Are Your Passwords Safe: Energy-Efficient

Bcrypt Cracking with Low-Cost Parallel

Hardware

Katja Malvoni(kmalvoni at openwall.com)

Solar Designer(solar at openwall.com)

Josip Knezovic(josip.knezovic at fer.hr)

August 19, 2014Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 1 / 21

Motivation

• Bcrypt is:I SlowI SequentialI Designed to be resistant to brute force attacks and to remain

secure despite hardware improvements

• You could almost think why even bother optimizing

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 2 / 21

But

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 3 / 21

Outline

1 Bcrypt

2 Implementations• Parallella/Epiphany• ZedBoard and ZC706

3 Experimental Results

4 Future work

5 Takeaways

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 4 / 21

Bcrypt

Bcrypt

• Based on Blowfish block cipher

• Expensive key setup

• User defined cost setting

• Pseudorandom memory accesses

Blowfish. Photo source: http://wallpapers.free-review.net

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 5 / 21

Implementations Parallella/Epiphany

ArchitectureEpiphany

• 16/64 32-bit RISC cores operating at up to 1 GHz/800 MHz

• Energy-efficient - 2 W maximum chip power consumption

• 32 KB of local memory per core

• FPU can be switched to integer mode

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 6 / 21

Implementations Parallella/Epiphany

ImplementationEpiphany

• John the Ripper prepares data on ARM cores

• Bcrypt hashes computed on Epiphany

• Optimized in assembly

• Each Epiphany core computes two bcrypt hashes

• Computation overlapped to exploit dual-issue architectureI Integer ALUI FPU in integer mode

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 7 / 21

Implementations ZedBoard and ZC706

ArchitectureZynq 7020 and Zynq 7045

• Heterogeneous device

• Dual ARM Cortex-A9 MPCore

• Advanced low power 28nm programmable logic

• Zynq 7045 ∼4 times bigger than Zynq 7020

• AXI buses used for CPU-FPGA communication

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 8 / 21

Implementations ZedBoard and ZC706

ImplementationZynq 7020 and Zynq 7045

• John the Ripper prepares data on ARM cores

• Bcrypt instances compute hash(es)

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 9 / 21

Implementations ZedBoard and ZC706

ImplementationNumber of concurrent instances

• Number of concurrent instances limited by available BRAM

• Overlapping multiple bcrypt instances in one moduleI 56, 70 or 112 instances on Zynq 7020 with 140 BRAMs

◦ or many more on Zynq 7045 with 545 BRAMs

• Large communication overhead for low bcrypt cost setting

• Hardware defects of boards limit optimizations

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 10 / 21

Experimental Results

Epiphany vs x86

1,207 1,200

4,812 4,876

600

35

2,400

51

0

1,000

2,000

3,000

4,000

5,000

6,000

Epiphany 16 T7200 Epiphany 64 i7−2600K

Performance (c/s) Energy-efficiency (c/s/W)

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 11 / 21

Experimental Results

Performance and efficiency comparison

1,207

4,571 4,812

7,044

20,583

4,5565,347

6,246 6,596

6002,285 2,400

3,522 4,116

47 43 49 79

0

5,000

10,000

15,000

20,000

25,000

Epiphany 16 Zynq 7020 Epiphany 64 Zynq 7020 Zynq 7045 HD 7970 FX−8120 Xeon Phi 5110P i7−4770K

Performance (c/s) Energy-efficiency (c/s/W)

(emulated with 7045)

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 12 / 21

Experimental Results

Cost comparison

12.19

24.18

11.578.232

0

10.59

0

10.15

16.09

0

38.41

12.87

8.299

26.08

2.358

18.85

0

5

10

15

20

25

30

35

40

45

Epiphany 16 Epiphany 64 Zynq 7020 Zynq 7045 HD 7970 FX−8120 Xeon Phi 5110P i7−4770K

System price (c/s/$) Chip or device price (c/s/$)

$99 $199 -$75 $395 $119 $549 $505 $205 $2649 $650 $350- -

- - -

$2495 $1596

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 13 / 21

Experimental Results

Derived performance from cost 12

1,207

4,571

20,538

4,556 5,3476,246 6,596

9.6 64.5 226.3 35.7 43 50.2 53.71,207

8,112

28,462

4,4905,408

6,313 6,753

0

5,000

10,000

15,000

20,000

25,000

30,000

35,000

Epiphany 16 Zynq 7020 Zynq 7045 HD 7970 FX−8120 Xeon Phi 5110P i7−4770K

Performance for cost 12 (c/s) Theoretical performance for cost 5 (c/s) Measured performance for cost 5 (c/s)

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 14 / 21

Experimental Results

Theoretical Peak Performance AnalysisTheory

c/s =Nports ∗ f

(2cost ∗ 1024 + 585) ∗ Nreads ∗ 16(1)

• Nports - number of available readports to local memory or L1 cache

• Nreads - number of reads perBlowfish round

• 2cost ∗ 1024 + 585 - number ofBlowfish block encryptions in bcrypthash computation

• f (in Hz) - clock rate

Bcrypt

EksBlowfishEkspensive key schedule Blowfish

bcrypt(cost, salt, pwd)

1: state ← InitState()2: state ← ExpandKey(state, salt, key)3: repeat(2cost)4: state ← ExpandKey(state, 0, salt)5: state ← ExpandKey(state, 0, key)6: ctext ← “OrpheanBeholderScryDoubt”7: repeat(64)8: ctext ← EncryptECB(state, ctext)9: return Concatenate(cost, salt, ctext)

Katja Malvoni and Solar Designer Energy-efficient bcrypt cracking August 6, 2014 2 / 2

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 15 / 21

Experimental Results

Theoretical Peak Performance AnalysisComparison

4,497

7,496

17,989

29,179

10,494 11,093

1,207

4,571 4,812

20,538

4,8766,595

0

5,000

10,000

15,000

20,000

25,000

30,000

35,000

Epiphany 16 Zynq 7020 Epiphany 64 Zynq 7045 i7−2600K i7−4770K

Theoretical estimate for cost 5 (c/s) Measured performance for cost 5 (c/s)

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 16 / 21

Experimental Results

Related work

• F.Wiemer, R. Zimmermann. Speed and Area-OptimizedPassword Search of bcrypt on FPGAs

I bcrypt running on ZedBoard at 80 MHzI 40 parallel instancesI 5208 c/s at cost 5, 41.6 c/s at cost 12

• Yuri Gonzaga, Google Summer of Code 2011

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 17 / 21

Future work

Future work

• Parallella/EpiphanyI Using both Epiphany and Zynq 7020 at onceI Possible to integrate up to 64 chips on a single boardI Scalability of current implementation is promisingI 64 * 64 = 4096 cores with theoretical performance of 300000

c/s

• FPGAI Zynq 7020 and 7045 optimizations

◦ Improve clock rate◦ Reduce communication overhead

I Targeting bigger FPGAsI Targeting multi-FPGA boards

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 18 / 21

Takeaways

Takeaways

• Many-core low power RISC platforms and FPGAs are capable ofexploiting bcrypt peculiarities to achieve comparableperformance and higher energy-efficiency

• Higher energy-efficiency enables higher densityI More chips per board, more boards per system

• It doesn’t take ASICs to improve bcrypt crackingenergy-efficiency by a factor of 45+

I Although ASICs would do better yet

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 19 / 21

Thanks

Thanks

• Sayantan Datta

• Steve Thomas

• Parallella project

• Google Summer of Code

• Xilinx

• Faculty of Electrical Engineering and Computing, University ofZagreb

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 20 / 21

Questions

Questions

?

Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 21 / 21