CentOS 7 net install notes

Now that CentOS 7 is out, I took it out for a test drive. Here are some notes that you may find useful.

I used Virtualbox to install the netinstall iso. This iso contains only the minimal system and you can select additional software if you want during the installation setup.

Notes-

  1. In the setup screen, you are supposed to enter the installation URL. I just couldn’t get it work. This was the error I was getting-

centos_error_setup_url

The root cause of the issue was that the machine wasn’t able to get DNS entry from DHCP server for some reason. So pressed ALT+CTRL+F2 to go to  a shell and modify /etc/resolv.conf with dns servers. And boom! everything worked perfectly

2. After base install, ifconfig command doesn’t work. You need to install following package-

yum install net-tools

 

 

 

Password Hashing Salt- Should It Be Random?

 Recently I had a discussion on whether password hashes salted with random bits are more secure than the one salted with guessable or known bits. Let’s see:

If the system storing password is compromised as well as the system which stores the salt, the attacker will have access to hash as well as salt, so whether the salt is random or not, doesn’t matter. The attacker can generate pre-computed rainbow tables to crack the hash. Here comes the interesting part- it is not so trivial to generate pre-computed tables. Let us take example of WPA security model. The WPA password is actually never sent to Wireless Access Point. Instead, it is hashed with your SSID (the network name- like Linksys, Dlink etc). A very good explanation of how this works is here. In order to retrieve password from hash, you will need to know the password as well as salt (network name). Church of Wifi has already pre-computed hash tables which has top 1000 SSIDs and about 1 million passwords. The size is of all tables is about 40 GB. As you can read on their site, someone used 15 FGPA arrays for 3 days to generate  these tables.

Assuming victim is using the SSID as “a387csf3” and password as “123456”, will it be cracked by those tables? No, it cannot. Even if the password is weak, the tables don’t have hashes for SSID a387csf3.  This is the benefit of having random salt. It will deter crackers who thrive upon pre-computed tables. Can it stop a determined hacker? Probably not. But using random salts does provide additional layer of defense.

While we are on this topic, let us discuss additional advantage of storingrandom salts on a separate system.

Scenario #1 : Password hashes are stored on system X and salt values used for hashing are stored on system Y. These salt values are guessable or known (e.g. username)

Scenario#2 : Password hashes are stored on system X and salt values used for hashing are stored on system Y. These salt values are random.

In case system X has been compromised, as you can guess, there is a huge advantage of using random salt on a separate system (Scenario #2) . The attacker will need to guess addition values to be able to crack hashes. If a 32 bit salt is used, 2^32= 4,294,967,296 (about 4.2 billion) iterations will be required for each salted password.

Hope you find this post useful, I truly appreciate your comments/feedback. Thanks!