are your passwords safe: energy-efficient bcrypt cracking ... · outline 1 bcrypt 2 implementations...
TRANSCRIPT
Are Your Passwords Safe: Energy-Efficient
Bcrypt Cracking with Low-Cost Parallel
Hardware
Katja Malvoni(kmalvoni at openwall.com)
Solar Designer(solar at openwall.com)
Josip Knezovic(josip.knezovic at fer.hr)
August 19, 2014Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 1 / 21
Motivation
• Bcrypt is:I SlowI SequentialI Designed to be resistant to brute force attacks and to remain
secure despite hardware improvements
• You could almost think why even bother optimizing
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 2 / 21
But
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 3 / 21
Outline
1 Bcrypt
2 Implementations• Parallella/Epiphany• ZedBoard and ZC706
3 Experimental Results
4 Future work
5 Takeaways
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 4 / 21
Bcrypt
Bcrypt
• Based on Blowfish block cipher
• Expensive key setup
• User defined cost setting
• Pseudorandom memory accesses
Blowfish. Photo source: http://wallpapers.free-review.net
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 5 / 21
Implementations Parallella/Epiphany
ArchitectureEpiphany
• 16/64 32-bit RISC cores operating at up to 1 GHz/800 MHz
• Energy-efficient - 2 W maximum chip power consumption
• 32 KB of local memory per core
• FPU can be switched to integer mode
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 6 / 21
Implementations Parallella/Epiphany
ImplementationEpiphany
• John the Ripper prepares data on ARM cores
• Bcrypt hashes computed on Epiphany
• Optimized in assembly
• Each Epiphany core computes two bcrypt hashes
• Computation overlapped to exploit dual-issue architectureI Integer ALUI FPU in integer mode
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 7 / 21
Implementations ZedBoard and ZC706
ArchitectureZynq 7020 and Zynq 7045
• Heterogeneous device
• Dual ARM Cortex-A9 MPCore
• Advanced low power 28nm programmable logic
• Zynq 7045 ∼4 times bigger than Zynq 7020
• AXI buses used for CPU-FPGA communication
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 8 / 21
Implementations ZedBoard and ZC706
ImplementationZynq 7020 and Zynq 7045
• John the Ripper prepares data on ARM cores
• Bcrypt instances compute hash(es)
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 9 / 21
Implementations ZedBoard and ZC706
ImplementationNumber of concurrent instances
• Number of concurrent instances limited by available BRAM
• Overlapping multiple bcrypt instances in one moduleI 56, 70 or 112 instances on Zynq 7020 with 140 BRAMs
◦ or many more on Zynq 7045 with 545 BRAMs
• Large communication overhead for low bcrypt cost setting
• Hardware defects of boards limit optimizations
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 10 / 21
Experimental Results
Epiphany vs x86
1,207 1,200
4,812 4,876
600
35
2,400
51
0
1,000
2,000
3,000
4,000
5,000
6,000
Epiphany 16 T7200 Epiphany 64 i7−2600K
Performance (c/s) Energy-efficiency (c/s/W)
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 11 / 21
Experimental Results
Performance and efficiency comparison
1,207
4,571 4,812
7,044
20,583
4,5565,347
6,246 6,596
6002,285 2,400
3,522 4,116
47 43 49 79
0
5,000
10,000
15,000
20,000
25,000
Epiphany 16 Zynq 7020 Epiphany 64 Zynq 7020 Zynq 7045 HD 7970 FX−8120 Xeon Phi 5110P i7−4770K
Performance (c/s) Energy-efficiency (c/s/W)
(emulated with 7045)
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 12 / 21
Experimental Results
Cost comparison
12.19
24.18
11.578.232
0
10.59
0
10.15
16.09
0
38.41
12.87
8.299
26.08
2.358
18.85
0
5
10
15
20
25
30
35
40
45
Epiphany 16 Epiphany 64 Zynq 7020 Zynq 7045 HD 7970 FX−8120 Xeon Phi 5110P i7−4770K
System price (c/s/$) Chip or device price (c/s/$)
$99 $199 -$75 $395 $119 $549 $505 $205 $2649 $650 $350- -
- - -
$2495 $1596
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 13 / 21
Experimental Results
Derived performance from cost 12
1,207
4,571
20,538
4,556 5,3476,246 6,596
9.6 64.5 226.3 35.7 43 50.2 53.71,207
8,112
28,462
4,4905,408
6,313 6,753
0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
Epiphany 16 Zynq 7020 Zynq 7045 HD 7970 FX−8120 Xeon Phi 5110P i7−4770K
Performance for cost 12 (c/s) Theoretical performance for cost 5 (c/s) Measured performance for cost 5 (c/s)
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 14 / 21
Experimental Results
Theoretical Peak Performance AnalysisTheory
c/s =Nports ∗ f
(2cost ∗ 1024 + 585) ∗ Nreads ∗ 16(1)
• Nports - number of available readports to local memory or L1 cache
• Nreads - number of reads perBlowfish round
• 2cost ∗ 1024 + 585 - number ofBlowfish block encryptions in bcrypthash computation
• f (in Hz) - clock rate
Bcrypt
EksBlowfishEkspensive key schedule Blowfish
bcrypt(cost, salt, pwd)
1: state ← InitState()2: state ← ExpandKey(state, salt, key)3: repeat(2cost)4: state ← ExpandKey(state, 0, salt)5: state ← ExpandKey(state, 0, key)6: ctext ← “OrpheanBeholderScryDoubt”7: repeat(64)8: ctext ← EncryptECB(state, ctext)9: return Concatenate(cost, salt, ctext)
Katja Malvoni and Solar Designer Energy-efficient bcrypt cracking August 6, 2014 2 / 2
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 15 / 21
Experimental Results
Theoretical Peak Performance AnalysisComparison
4,497
7,496
17,989
29,179
10,494 11,093
1,207
4,571 4,812
20,538
4,8766,595
0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
Epiphany 16 Zynq 7020 Epiphany 64 Zynq 7045 i7−2600K i7−4770K
Theoretical estimate for cost 5 (c/s) Measured performance for cost 5 (c/s)
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 16 / 21
Experimental Results
Related work
• F.Wiemer, R. Zimmermann. Speed and Area-OptimizedPassword Search of bcrypt on FPGAs
I bcrypt running on ZedBoard at 80 MHzI 40 parallel instancesI 5208 c/s at cost 5, 41.6 c/s at cost 12
• Yuri Gonzaga, Google Summer of Code 2011
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 17 / 21
Future work
Future work
• Parallella/EpiphanyI Using both Epiphany and Zynq 7020 at onceI Possible to integrate up to 64 chips on a single boardI Scalability of current implementation is promisingI 64 * 64 = 4096 cores with theoretical performance of 300000
c/s
• FPGAI Zynq 7020 and 7045 optimizations
◦ Improve clock rate◦ Reduce communication overhead
I Targeting bigger FPGAsI Targeting multi-FPGA boards
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 18 / 21
Takeaways
Takeaways
• Many-core low power RISC platforms and FPGAs are capable ofexploiting bcrypt peculiarities to achieve comparableperformance and higher energy-efficiency
• Higher energy-efficiency enables higher densityI More chips per board, more boards per system
• It doesn’t take ASICs to improve bcrypt crackingenergy-efficiency by a factor of 45+
I Although ASICs would do better yet
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 19 / 21
Thanks
Thanks
• Sayantan Datta
• Steve Thomas
• Parallella project
• Google Summer of Code
• Xilinx
• Faculty of Electrical Engineering and Computing, University ofZagreb
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 20 / 21
Questions
Questions
?
Katja Malvoni, Solar Designer, Josip KnezovicAre Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware August 19, 2014 21 / 21