Time-Memory tradeoffs in password cracking 1

Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all N possible passwords. –Space: O(1); Time: O(N) Brute Force with pre-computation –Offline: keep hashes of all N possible passwords in DB –Online: look up hash in DB –Space: O(N); Time: O(log N) 2

Inverting a one-way hash The one-way hash function is easy to compute but hard to invert. 3 m h(m) hard easy

Chains Note that image h(x) can also be a source –Both have n bits Chain: x  h(x)  h(h(x))  h(h(h(x)))…. 4

Time-Memory tradeoff – Offline Offline: –Pick m random values x 1, … x m –Compute chain of t steps from each x i –Keep table of {x i, h t (x i ) } – sorted by h t –Space: O(m) 5 Start PointEnd Point X1X1 xixi h t (x i ) xmxm

Time-Memory tradeoff – cont. Online: (given value y) –Compute chain from y –Find h j (y) as end-point i –Begin from matching start point x i –Compute chain from x i until y found –Time: O(t) 6 y ep spsp

Time-Memory tradeoff – cont. Online: (given value y) –Compute chain of t steps from y –Find h j (y) as end-point i –Begin from matching start point x i –Compute chain from x i until y found –Time: O(t) 7 y ep spsp

Time-Memory tradeoff – cont. Online: (given value y) –Compute chain of t steps from y –Find h j (y) as end-point i –Begin from matching start point x i –Compute chain from x i until y found –Time: O(t) 8 y ep spsp !!

Setting the parameters 9

What if domains are different E.g. Password has 8 alphanumeric characters Hash produces 128 bit Need to “return” to password domain to build the chains 10

11 Reduce function Apple xrr12YYv679 pass123 hR

12 Rainbow Tables First pioneered by Philippe Oechslin Implemented in the Windows password cracker 0phcrack –lowercase alphanumeric passwords of 8 characters long –case sensitive passwords of 5-16 characters in length –valid UNIX passwords (96 symbols, 8 characters)

13 Rainbow tables

14 Many Reduce Functions Use a different reduction function for each "link" in a chain When a hash collision occurs - the chains will not merge (so long as collision doesn't occur at the same position in each chain) Increases the probability of a correct crack Improves speed - approximately doubles the speed.

15 Example 1.We want to reverse the hash “re3xes” 2.We apply reduction function R3 and get “rambo”.. we check the table and don’t find it there 3.We then restart using R2 followed by R3 (and keep doing this with 3, 4, 5 reductions until we succeed). 4.We can see that with two reductions we get “linux23” which is in the table 5.We lookup the start value “password” and then start our search of this chain, comparing the hash at each iteration to our target hash “re3xes”. Once we find it we stop, and we discover the password “culture” that generated that hash value..

16 Rainbow Tables Rainbow Table for LanManager passwords (windows) config #0 Charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ ] Keyspace 8,353,082,582 Table size 610Mb Success probability Cracks 5-alpha in a few seconds Rainbow Table for LanManager passwords (windows) config #1 Charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ ] Keyspace 80,603,140,212 Table size 3 GB Success probability

17 Rainbow Tables Rainbow Table for MD5 (loweralpha-numeric 1-8) Charset [abcdefghijklmnopqrstuvwxyz ] Keyspace 2,901,713,047,668 Table size 36 GB Success probability MD5 hashes broken in 35 minutes.. Rainbow Table for Microsoft Office –40-bit encrypted files decrypted in 5 minutes on average –One table for MS Word and one table for MS Excel –Table size is 40 GB –99.9% accuracy MS Office

18 Rainbow Tables in Practice Pre-computed files are now available on bit torrent Rainbow tables crackers are now online on websites. Salts are one way to defeat rainbow tables.