Rainbow Cracking: Do you need to fear the Rainbow? Philippe Oechslin, Objectif Sécurité. OS Objectif Sécurité SA, Gland,

Transcription

1 ainbow Cracking: Do you need to fear the ainbow? Philippe Oechslin, Objectif Sécurité 1

2 On the menu 1. ainbow tables explained 2. Who is vulnerable 3. Tools and history 4. What you should do about it 2

3 Time-Memory Trade-Off (TMTO) o Problem: Inverse a function, e.g. a hash 2 h2 o Traditional attack: Brute Force Try every possible input to the hash until you find the correct one Needs massive amount of time, no memory o Generate a complete dictionary of hashes: Look the hash up, find the password immediately Needs no time, massive amount of memory o Time-Memory Trade-Off (TMTO): educe brute-force time by using memory 3

4 Martin ellman's Cryptanalytic TMTO o In 1980 ellman described an attack to inverse N values of a function: o Needs N calculations before the attack o For the attack N2/3 units of memory N2/3 calculations 80% success rate 4

5 The trade-off N T~ memory M2 N = number of passwords time decreases with the square of memory M time T 5

6 TMTO's are based on chains o Define a reduction function that creates a password from a hash 0 h0 h0 2 o Now create chains of passwords: 0 h0 2 h2 3 h3 9 o Create many chains and store only start and the end o We can not travel the chain backwards, but if we know the start, we can find any element 6

7 The trick: 0 h0 2 h2 3 h3 9 1 h1 3 h3 9 h9 6 4 h4 8 h8 7 h7 1 chain start chain end password given hash o Create a chain from the given hash o When you stumble upon an end that is stored in your table, look up the start and advance to the password 7

8 The problem with merges 0 h0 2 h2 3 h3 9 1 h1 3 h3 9 h9 6 4 h4 8 h8 7 h7 1 h5 7 h7 1 o The reduction function can give the same password for two different hashes merges o Even if you find an end in the table, you may not find the password in the chain false alarms 8

9 Multiple tables o The larger a table, the higher the chance that an additional chain will merge with an existing chain. the benefit of adding more chains decreases o It is more efficient to create several different tables based on different reduction functions 9

10 ainbow tables h0 h2 h h6 h3 h h3 h5 h o ainbow tables use a different reduction function for each step of the chains o Chains can only merge if they have the same password at the same position 10

11 ainbow tables are better o Because they have less merges, rainbow tables can be much larger o Larger tables are more efficient About 10 times more than previous versions o ainbow tables need less memory lookups than ellman's original tables 11

12 Who is vulnerable? o Password hashing schemes that add random data to passwords (salt) are not vulnerable o Most vulnerable hash: Windows LanMan hash (all caps, truncated at 7, DES) o Other vulnerable hashes Oracle System password hash (all caps, predictable salt, DES) Windows NT hash (MD4) Cisco PIX (MD5) MySql 3.23, MySql 4.1 without salt Many web based applications 12

13 Funny hashes o The Lanmanager hash LMash Password is cut into pieces of 7 chars esult: two half-hashes Lowercase letters are uppercase o Oracle hash Lowercase letters are uppercased Password is prepended with username before hashing johnny / bingo thus not equal to miller / bingo johnny / bingo equal to john / nybingo! The admin account is called SYSTEM on all DB's we can calculate the hashes of SYSTEM in advance 13

14 Tools and history o ainbow tables invented 2003 at EPFL / LASEC Making a Faster Cryptanalytic Time-Memory Trade-Off, Philippe Oechslin, CYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, 2003 o Instant NTCrack: developed for research 14 seconds for an alphanumeric LanMan hash o Advanced instant NTCrack: online demo summer 2003 alphanumeric LanMan hashes cracked in 7.7 seconds 14

15 o One million hits in three days 15

16 Other tools o September 2003: ainbowcrack by Zhu Shuanglei can be customized for other hashes o Using rainbowcrack, several sites offer(ed) online cracking sarca rainbow tables: rainbowcrack.com: community project, you can use the tables if you submit your own tables passcracking.ru, md5crack.com and many others o August 2004: ophcrack 1.0 with free tables for alphanumeric passwords new online demo cracks passwords in 1.6 seconds 16

17 Atstake LC5 (Symantec) 17

18 Cain (by MAO of oxid) 18

19 ophcrack 2, livecd o April 2005: ophcrack 2 released Windows and Linux GUI etrieves Windows hashes from encrypted SAM (no need to be administrator) hosted on ophcrack.sourceforge.net (48'000 downloads by now) o November 2005: ophcrack livecd insert CD, boot PC, watch passwords being broken 60'000 downloads 19

20 More tools: o August 2005 (defcon 13): The schmoo group offers free rainbowcrack tables (41GB) Announces new cracker project o November 2005: rainbowcrackonline.com large collection of tables to use online for a monthly fee o April 2006: ophcrack 2.2 with tableset WS-20k charset 0-9A-Za-z!\"#$%&'()*+,-./:;<=>?@[\]^_`{ }~ average time: 4 minutes table size 7.5GB (vs. 230GB for rainbowcrackonline) available at ($$$) 20

21 Demo 21

22 Demo: performance o Brute force: 30 days o Brute dictionnary: 48 terabytes o Trade-off 20'000 times faster than brute force 6'600 times less memory than brute dictionnary o Time spent creating the tables: 250 days 22

23 Friendly uses of ainbow tables o Protecting privacy in FID tags people don't want to be traced through the identifiers broadcast by their FID tags o Solution: Tag emits a sequence of random values Owner knows the initial value of the sequences of all his tags Tag is identified by owner by testing all possible values of all sequences (brute force, 3 minutes) With rainbow tables, tag can be read in milliseconds o educing Time Complexity in FID Systems, Avoine, Dysli and Oechslin, 12th Annual Workshop on Selected Areas in Cryptography (SAC'05),

24 Are passwords useful at all? o ainbow cracking benefits three times from Moore's law cracking time decreases linearly with processor speed and with the square of memory size Every year, crackers become 4 times faster! o More and more people band together to create rainbow tables o Soon, all your passwords are belong to us. 24

25 ow to protect yourself o Avoid broken password hashes disable LMhashes in Windows Why is this not the default? o Avoid unsalted hashes when possible ask your manufacturer to implement salted hashes Unix has it since almost 30 years o When you can't Use _very_ complex passwords 25

26 ainbow resistant passwords o To create rainbow tables all hashes have to be calculated once. o If the passwords are complex enough, auditors will not be able to complete the tables o Existing tables use 10 years of calculations for a complexity of 246 o Use a complexity which is at least 1'000'000 times as much (266), if you are not paranoid 26

27 ainbow resistant passwords o Character set: mixed case alpha + numbers + 33 special chars o LanMan: impossible because max length is 7 ( 243 ) o Oracle: length 11 because it uppercases the password o Other (NThash MD4, MD5, SA1,..): length 10 o If you are paranoid: length 20 (2128) o Better: used salted hashes. 27

28 Thank you for your attention, any questions? 28