa20 (and designed by the same author), which we already established isn’t approved for FIPS.

So if we’re going to invent a Government-tolerable variant of Argon2, we’ll need to be a bit more creative about our choice for G as well.

More precisely, even if we keep the overall structure of G intact, we’ll need to define a FIPS-able permutation, P.

The permutation, P, for building the internal compression function, G

A reasonable person would assume we would need to pick a component from the hash function we’re building atop which has an increased circuit depth. After all, that’s what the Argon2 designers did:

The modular additions in GB are combined with 64-bit multiplications. Multiplications are the only difference from the original BLAKE2b design. This choice is done to increase the circuit depth and thus the running time of ASIC implementations, while having roughly the same running time on CPUs thanks to parallelism and pipelining.
RFC 9106

And this is where reasonableness hits a wall. There are several directions that one could go to invent Government-tolerable Argon2.

The SHA-2 family compression function (i.e., , , , and ).
The basic block permutation function from SHA3 (i.e., , , , , and ).
Look elsewhere in the FIPS algorithm suite, such as AES (e.g., in Counter Mode, to exploit the hardware acceleration of AES in modern CPUs).

Each of these ideas is terrible in their own way.

The cryptanalysis results showing that the best attack against a full hash function costs 2 to some power queries don’t imply the security of each constituent component. So you’re really rolling the dice if you pursue this.

AES might be okay, depending on how it’s constructed and used. But the devil’s always in the details.

It’s starting to seem like Gargon’s possibility is fleeting, after all.

Wouldn’t life be simpler if NIST just approved BLAKE2b and/or Argon2 for use in FIPS validated modules?

Yes, life would be much simpler. NIST should do that.

Unfortunately, until that day comes, there are yet more windmills that need tilting.

https://scottarc.blog/2024/06/17/the-quest-for-the-gargon/

#Argon2 #crypto #Cryptography #CryptographyStandards #cybersecurity #encryption #FIPS #NIST #passwordBasedCryptography #passwords #PBKDF2 #security

With syncthing the encryption is realized using Xchachapoly aes-siv and #scrypt is used for primary key derivation. this makes it robust against even state based attackers unlike #pbkdf2

This is a #PBKDF2 hate account ! Vive la #Argon2 🎉 !

#CryptoAsInCryptography

"Since the time PBKDF2 was designed, we’ve seen the rise of powerful GPUs become common place. To defend against this rising onslaught of GPU hashing power is a relatively new algorithm, argon2."

https://blog.dataparty.xyz/blog/wtf-is-a-kdf/#how-does-argon2-work

#cryptography #argon2 #pbkdf2

How Does Argon2 Work?
The cryptographic power of argon2 is sublte but brilliant. Instead of focusing on CPU time by requiring large numbers of hash iterations, argon2 wages war on your GPUs memory capacity. When hashing a password with argon2 an application developer can dial up the amount of RAM that is required to complete the computation. In so doing it starves the globs of highly parallel computation cores in a GPU reducing the total processing power the GPU can bring to bear.

Tails - Weak cryptographic parameters in LUKS1 https://tails.boum.org/security/argon2id/index.en.html #cryptsetup #parameter #dm-crypt #argon2id #weakness #crypto #pbkdf2 #tails #luks #kdf

@niconiconi @Moon @PeterCxy @a1ba Doesn'it still lack support for a bunch of LUKS settings & modes that have been around for a while?

Or is this warning (https://wiki.archlinux.org/title/GRUB#Encrypted_/boot) finally obsolete and wrong somewhere?

At least going by (info "(grub) cryptomount") (https://www.gnu.org/software/grub/manual/grub/html_node/cryptomount.html) on Debian argon2id still isn't supported despite PBKDF2 being recommended against nowadays.

#GRUB #LUKS #PBKDF2 #PBKDF #Argon2 #EncryptedBoot

LUKS: Alte verschlüsselte Container unsicher? Ein Ratgeber für Updates

Angeblich konnte die französische Polizei einen LUKS-Container knacken. Kein Grund zur Panik, aber ein Anlass, Passwörter und LUKS-Parameter zu hinterfragen.

https://www.heise.de/news/Alte-LUKS-Container-unsicher-Ein-kleiner-Update-Ratgeber-8981054.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege

#Argon #LUKS #Linux #PBKDF2 #Security #Verschlüsselung #cryptsetup

@Ihazchaos Hey Terri, zu dem Thema LUKS hat mein @ct_Magazin-Kollege Sylvester Tremmel (@syt) was auf @heiseonline geschrieben.

https://www.heise.de/news/Alte-LUKS-Container-unsicher-Ein-kleiner-Update-Ratgeber-8981054.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege

#LUKS #KDF #PBKDF2 #Cryptsetup

Changing years and years of passwords, still. Thank you so much #LastPass the "No. 1 password manager" and this #Breach

You had one job

At sign-in. Advise that the password might be too weak. Not everyone looks security news. Password from 2013 doesn't cut it today. Also, why not increasing #PBKDF2 iterations at login?

My wife had 500

Also do what you were doing with the main password, do more #PBKDF2 password iterations. The vault data is as important as the result of the password hashing

I just checked my @bitwarden settings and the number of #PBKDF2 SHA-256 iterations was just 5000 (five-thousand). The sooner this is fixed for existing accounts, the better.

#security #passwords #PBKDF