Time-Memory tradeoffs in password cracking

Basic Attacks
• Dictionary attack:
  • What if password is chosen well?
• Brute Force (online version):
  • Try all N possible passwords.
  • Space: O(1); Time: O(N)
• Brute Force with pre-computation
  • Offline: keep hashes of all N possible passwords in DB
  • Online: look up hash in DB
  • Space: O(N); Time: O(log N)

Inverting a one-way hash
The one-way hash function is easy to compute but hard to invert.
[Figure: m → h(m) is easy; h(m) → m is hard]

Chains
• Note that image h(x) can also be a source
  • Both have n bits
• Chain: x → h(x) → h(h(x)) → h(h(h(x))) → …

Time-Memory tradeoff – Offline
• Offline:
  • Pick m random values x_1, …, x_m
  • Compute chain of t steps from each x_i
  • Keep table of {x_i, h^t(x_i)}, sorted by h^t
  • Space: O(m)

Time-Memory tradeoff – cont.
• Online: (given value y)
  • Compute chain of t steps from y
  • Find h^j(y) as end-point i
  • Begin from matching start point x_i
  • Compute chain from x_i until y found
  • Time: O(t)
[Figure: chain from start point (sp) to end point (ep), with y located on the chain]

Setting the parameters
• How many values x_1, …, x_m to use for chains of length t, for N possibilities?
• Need y to appear (in the middle of some) chain – this is the “coverage”
• Difficulty is that chains may “collide”
• Analysis shows a trade-off:
• Working point:

What if domains are different
• E.g. password has 8 alphanumeric characters
• Hash produces 128 bits
• Need to “return” to password domain to build the chains

Reduce function
• The reduce function is an “onto” function that maps a hash to a desired password in the character set
• reduce(hash(a password)) → next password
Now use previous idea, with
[Figure: chain through h and R; values shown: pass123, xrr12YYv679, Apple]

Rainbow Tables
• First pioneered by Philippe Oechslin
• Implemented in the Windows password cracker Ophcrack
  • lowercase alphanumeric passwords 8 characters long
  • case-sensitive passwords of 5-16 characters in length
  • valid UNIX passwords (96 symbols, 8 characters)

Many Reduce Functions
• Use a different reduction function for each "link" in a chain
• When a hash collision occurs, the chains will not merge (so long as the collision doesn't occur at the same position in each chain)
• Increases the probability of a correct crack
• Improves speed: approximately doubles the speed.

Example
• We want to reverse the hash “re3xes”
• We apply reduction function R3 and get “rambo”. We check the table and don’t find it there
• We then restart using R2 followed by R3 (and keep doing this with 3, 4, 5 reductions until we succeed).
• We can see that with two reductions we get “linux23”, which is in the table
• We look up the start value “password” and then start our search of this chain, comparing the hash at each iteration to our target hash “re3xes”. Once we find it we stop, and we discover the password “culture” that generated that hash value.

Rainbow Tables
• Rainbow Table for LanManager passwords (windows), config #0
  Charset: [ABCDEFGHIJKLMNOPQRSTUVWXYZ ]
  Keyspace: 8,353,082,582
  Table size: 610 Mb
  Success probability: 0.9990
  Cracks 5-alpha in a few seconds
  http://www.antsight.com/zsl/rainbowcrack/demo_rainbowcrack_cfg0.txt
• Rainbow Table for LanManager passwords (windows), config #1
  Charset: [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ]
  Keyspace: 80,603,140,212
  Table size: 3 GB
  Success probability: 0.9904

Rainbow Tables
• Rainbow Table for MD5 (loweralpha-numeric 1-8)
  Charset: [abcdefghijklmnopqrstuvwxyz0123456789 ]
  Keyspace: 2,901,713,047,668
  Table size: 36 GB
  Success probability: 0.99904
  10 MD5 hashes broken in 35 minutes.
• Rainbow Table for Microsoft Office
  • 40-bit encrypted files decrypted in 5 minutes on average
  • One table for MS Word and one table for MS Excel
  • Table size is 40 GB
  • 99.9% accuracy

Rainbow Tables in Practice
• Pre-computed files are now available on BitTorrent
• Rainbow table crackers are now online on websites.
• Salts are one way to defeat rainbow tables.
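
The offline/online phases with a different reduce function per link, and the salt defence from the last slide, as an added Python example that is not part of the original slides. The 512-password keyspace, SHA-256, the reduce construction, the start points and the salt value are assumptions chosen for illustration.

```python
import hashlib
from itertools import product

# Constructed toy keyspace (512 passwords) so the table builds instantly.
KEYSPACE = ["".join(p) for p in product("abcdefgh", repeat=3)]
N, T = len(KEYSPACE), 16            # T = chain length t from the slides

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def reduce(digest: bytes, i: int) -> str:
    """R_i: map a digest back into the password domain, different per link."""
    return KEYSPACE[(int.from_bytes(digest[:8], "big") + i) % N]

def chain(pw: str, begin: int = 0):
    """Yield (position, password) from link `begin` up to the end point T."""
    for i in range(begin, T):
        yield i, pw
        pw = reduce(h(pw.encode()), i)
    yield T, pw

def end_point(pw: str, begin: int = 0) -> str:
    return list(chain(pw, begin))[-1][1]

def build(starts):
    """Offline: store only end point -> start points."""
    table = {}
    for sp in starts:
        table.setdefault(end_point(sp), []).append(sp)
    return table

def lookup(table, target: bytes):
    """Online: assume target sits at link j, rebuild the tail, check the table."""
    for j in range(T - 1, -1, -1):
        for sp in table.get(end_point(reduce(target, j), j + 1), []):
            for i, pw in chain(sp):          # replay chain; rejects false alarms
                if i < T and h(pw.encode()) == target:
                    return pw
    return None

STARTS = KEYSPACE[::8]                       # m = 64 start points
TABLE = build(STARTS)
SALT = b"constructed-16B!"                   # per-user salt (sample value)

def demo():
    unsalted = sum(lookup(TABLE, h(p.encode())) == p for p in KEYSPACE)
    salted = sum(lookup(TABLE, h(SALT + p.encode())) is not None for p in KEYSPACE)
    return unsalted, salted                  # salted is 0: the table is useless

if __name__ == "__main__":
    print("recovered unsalted/salted: %d/%d of %d" % (*demo(), N))
```

The table stores 64 start/end pairs yet recovers every password that appears anywhere on a chain; the same table recovers nothing once a salt is mixed into the hash input, because it was computed for h(password) and not for h(salt + password).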