3

I am trying to solve a security challenge on a website.

Basically, the website computes sha1(key + cookie) to sign a cookie so that the user can't change it himself, and to accomplish the goal you have to find the key value.

I have two (not really good) ideas to find the secret key value:

  • 1: Online (way too slow) try all combinations of the authentication hash with an empty (0 bytes) cookie: this way the website will compute sha1(key) only and will stop displaying an error when I find the correct secret key value.
  • 2: Offline (still very slow but better since you don't need any network requests) go on the website and get {cookie, cookie_hash}. Try to hash xxx + cookie for every possible value of xxx: when sha1(xxx + cookie) == cookie_hash, I know that xxx == secret key.

The thing is, as you noticed, that even the second method is brute forcing and therefore very slow.

Do you think there is a faster method?

StackzOfZtuff
christophetd
  • How long of a secret are we talking about here? (For that matter, how long is the cookie value?) GPUs can brute-force SHA1 at an astonishing rate, but you're still going to have a hard time brute-forcing more than a few billion values, meaning 30-odd bits of entropy. That's not a lot. – CBHacking Sep 21 '15 at 10:27
  • Judging by the passwords / keys used in the other challenges, I'd say less than 10 characters (at least less than 15) composed of letters (including capitals) and numbers. – christophetd Sep 21 '15 at 10:34
  • I don't mean to be 'that guy', but a lot of those 'l3rn 2 h4xx' sites use very easy passwords, if it's not on google already and you don't know the cookie/salt I'd just brute force it all at once, it will give you the password+salt, then just remove one letter from the end of the string, try it, repeat until it says you're right. Mind sharing the site you're on? – Noah Wood Sep 21 '15 at 10:49

1 Answer

3

and to accomplish the goal you have to find the key value.

Do you really need to recover the key to accomplish the goal?

The scheme you have described is vulnerable to the classic length extension attack where a hash function is misused as a message authentication code. The attack is described very well in the Wikipedia article, so I shall avoid replicating the example here.

With the length extension attack, you can generate a valid signature without knowing the actual key value, which is presumably enough to solve the challenge.
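Why sha1(key + cookie) fails as a MAC and why HMAC does not, as an added example that is not part of the original answer: a SHA-1 digest is the hash's full internal state, so hashing can be resumed from a published tag, whereas the same continuation applied to an HMAC tag does not verify. The key, cookie and suffix values are constructed, and the function names are illustrative.

```python
import hashlib, hmac, struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_pad(total_len):
    # Padding SHA-1 appends to total_len bytes of input (0x80, zeros, bit length).
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha1_compress(state, block):
    # SHA-1 compression function applied to one 64-byte block.
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def extend(tag_hex, signed_len, suffix):
    # The tag is the internal state after key + message + padding, so hashing can resume.
    glue = sha1_pad(signed_len)
    state = struct.unpack(">5I", bytes.fromhex(tag_hex))
    tail = suffix + sha1_pad(signed_len + len(glue) + len(suffix))
    for i in range(0, len(tail), 64):
        state = sha1_compress(state, tail[i:i + 64])
    return glue + suffix, struct.pack(">5I", *state).hex()

def prefix_mac(key, msg):   # scheme from the question: sha1(key + cookie)
    return hashlib.sha1(key + msg).hexdigest()

def hmac_tag(key, msg):     # hardened form: HMAC-SHA1
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

KEY, COOKIE = b"constructed-key", b"user=guest"   # constructed sample values

def demo():
    n = len(KEY) + len(COOKIE)   # only the length is passed in; the key bytes are never used
    extra, tag = extend(prefix_mac(KEY, COOKIE), n, b";x=1")
    extra_h, tag_h = extend(hmac_tag(KEY, COOKIE), n, b";x=1")
    return (tag == prefix_mac(KEY, COOKIE + extra),
            tag_h == hmac_tag(KEY, COOKIE + extra_h))
```

`demo()` returns `(True, False)`: the prefix construction accepts a tag for data the key holder never signed, and HMAC rejects the same continuation. Production verifiers should also compare tags with `hmac.compare_digest`.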