Cracking Passwords With Time-memory Trade-offs. Gildas Avoine Université catholique de Louvain, Belgium

Size: px

Start display at page:

Download "Cracking Passwords With Time-memory Trade-offs. Gildas Avoine Université catholique de Louvain, Belgium"

Rosalyn Robbins
7 years ago
Views:

1 Cracking Passwords With Time-memory Trade-offs Gildas Avoine Université catholique de Louvain, Belgium

2 SUMMARY Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

3 MOTIVATIONS Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

4 One-way Function Function h : A B that is easy to compute on every input, but hard to invert given the image of an arbitrary input. Gildas Avoine Cracking Passwords with Time-memory Trade-offs 4

5 Example: Password-based Authentication User (username, pwd) username, pwd Computer Compute h(pwd) username 1 h(pwd 1 ) username 2 h(pwd 2 ) username 3 h(pwd 3 ).. username N h(pwd N ) Gildas Avoine Cracking Passwords with Time-memory Trade-offs 5

username 2 h(pwd 2 ) username 3 h(pwd 3 ).

6 Exhaustive Search Online exhaustive search: Computation: N := A Storage: 0 Precalculation: 0 Precalculated exhaustive search: Computation: 0 Storage: N Precalculation: N Gildas Avoine Cracking Passwords with Time-memory Trade-offs 6

exhaustive search: Computation: 0 Storage: N

7 HELLMAN TABLES Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

8 Precalculation Phase Martin Hellman s cryptanalytic time-memory trade-off (1980). Precalculation phase to speed up the online attack: T N2 M 2 Gildas Avoine Cracking Passwords with Time-memory Trade-offs 8

9 Precalculation Phase (recap) Invert h : A B. Define R : B A an arbitrary (reduction) function. Define f : A A such that f = R h. Chains are generated from arbitrary values in A. S 1 = X 1,1 f X 1,2 f X 1,3 f... S 2 = X 2,1 f X 2,2 f X 2,3 f.... S m = X m,1 f X m,2 f X m,3 f... f X 1,t = E 1 f X 2,t = E 2. f X m,t = E m The generated values should cover the set A (probabilistic). Only the first and the last element of each chain is stored. Gildas Avoine Cracking Passwords with Time-memory Trade-offs 9

.. S 2 = X 2,1 f X 2,2 f X 2,3 f.... S m = X m,1 f X m,2 f X m,3 f... f X 1,t = E 1 f X 2,t = E 2.

10 Online Attack Gildas Avoine Cracking Passwords with Time-memory Trade-offs 10

11 Online Attack (Recap) Given one output y B, we compute y 1 := R(y) and f f f generate a chain starting at y 1 : y 1 y 2 y 3... y s S 1 E 1 S m E m not y 1 y 2 y s y y 1 time needed to rebuild the chain time needed to find a matching endpoint Gildas Avoine Cracking Passwords with Time-memory Trade-offs 11

.. y s S 1 E 1 S m E m not y 1 y 2 y s y y 1 time needed to rebuild the

12 Coverage and Collisions Collisions occur during the precalculation phase. Several tables with different reduction functions. Gildas Avoine Cracking Passwords with Time-memory Trade-offs 12

13 OECHSLIN TABLES Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

14 Using Several Reduction Functions (Oechslin, 2003) Use a different reduction function per column: rainbow tables. Invert h : A B. Define R i : B A arbitrary (reduction) functions. Define f i : A A such that f i = R i h. f 1 f 2 f 3 S 1 = X 1,1 X 1,2 X 1,3... f 1 f 2 f 3 S 2 = X 2,1 X 2,2 X 2,3.... f1 f2 f3 S m = X m,1 X m,2 X m,3... f t X 1,t = E 1 f t X 2,t = E 2 ft X m,t = E m. Gildas Avoine Cracking Passwords with Time-memory Trade-offs 14

Define f i : A A such that f i = R i h. f 1 f 2 f 3 S 1 = X 1,1 X 1,2 X 1,3.

15 Discarding the Merges If 2 chains collide in different columns, they don t merge. If 2 chains collide in same column, merge can be detected. A table without merges is said perfect Gildas Avoine Cracking Passwords with Time-memory Trade-offs 15

16 Online Procedure is More Complex Given one output y B, we compute y 1 := R(y) and generate a chain starting at y 1 : f t s f t s+1 f t s+2 y 1 y 2 y 3... y s S 1 E 1 S m y y 1 y s E m y 2 y y 1 time needed to rebuild the chain time needed to find a matching endpoint Gildas Avoine Cracking Passwords with Time-memory Trade-offs 16

.. y s S 1 E 1 S m y y 1 y s E m y 2 y y 1 time needed to rebuild the chain time

17 Success Probability of a Table is Bounded Theorem Given t and a sufficiently large N, the expected maximum number of chains per perfect rainbow table without merge is: Theorem m max (t) 2N t + 1. Given t, for any problem of size N, the expected maximum probability of success of a single perfect rainbow table is: ( P max (t) ) t t + 1 which tends toward 1 e 2 86% when t is large. Gildas Avoine Cracking Passwords with Time-memory Trade-offs 17

Given t, for any problem of size N, the expected maximum probability of success of a single perfect rainbow

18 Average Cryptanalysis Time Theorem Given N, m, l, and t, the average cryptanalysis time is: T = k=lt k=1 c=t k 1 l (t c)(t c + 1) p k ( 2 i=t + q i i)l+ i=c where (1 m t(t 1) N )lt ( 2 q i = 1 m N i=t + q i i)l i=1 i(i 1) t(t + 1). Gildas Avoine Cracking Passwords with Time-memory Trade-offs 18

+ q i i)l+ i=c where (1 m t(t 1) N )lt ( 2 q i = 1 m N i=t + q i i)l i=1

19 REAL LIFE EXAMPLES Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

20 Statistics from 10,000 Leaked Hotmail Passwords Password Type % numeric 19% lower case alpha 42% mixed case alpha 3% mixed numeric alpha 30% other charac 6% Password Length % 7 37% 8 58% 9 70% Gildas Avoine Cracking Passwords with Time-memory Trade-offs 20

numeric alpha 30% other charac 6% Password Length % 7 37% 8 58%

21 Windows LM Passwords (Algorithm) Win98/ME/2k/XP uses the Lan Manager Hash (LM hash). The password is cut in two blocks of 7 characters. Lowercase letters are converted to uppercase. Gildas Avoine Cracking Passwords with Time-memory Trade-offs 21

22 Windows LM Hash (Results) Cracking an alphanumerical password (LM Hash) on a PC. Size of the problem: N = = Brute Force TMTO Online Attack (op) Time 2 h sec Precalculation (op) Time 0 33 days Storage 0 2 GB Gildas Avoine Cracking Passwords with Time-memory Trade-offs 22

23 Windows NT LM Passwords Win NT/2000/XP/Vista/Seven uses the NT LM Hash. The password is no longer cut in two blocks. Lowercase letters are not converted to uppercase. Gildas Avoine Cracking Passwords with Time-memory Trade-offs 23

24 Windows NT LM Hash (Results) Cracking a 7-char (max) alphanumerical password (NT LM Hash) on a PC. Size of the problem: N = Brute Force TMTO Online Attack (op) ? Time 99 hrs? Precalculation (op) 0? Time 0? Storage 0? Gildas Avoine Cracking Passwords with Time-memory Trade-offs 24

25 FINGERPRINT TABLES (Joint work with A. Bourgeois and X. Carpent) Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

26 Checkpoints (Avoine, Junod, Oechslin, 2005) Given one output y B, we compute y 1 := R(y) and generate a chain starting at y 1 : f t s f t s+1 f t s+2 y 1 y 2 y 3... y s S 1 E 1 S m y y 1 y s E m y 2 y y 1 checkpoint time needed to rebuild the chain time needed to find a matching endpoint Gildas Avoine Cracking Passwords with Time-memory Trade-offs 26

27 Ridge Functions Endpoints and checkpoints share the same nature. Each column contains a ridge function that outputs a (potentially empty) fingerprint of the chain. Endpoints are no longer stored. We no longer look for matching endpoints but for matching fingerprints. Gildas Avoine Cracking Passwords with Time-memory Trade-offs 27

28 Ridge functions (Avoine, Bourgeois, Carpent, 2012) S 1 F I N G ER S m y y 1 y s P R I N T S y 2 y y 1 ridges time needed to rebuild the chain time needed to find a matching endpoint Gildas Avoine Cracking Passwords with Time-memory Trade-offs 28

29 Fingerprint Tables Theorem The average amount of evaluations of h during the online phase using the fingerprint tables is: lt m T = N k=1 i 1 c i = t l W k = Q k = ( 1 m ) k 1 ( (Wk + Q k ) + 1 m ) lt (Wlt + Q lt ), N N, q c = 1 k (t c i ), P c = i=1 t ( 1 m ) i, N i=c t i 1 (q i q i+1 ), i=c j=c k (c i 1)(P ci + E ci ), E c = (m q c ) i=1 φ j t φ i. i=c Gildas Avoine Cracking Passwords with Time-memory Trade-offs 29

30 Windows NT LM Hash (Results) Cracking a 7-char (max) alphanumerical password (NT LM Hash) on a PC. Size of the problem: N = Brute Force TMTO Online Attack (op) Time 99 hrs 5.9 sec Precalculation (op) Time days Storage 0 16 GB Gildas Avoine Cracking Passwords with Time-memory Trade-offs 30

31 CONCLUSION Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

32 Limits of Cryptanalytic Time-memory Trade-offs A TMTO is never better than a brute force. TMTO makes sense in several scenarios. Attack repeated several times. Lunchtime attack. Attacker is not powerful but can download tables. Two conditions to perform a TMTO. Reasonably-sized problem. One-way function (or chosen plaintext attack on a ciphertext) Gildas Avoine Cracking Passwords with Time-memory Trade-offs 32

Rainbow Cracking: Do you need to fear the Rainbow? Philippe Oechslin, Objectif Sécurité. OS Objectif Sécurité SA, Gland, www.objectif-securite.

Rainbow Cracking: Do you need to fear the Rainbow? Philippe Oechslin, Objectif Sécurité. OS Objectif Sécurité SA, Gland, www.objectif-securite. ainbow Cracking: Do you need to fear the ainbow? Philippe Oechslin, Objectif Sécurité 1 On the menu 1. ainbow tables explained 2. Who is vulnerable 3. Tools and history 4. What you should do about it 2