Checksum != SecurityAn example hacking into bad Javascript authentication

What’s so Bad?

The Enemy

Breaking Bad Closing

Found in the wild: a web app testing environment

function  promptUserForPassword(pass)  {      if  (jesChecksum(pass)  !=  9887)  {          pass  =  prompt("Please  enter  the  passkey","");  

       if  (pass  ==  null)  {              document.location.href  =  defaultHref;          }  else  {              verifyPassword(pass);          }      }  else  {          successfulLogin(pass);      }  }  

What’s so Bad?

The Enemy

Breaking Bad Closing

function  jesChecksum(str)  {      var  primes  =  [  2,  3,  5,  7,11,                                  13,17,19,23,29,                                  31,37,41,43,47,                                  53,59,61,67,71,                                  73,79,83,89,97];      var  rtn  =  0;  

   for  (i  =  0;  i  <  (str.length);  i++)  {          tmp  =  str.charCodeAt(i)  *  primes[i];          rtn  =  rtn  +  tmp;      }  

   return  rtn;  }

What’s so Bad?

The Enemy

Breaking Bad Closing

What’s so Bad?

The Enemy

Breaking Bad Closing

A hash function is any function that can be used to map digital data of any size to digital data of a fixed size.

“checksums are often used to verify data integrity, but should not be relied upon to also verify data authenticity"

What’s so Bad?

The Enemy

Breaking Bad Closing

“It is infeasible to find two different messages with the same [cryptographic] hash”

What’s so Bad?

The Enemy

Breaking Bad Closing

It should be feasible to find two different messages with the same checksum.

What’s so Bad?

The Enemy

Breaking Bad Closing

What’s so Bad?

The Enemy

Breaking Bad Closing

jesChecksum(pass)  ==  9887

Find “pass” such that

function  jesChecksum(str)  {      …      for  (i  =  0;  i  <  (str.length);  i++)  {          tmp  =  str.charCodeAt(i)  *  primes[i];          rtn  =  rtn  +  tmp;      }      …  }

The simplicity of this algorithm makes it very easy to solve.

What’s so Bad?

The Enemy

Breaking Bad Closing

Thanks to Unicode: Solve 2x + 3y = 9887 over integers

One such solution is “Ŏఁ” Ŏఁ = String.fromCharCode(334, 3073);

What’s so Bad?

The Enemy

Breaking Bad Closing

Using the right tool for the job requires you to understand the tools available

What’s so Bad?

The Enemy

Breaking Bad Closing

Don’t roll your own security either

What’s so Bad?

The Enemy

Breaking Bad Closing

And definitely don’t do security client side in Javascript

What’s so Bad?

The Enemy

Breaking Bad Closing

Thanks

Justin Mancinelli

@piannaf http://piannaf.github.io

https://www.linkedin.com/in/justinmancinelli

Slide 5:http://en.wikipedia.org/wiki/Hash_function

Slide 6:http://en.wikipedia.org/wiki/Checksum

Slide 7:http://en.wikipedia.org/wiki/Cryptographic_hash_function

Slide 8:http://blog.codinghorror.com/checksums-and-hashes/

Slide 13: http://xkcd.com/1286/http://www.explainxkcd.com/wiki/index.php/Encryptic