time-memory tradeoffs in password cracking


Upload: rafal

Post on 23-Feb-2016


TRANSCRIPT

Page 1: Time-Memory tradeoffs in password cracking

Time-Memory tradeoffs in password cracking


Basic Attacks

• Dictionary attack:
– What if password is chosen well?
• Brute Force (online version):
– Try all N possible passwords.
– Space: O(1); Time: O(N)
• Brute Force with pre-computation
– Offline: keep hashes of all N possible passwords in DB
– Online: look up hash in DB
– Space: O(N); Time: O(log N)


Inverting a one-way hash

The one-way hash function is easy to compute but hard to invert.

h: {0,1}^n → {0,1}^n
h(m) = c
m = h^{-1}(c)

• m → h(m): easy
• h(m) → m: hard


Chains

• Note that image h(x) can also be a source
– Both have n bits
• Chain: x → h(x) → h(h(x)) → h(h(h(x))) → …


Time-Memory tradeoff – Offline

• Offline:
– Pick m random values x_1, …, x_m
– Compute chain of t steps from each x_i
– Keep table of {x_i, h^t(x_i)} – sorted by h^t
– Space: O(m)

Start Point    End Point
x_1            h^t(x_1)
…              …
x_i            h^t(x_i)
…              …
x_m            h^t(x_m)

Time-Memory tradeoff – cont.

• Online: (given value y)
– Compute chain of t steps from y
– Find h^j(y) as end-point i
– Begin from matching start point x_i
– Compute chain from x_i until y found
– Time: O(t)

[Figure: y on a chain, with labels sp and ep]


Setting the parameters

• How many values x1, … xm to use for chains of length t, for N possibilities?

• Need y to appear (in the middle of some) chain – this is the “coverage”

• Difficulty is that chains may “collide”

• Analysis shows a trade-off:

• Working point:

What if domains are different

• E.g. Password has 8 alphanumeric characters

• Hash produces 128 bits

• Need to “return” to password domain to build the chains

Reduce function

• The reduce function is an “onto” function that maps a hash to a desired password in the character set
– reduce(hash(a password)) → next password

Now use previous idea, with

Apple –h→ xrr12YYv679 –R→ pass123


Rainbow Tables

• First pioneered by Philippe Oechslin

• Implemented in the Windows password cracker Ophcrack

– lowercase alphanumeric passwords of 8 characters long

– case sensitive passwords of 5-16 characters in length

– valid UNIX passwords (96 symbols, 8 characters)


Many Reduce Functions

• Use a different reduction function for each "link" in a chain

• When a hash collision occurs - the chains will not merge (so long as collision doesn't occur at the same position in each chain)

• Increases the probability of a correct crack

• Improves speed - approximately doubles the speed.


Example

1. We want to reverse the hash “re3xes”.
2. We apply reduction function R3 and get “rambo”. We check the table and don’t find it there.
3. We then restart using R2 followed by R3 (and keep doing this with 3, 4, 5 reductions until we succeed).
4. We can see that with two reductions we get “linux23”, which is in the table.
5. We look up the start value “password” and then start our search of this chain, comparing the hash at each iteration to our target hash “re3xes”. Once we find it we stop, and we discover the password “culture” that generated that hash value.


Rainbow Tables

• Rainbow Table for LanManager passwords (windows) config #0
– Charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ ]
– Keyspace 8,353,082,582
– Table size 610Mb
– Success probability 0.9990
– Cracks 5-alpha in a few seconds
– http://www.antsight.com/zsl/rainbowcrack/demo_rainbowcrack_cfg0.txt

• Rainbow Table for LanManager passwords (windows) config #1
– Charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ]
– Keyspace 80,603,140,212
– Table size 3 GB
– Success probability 0.9904


Rainbow Tables

• Rainbow Table for MD5 (loweralpha-numeric 1-8)
– Charset [abcdefghijklmnopqrstuvwxyz0123456789 ]
– Keyspace 2,901,713,047,668
– Table size 36 GB
– Success probability 0.9990410 MD5 hashes broken in 35 minutes..

• Rainbow Table for Microsoft Office
– 40-bit encrypted files decrypted in 5 minutes on average
– One table for MS Word and one table for MS Excel
– Table size is 40 GB
– 99.9% accuracy


Rainbow Tables in Practice

• Pre-computed files are now available on BitTorrent

• Rainbow table crackers are now available online on websites.

• Salts are one way to defeat rainbow tables.
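
Added example, not part of the original slides: a toy rainbow table over a constructed 3-letter lowercase keyspace, combining the position-dependent reduce functions and the chain lookup described above with the closing point that salts defeat the table. SHA-256 stands in for the hash, and every name (h, reduce, build_table, lookup, STARTS) and parameter is an assumption chosen for illustration.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                       # toy keyspace: N = 26^3 = 17,576 passwords
N = len(CHARSET) ** PW_LEN
T = 40                           # chain length t

def h(pw, salt=""):
    # SHA-256 stands in for the hash being inverted; the salt is simply prepended.
    return hashlib.sha256((salt + pw).encode()).digest()

def index_to_pw(i):
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)

def reduce(digest, pos):
    # R_pos: a different reduction at each chain position, so two chains only
    # merge if they collide at the same position.
    return index_to_pw((int.from_bytes(digest[:8], "big") + pos) % N)

def build_table(starts):
    # Offline phase: store only end point -> start points (space O(m)).
    table = {}
    for start in starts:
        pw = start
        for pos in range(T):
            pw = reduce(h(pw), pos)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, y):
    # Online phase: guess the position of y in a chain, starting from the last link.
    for pos in range(T - 1, -1, -1):
        pw = reduce(y, pos)
        for k in range(pos + 1, T):
            pw = reduce(h(pw), k)
        for start in table.get(pw, []):      # end point matched; replay that chain
            cand = start
            for k in range(T):
                if h(cand) == y:
                    return cand
                cand = reduce(h(cand), k)
    return None                              # only false alarms, or y not covered

STARTS = [index_to_pw(i) for i in range(0, N, 8)]   # constructed start points

if __name__ == "__main__":
    table = build_table(STARTS)
    target = reduce(h(STARTS[5]), 0)         # a password known to sit inside a chain
    print(lookup(table, h(target)))          # recovered from the unsalted hash
    print(lookup(table, h(target, "x9")))    # same password, salted hash: None
```

Because the salt changes every digest, a table built over unsalted hashes contains no end point that leads back to the password; a random per-user salt forces a separate table for each salt value.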