
Password Timing Attacks


caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jul 20, 2010 6:51 am

Password Timing Attacks

So many ways to crack a password!

On some systems, the server will check a cryptographic signature on a token sent by the user to prove that he has logged into the system. It will kick back an error message as soon as it spots a bad character. This means a computer returns an error for a completely bad token a tiny bit faster than one where the first character is correct.
By submitting signatures again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct digital signature.
http://www.computerworld.com/s/article/9179224/Researchers_Authentication_crack_could_affect_millions
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Jul 20, 2010 8:21 am

Re: Password Timing Attacks

This is pretty impressive. Interesting, the method is not dissimilar from a blind SQLi attack.
~~~~~~~~~~~~~~
Ketchup

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jul 20, 2010 12:20 pm

Re: Password Timing Attacks

It's true, it is the same idea.
You're clever Ketchup...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Sat Jul 24, 2010 7:37 am

Re: Password Timing Attacks

I wonder how feasible this would be on a live network, though. Latency can be highly variable depending on the environment...

Interesting nonetheless....
--
Ziggy
eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
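The following is an added simulation, not code from any of the posts above or from the research the Computerworld article reports on. It models the early-exit comparison caissyd describes (the server stops at the first wrong byte, so a guess with a correct prefix takes slightly longer) and the attacker loop that cycles through byte values and keeps the slowest guess; it also models ziggy_567's point about variable latency by adding Gaussian jitter to every response and letting the attacker take the median of repeated samples. The 4-byte secret, the 1 µs per-byte cost, the 0.5 µs jitter and the seeded random generator are all assumptions chosen to keep the run short and repeatable; response times are computed, not measured. The fixed comparison uses `hmac.compare_digest` from the Python standard library, which examines the whole input regardless of where a mismatch occurs.

```python
"""Simulated timing attack on an early-exit signature check (constructed example)."""
import hmac
import random
import statistics

# Constructed 4-byte "signature" the server expects. A real HMAC tag is longer;
# the length is kept short here so the demo runs in a few seconds.
SECRET = bytes.fromhex("c0ffee42")
BASE_US = 50.0      # assumed fixed cost of handling one request, in microseconds
PER_BYTE_US = 1.0   # assumed cost of examining one byte before the early exit


def leaky_equal(candidate: bytes, expected: bytes):
    """Byte-by-byte comparison that stops at the first mismatch.
    Returns (match, bytes_examined); the count is the information that leaks."""
    if len(candidate) != len(expected):
        return False, 0
    examined = 0
    for x, y in zip(candidate, expected):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(candidate: bytes, expected: bytes):
    """Fixed version: hmac.compare_digest always walks the whole input, so the
    work done does not depend on where the first wrong byte sits."""
    return hmac.compare_digest(candidate, expected), len(expected)


class Server:
    """Models the response of a server using one of the two comparisons.
    jitter_sigma (microseconds) stands in for network latency variation."""

    def __init__(self, compare, jitter_sigma: float, rng: random.Random):
        self.compare = compare
        self.jitter_sigma = jitter_sigma
        self.rng = rng

    def check(self, token: bytes):
        """Returns (accepted, elapsed_us) for one submitted token."""
        accepted, work = self.compare(token, SECRET)
        elapsed = BASE_US + work * PER_BYTE_US + self.rng.gauss(0.0, self.jitter_sigma)
        return accepted, elapsed


def recover(server: Server, length: int, samples: int) -> bytes:
    """Attacker side: for each position, try every byte value, time the response
    `samples` times, keep the median, and extend the prefix with the slowest guess.
    A full match is observable directly (the token is accepted), which is how the
    final byte is confirmed: the early-exit check does equal work for any last byte."""
    known = b""
    for pos in range(length):
        padding = b"\x00" * (length - pos - 1)
        best_byte, best_time = 0, float("-inf")
        for value in range(256):
            guess = known + bytes([value]) + padding
            times = []
            for _ in range(samples):
                accepted, elapsed = server.check(guess)
                if accepted:
                    return guess          # logged in: no more timing needed
                times.append(elapsed)
            t = statistics.median(times)  # median resists latency spikes better than mean
            if t > best_time:
                best_byte, best_time = value, t
        known += bytes([best_byte])
    return known


def demo(samples: int, constant_time: bool = False, seed: int = 1) -> bytes:
    """Run the attack against a leaky or a constant-time server with seeded jitter."""
    compare = constant_time_equal if constant_time else leaky_equal
    server = Server(compare, jitter_sigma=0.5, rng=random.Random(seed))
    return recover(server, len(SECRET), samples)


if __name__ == "__main__":
    print("secret                   :", SECRET.hex())
    print("leaky, 1 sample/guess    :", demo(1).hex(), "(often wrong: jitter swamps a 1 us signal)")
    print("leaky, 25 samples/guess  :", demo(25).hex())
    print("constant-time, 25 samples:", demo(25, constant_time=True).hex())
```

With one sample per guess the 0.5 µs jitter routinely beats the 1 µs per-byte signal, which is ziggy_567's objection; with the median of 25 samples the attacker recovers the secret anyway, because averaging drives the noise down while the signal stays put. Against the `hmac.compare_digest` server every guess costs the same, so the slowest candidate is just noise and the recovered value is garbage. The practical checks are therefore: compare secrets and MACs with a constant-time routine, and do not assume that a jittery network makes the leak unexploitable.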
