{"id":108919,"date":"2023-10-24T07:00:00","date_gmt":"2023-10-24T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=108919"},"modified":"2023-10-24T06:23:11","modified_gmt":"2023-10-24T13:23:11","slug":"20231024-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20231024-00\/?p=108919","title":{"rendered":"Why is there a hash of a weak password in the Windows cryptographic libraries?"},"content":{"rendered":"<p>A customer found the byte sequence <code>ba7816bf8f01cfea\u00ad414140de5dae2223\u00adb00361a396177a9c\u00adb410ff61f20015ad<\/code> in the Windows cryptographic libraries. This is the SHA256 hash of the notoriously insecure password <code>abc<\/code>. (See pages 14 through 16 of the <a href=\"https:\/\/csrc.nist.gov\/csrc\/media\/projects\/cryptographic-standards-and-guidelines\/documents\/examples\/sha_all.pdf\"> NIST Computer Security Resource Center, Cryptographic Standards and Guidelines, SHA examples<\/a> document.) Why does the Windows cryptographic library use such a ridiculously weak password, and what is this password used for?<\/p>\n<p>While it&#8217;s true that <code>abc<\/code> is a horrible password, it&#8217;s also the case that the Windows cryptographic libraries aren&#8217;t using it as a password. The value is part of a self-test that the libraries perform to verify that nothing obvious has gone wrong with the standard providers.<\/p>\n<p>You can find this hard-coded &#8220;well-known SHA256&#8221; in the <a href=\"https:\/\/github.com\/microsoft\/SymCrypt\/blob\/4d3fd5136855648d2a5e987f3b95473b056876b1\/lib\/sha256.c#L333\"> sha256.c module<\/a>, with the &#8220;plaintext&#8221; in <a href=\"https:\/\/github.com\/microsoft\/SymCrypt\/blob\/4d3fd5136855648d2a5e987f3b95473b056876b1\/lib\/selftest.c#L8\"> selftest.c<\/a>. The values are <a href=\"https:\/\/github.com\/microsoft\/SymCrypt\/blob\/4d3fd5136855648d2a5e987f3b95473b056876b1\/lib\/sha256.c#L342\"> used by the function <code>Sym\u00adCrypt\u00adSha256\u00adSelf\u00adTest<\/code><\/a> to verify that the algorithm produces the expected answer.<\/p>\n<p>The fact that an insecure password appears in the cryptography libraries doesn&#8217;t mean that the library is using them as passwords. In this case, they are just test data.<\/p>\n<p><b>Bonus chatter<\/b>: I bet you can find insecure passwords in a lot of binaries if you set your mind to it. Just scan for the bytes <code>61 62 63<\/code> in any binary, and if you find it, you can get all excited: &#8220;Hey, your binary contains the insecure password <code>abc<\/code>!&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>They&#8217;re part of an internal self-test.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-108919","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>They&#8217;re part of an internal self-test.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/108919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=108919"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/108919\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=108919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=108919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=108919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}