Time-Memory tradeoffs in password cracking

Upload: hilary-wiggins

Post on 20-Jan-2016


Basic Attacks

• Dictionary attack:
  – What if password is chosen well?
• Brute Force (online version):
  – Try all N possible passwords.
  – Space: O(1); Time: O(N)
• Brute Force with pre-computation
  – Offline: keep hashes of all N possible passwords in DB
  – Online: look up hash in DB
  – Space: O(N); Time: O(log N)

Inverting a one-way hash

The one-way hash function is easy to compute but hard to invert.

$h : \{0,1\}^n \to \{0,1\}^n$, $h(m) = c$, $m = h^{-1}(c)$

• m → h(m): easy
• h(m) → m: hard

Chains

• Note that image h(x) can also be a source
  – Both have n bits
• Chain: x → h(x) → h(h(x)) → h(h(h(x))) → …

Time-Memory tradeoff – Offline

• Offline:
  – Pick m random values x1, …, xm
  – Compute chain of t steps from each xi
  – Keep table of {xi, h^t(xi)}, sorted by h^t
  – Space: O(m)

Start Point    End Point
x1             h^t(x1)
…
xi             h^t(xi)
…
xm             h^t(xm)

Time-Memory tradeoff – cont.

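• Online: (given value y)
  – Compute chain of t steps from y
  – Find h^j(y) as end-point i
  – Begin from matching start point xi
  – Compute chain from xi until y found; the value just before y in the chain is the preimage
  – Time: O(t)

[Figure: a chain from its start point (sp) to its end point (ep), with y marked on it]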


Setting the parameters

• How many values x1, … xm to use for chains of length t, for N possibilities?

• Need y to appear (in the middle of some) chain – this is the “coverage”

• Difficulty is that chains may “collide”

• Analysis shows a trade-off:

• Working point:
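Added example (not from the original slides): a simulation of the coverage problem described above. It assumes a constructed random function over N = 2^16 values in place of h, and counts how many distinct points m chains of t steps really cover compared with the m·t hash computations spent offline.

```python
import random

def coverage(N, m, t, seed=2016):
    """Return (distinct invertible points, distinct end points) for m chains of t steps."""
    rng = random.Random(seed)
    h = [rng.randrange(N) for _ in range(N)]   # constructed random function standing in for h
    covered, ends = set(), set()
    for _ in range(m):
        x = rng.randrange(N)                   # random start point x_i
        for _ in range(t):
            covered.add(x)                     # h(x) lies on this chain, so x can be recovered
            x = h[x]
        ends.add(x)                            # end point h^t(x_i)
    return len(covered), len(ends)

def compare(N=1 << 16):
    """Coverage as a fraction of the m*t hash computations spent offline."""
    results = {}
    for m, t in [(40, 40), (256, 256)]:
        c, e = coverage(N, m, t)
        results[(m, t)] = (c, e, c / (m * t))
    return results

if __name__ == "__main__":
    for (m, t), (c, e, frac) in compare().items():
        print(f"m={m:4d} t={t:4d} work={m*t:6d} covered={c:6d} "
              f"end points={e:4d} useful fraction={frac:.2f}")
```

The useful fraction falls for the larger table because later chains collide with points that earlier chains already cover, and from the collision onward they add nothing new.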


What if domains are different

• E.g. Password has 8 alphanumeric characters

• Hash produces 128 bits

• Need to “return” to password domain to build the chains

Reduce function

• The reduce function is an “onto” function that maps a hash to a desired password in the character set
  – reduce(hash(a password)) → next password

Now use previous idea, with

[Figure: “Apple” → h → “xrr12YYv67” → R → “9pass123”]

Rainbow Tables

• First pioneered by Philippe Oechslin

• Implemented in the Windows password cracker 0phcrack

– lowercase alphanumeric passwords of 8 characters long

– case sensitive passwords of 5-16 characters in length

– valid UNIX passwords (96 symbols, 8 characters)


Many Reduce Functions

• Use a different reduction function for each "link" in a chain

• When a hash collision occurs - the chains will not merge (so long as collision doesn't occur at the same position in each chain)

• Increases the probability of a correct crack

• Improves speed - approximately doubles the speed.

Example

1. We want to reverse the hash “re3xes”

2. We apply reduction function R3 and get “rambo”. We check the table and don’t find it there.

3. We then restart using R2 followed by R3 (and keep doing this with 3, 4, 5 reductions until we succeed).

4. We can see that with two reductions we get “linux23” which is in the table

5. We look up the start value “password” and then start our search of this chain, comparing the hash at each iteration to our target hash “re3xes”. Once we find it we stop, and we have discovered the password “culture” that generated that hash value.

Rainbow Tables

• Rainbow Table for LanManager passwords (windows) config #0
  Charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ ]
  Keyspace 8,353,082,582
  Table size 610Mb
  Success probability 0.9990
  Cracks 5-alpha in a few seconds
  http://www.antsight.com/zsl/rainbowcrack/demo_rainbowcrack_cfg0.txt

• Rainbow Table for LanManager passwords (windows) config #1
  Charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ]
  Keyspace 80,603,140,212
  Table size 3 GB
  Success probability 0.9904

Rainbow Tables

• Rainbow Table for MD5 (loweralpha-numeric 1-8)
  Charset [abcdefghijklmnopqrstuvwxyz0123456789 ]
  Keyspace 2,901,713,047,668
  Table size 36 GB
  Success probability 0.9990
  410 MD5 hashes broken in 35 minutes.

• Rainbow Table for Microsoft Office
  – 40-bit encrypted files decrypted in 5 minutes on average
  – One table for MS Word and one table for MS Excel
  – Table size is 40 GB
  – 99.9% accuracy

Rainbow Tables in Practice

• Pre-computed files are now available on BitTorrent

• Rainbow table crackers are now online on websites.

• Salts are one way to defeat rainbow tables.
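
Added example (not from the original slides): a toy rainbow table tying together the reduce function, the per-link reduce functions R_k, the lookup walk from the Example slide, and the closing point about salts. The 3-letter lowercase domain, the start points, the salt value and all function names are constructed for illustration; MD5 is used only because the slides cite MD5 tables.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"    # constructed toy domain: 3 lowercase letters
LENGTH = 3
N = len(CHARSET) ** LENGTH                 # 17,576 candidate passwords

def h(pw, salt=b""):
    """The hash being inverted; a salt is prepended when given."""
    return hashlib.md5(salt + pw.encode()).digest()

def reduce(digest, k):
    """R_k: map a 128-bit hash back into the password domain (differs per link k)."""
    v = (int.from_bytes(digest[:8], "big") + k) % N
    out = ""
    for _ in range(LENGTH):
        v, r = divmod(v, len(CHARSET))
        out += CHARSET[r]
    return out

def chain(start, t):
    """Yield the t passwords on a chain, then its end point."""
    x = start
    for k in range(t):
        yield x
        x = reduce(h(x), k)
    yield x

def build_table(starts, t):
    """Offline phase: keep only {end point: start point}."""
    table = {}
    for sp in starts:
        table.setdefault(list(chain(sp, t))[-1], sp)
    return table

def lookup(table, t, target):
    """Online phase: guess the link j holding target, walk to the end point, replay."""
    for j in range(t - 1, -1, -1):
        x = reduce(target, j)
        for k in range(j + 1, t):
            x = reduce(h(x), k)
        if x in table:                     # may be a false alarm; the replay decides
            for p in list(chain(table[x], t))[:-1]:
                if h(p) == target:
                    return p
    return None

def demo(t=50):
    table = build_table(["aaa", "pwd", "abc", "xyz", "qqq"], t)  # constructed start points
    victim = list(chain("aaa", t))[20]     # a password this table covers
    unsalted = lookup(table, t, h(victim))
    salted = lookup(table, t, h(victim, salt=b"constructed-salt"))
    return victim, unsalted, salted
```

`demo()` recovers the covered password from its unsalted hash but returns `None` for the salted hash of the same password, because every chain in the table was computed with the unsalted function.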