exercises 2013-05-02 information security course eric laermans – tom dhaene
TRANSCRIPT
Exercises2013-05-02
Information Security Course
Eric Laermans – Tom Dhaene
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 2
Introduction
Password storage in MS Windows old system
LM hash (LAN Manager hash)– untill Windows Me
new system NTLM hash (NT LAN Manager)
– since Windows NT 3.1
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 3
Introduction
Password storage in MS Windows encoded storage
in SAM (Security Accounts Manager)– non-accessible while OS is active
» file locked by OS when Windows is operating (impossible to read, copy or remove)
– QUESTION 1:» still possible to access file to test passwords
offline?
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 4
LM Hash
Limitations passwords of at most 14 ANSI-characters
95 possible characters a.k.a. “printable ASCII”
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 5
LM Hash
Operation1. converting lower case to upper case
2. adding NULL-characters to obtain 14 characters
3. splitting in two sequences of 7 characters
4. each of these sequences is used as a key to encrypt “KGS!@#$%” (ECB) results in two encoded blocks of 8 bytes the thus obtained 16 bytes are the LM Hash
QUESTION 2 possible attacks, weaknesses? estimated time required for possible attack?
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 6
NTLM Hash
Operation MD4-hash of password
case-sensitive password MD4: hash function with 128 bits hash value
– predecessor of MD5– strong collision resistance totally broken– effective strength as a one-way-function
(preimage resistance) only 102 bits» rather theoretical weakness, not really
practical
QUESTION 3 comparie with present password storage in Linux? reasonable time to crack?
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 7
Backward compatibility
double password storage using NTLM Hash using LM Hash
if possible, otherwise fake value default up to Windows XP
– can be disabled by registry modification– disabled by default since Windows Vista
QUESTION 4 weaknesses of this scheme? better than LM Hash only? how can you make sure LM Hash is not stored?
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 8
Improved attacks
Attacks until now (generally) feasible if LM Hash is available
but still requires quite a lot of compuation time if brute force is used
QUESTION 5 suggestions to improve the attack technique?
– hint: can part of the job be precomputed?
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 9
Improved attacks
Precomputed hash chains not feasible to precompute and store all encoded
passwords QUESTION 6:
– how much storage would be required for password encoded using LM Hash?
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 10
Improved attacks
Precomputed hash chains how can we select the password we want to
store? precomputed hash chains
– technique using trade-off between required computation time and required storage
– for N possible passwords: » storage: O(N2/3)» computation time: O(N2/3)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 11
Improved attacks
Precomputed hash chains two functions
hash function H:PC– transforms password into encoded password– domain: space of possible passwords (P)– range: space of possible hash values (C)
reduction function R:CP– derives a (pseudorandom) password from hash
value» doesn’t need to be a one-way-function» simple choice possible
– domain: space of possible hash values (C)– range: space of possible passwords (P)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 12
Improved attacks
Precomputed hash chains choose a (sufficiently large) number (n) of different
passwords pj,0 (with j:0..(n-1))
compute (not too large) a number (k) of links for each chain
pj,i+1 = R(H(pj,i)) (with i:0..(k-1))
only store the start and end points of the chains pj,0 and pj,k (with j:0..(n-1))
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 13
Improved attacks
Precomputed hash chains cracking an encoded password h
compute: p(0) = R(h) compute: p(i) = R(H(p(i-1)))
– until some p(i) is found which is present in the table of end points pj,k of the hash chains
recompute the chain, starting from pj,0 until the right value pj,k-i-1 is found, such thatH(pj, k-i-1) = h
NOTE: some chains may overlap chains may contain loops false positives are possible
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 14
Improved attacks
Precomputed hash chains required improvement upon basic approach
multiple tables– each with different reduction function– reducing impact op overlapping chains– number typically proportional to chain length
» drawback: larger search time (proportional to chain length and number of chains)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 15
Improved attacks
Precomputed hash chains possible simplification
“distinguished points”– stop chain computation when easily
distinguishable password is reached (instead of fixed length chains)
» e.g. starting / ending with 10 null-bits
QUESTION 7:– what is the advantage of this approach?
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 16
Improved attacks
Rainbow tables improvement over precomputed hash chains
using different reduction function for each link in the chain
– k reduction functions Ri needed (with i:0..(k-1))
– pj,i+1 = Ri (H(pj,i)) (with i:0..(k-1))
look up encoded password h
– compute p(0,0) = Rk-1(h) and lookup in table of end points
– if not found, look up p(1,1) = Rk-1(H(Rk-2(h)))
– if needed, continue with p(i,i) = Rk-1(H(p(i,i-1)))
» with p(i,j) = Rk-i+j-1(H(p(i,j-1)))
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 17
Improved attacks
Rainbow tables advantages
fewer lookups than with multiple tables for precomputed hash chains
– approximately half as many fewer overlapping chains
– and easier to identify which chains merge no loops in chains chains of constant length
– in opposition to “distinguished points”
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 18
Improved attacks
Rainbow tables references:
P. Oechslin, “Making a faster cryptanalytic time-memory trade-off,” Advances in Cryptology -CRYPTO 2003, pp. 617-630http://lasec.epfl.ch/pub/lasec/doc/Oech03.pdf
project RainbowCrackhttp://project-rainbowcrack.com/