Cracking Unix passwords using FPGA platforms - Hyperelliptic org
Recommend Documents
Dec 29, 2013 ... Fact: All the public-key crypto we use relies on three assumptions: ... A user
actually tries to use crypto! .... The SIMON and SPECK Families of.
Computer Aided Cryptographic Engineering. Dan Page. SPEED, June 2007. (
joint work with Andrew Moss, Manuel Barbosa, Nigel Smart ...) (an apology: some
...
focuses on the control of permissions and passwords within the UNIX ... The
Internet Worm highlighted two of UNIX's most serious weaknesses: the security.
Jul 21, 2013 ... In functional encryption, ciphertexts encrypt inputs x and keys are issued for
circuits C. Using the key SKC .... Daniel J. Bernstein, Yun-An Chang, Chen-Mou
Cheng, Li-Ping Chou, Nadia .... Brown (March 2006): security “proof”.
recent work we have created a new kind of graphical password system ... A user is likely to forget a ... the elements of the different passwords or remember the password ...... interpretation of this phenomenon is that users who forgot their.
C. : a group of degree zero divisor classes of C g = 1 ⇒ J. C elliptic curve ..... ω=aτ+b, max{a,b} = c∙min{a,b} + d. ▫ Λ=log. 2. (min{a,b})+19log. 2 c/17+log. 2 d+2.
like digital signature, public key encryption, key agreements, ... For those needs, Elliptic .... (as recommended in [22, 25]), the modular reduction is cheap. This is ...
Existing solutions such as textual and graphical passwords are subject to ...
Keywords: Authentication, (Visual) Passwords, Token, 3D, Hamiltonian. 1 Visual
...
May 6, 2009 - FPGA Implementation of a Parallelized MT19937 Uniform. Random Number Generatorâ, Vinay Sriram and David. Kearney present a fast ...
Aug 4, 2008 - Abstract â We have implemented in FPGA recently published class of public key algorithms â ... Rabin's digital signature method [20]; .... Definition 3 A quasigroup (Q, â) of order 2d is called Multivariate Quadratic Quasigroup ..
security benefits in comparison to passwords, using PINs instead of ... 1-800 CALL ATT becomes 1-800 225 5288. ..... qualitative, using an iPhone app and 25 subjects; and one .... of the 4th USENIX conference on Hot topics in security, pages.
Red Cross. # Organizations with ongoing activities. # Ongoing protection activities. Serbia: 4W Dashboard - Protection,
email: {maanrl, masdan, juplos, pakrli}@utu.fi. Abstract- Streaming applications are a keystone in several emerging multimedia services like DVB-IPTV, VoD and.
Latest news: Twitter was cracked at the beginning of February, 2013. ... Frenchman even succeeded in breaking into Barack Obama's twitter account in.
BEE2 FPGA platform which can run at 400 million password calcula- tions/second. ... Recovering an individual password requires a few minutes on a Virtex-4. FPGA. ... for cryptanalyzing stream ciphers more complex time/memory/data trade-offs are known
platform. Making a good decision is usually not easy, which makes the comparison of FPGAs and GPUs ..... [2] Z. Feng, X. Tian and S. Chang, âA parallel molecular docking ... [4] G. M. Morris, D. S. Goodsell, R. S. Halliday et al., âAutomated.
versus single-threaded software on a CPU. ... steps needed by existing HLS software. ..... AutoPilot provides arbitrary precision integer (APInt) and arbitrary ...
The Discrete Wavelet Transform is a classic real-time imaging algorithm that is ... DSP processor to a FPGA based implementation of an image real-time ... of using well known programming languages such as C/C++ and assembly language.
grid computations, direct methods for solving large sparse system equations such as .... 27.57. 0.86 %. Benchmark system results from 3.2 GHz Pentium 4.
May 29, 2017 - mainly consider abelian varieties isogenous to hyperelliptic Jacobians ... the universal triviality of the Chow group of 0-cycles of cubic ...
Knizhnik-Zamolodchikov equation given in terms of hyperelliptic integrals. 1 Introduction. The starting point of our investigation is the observation due to F.A. ...
proof of the elliptic Szpiro inequality for pencils over bases of higher genus. 2. Hyperelliptic symplectic fibrations. First we recall some basic definitions and ...
Sep 23, 2009 - ... protocols for secure key exchange and digital signatures are based on the ... hyperelliptic Ate pairing (which has a different definition than the ...
Aug 29, 2015 - through media (social engineering), brute-force search through automated ... order to authenticate to a secure internet banking service, ... smart card or biometric object. ..... This penalizes schemes where insider fraud at one.
Cracking Unix passwords using FPGA platforms - Hyperelliptic org
Cracking Unix passwords using FPGA platforms Nele Mentens, Lejla Batina, Bart Preneel, Ingrid Verbauwhede COSIC, Katholieke Universiteit Leuven SHARCS 25.02.2005
Outline • Time-memory trade-off • Unix password hashing • Time-memory trade-off for Unix password hashing • Implementation options and results • Future work • Conclusion
Time-memory trade-off • Encryption C = EK(P) • Fixed and known plaintext K EK(P) is a one-way function • Attack scenario: find K for given C • Straightforward methods:
P E
– exhaustive key search – precomputation table with all (K,C)-pairs
• Time-memory trade-off (Hellman, 1980): – less time than exhaustive key search – less memory than precomputation
C
Time-memory trade-off Two functions are defined: • g: {0,1}n {0,1}k called reduction function maps a ciphertext to a key. g
C
{0,1}k or f(K) = g(EK(P)) • f: {0,1}k maps a key to a key.
P K1
E
f C
g
K2
K
Time-memory trade-off Now a chain of length t can be constructed:
P K0
E
f C0
g
P K1
f
E
C1
g
f
K2
Kt
or
K0
f
K1
K2
Kt
Time-memory trade-off Original idea from Hellman: • m chains of length t • Only the start point (SP) and the end point (EP) of a chain are stored in a table.
Time-memory trade-off Preparation of the attack (off-line part): • Start from a key and apply a repeated sequence of encryptions and reduction functions. • The length of this sequence (chain) is t. • Start from another key and do the same. • Repeat this until m chains have been computed. • Create a table with m start point-end point pairs.
Time-memory trade-off Attack (on-line part): • Start from the given ciphertext Ca and do the chain computations (repeated sequence of encryptions and reduction functions) until there is a match with the end point of a chain. • Start from the start point of this chain and compute all intermediate ciphertexts until Ca is found. The key just before Ca is the right one.
Time-memory trade-off Attack example: • Start from Ca until EP4 is found. • Start from SP4 until Ca is found. • K2 of chain 4 is the key we need.
EP1 EP2 EP3 EP4 EP5 EP6 EP7 EP8
SP1 SP2 SP3 SP4 SP5 SP6 SP7 SP8
stored pairs of keys
Ca g Ka f Kb f Kc f Kd f Ke f Kf=EP4 SP4 E C1 g K1 E C2 g K2 E C3=Ca
Time-memory trade-off improvements: • distinguished points (Rivest, Borst et al., Stern): only store end points with a special property e.g. last 20 bits are 0 reduced number of memory accesses but variable length chains • rainbow tables (Oechslin): use a different reduction function in every iteration decreased probability of merging chains
Time-memory trade-off Cost for success probability 86% for 1 rainbow table with m = 22k/3 and t = 2k/3 • Precomputation: time 2k and memory 22k/3 • Recovery of one key: time 22k/3 Improved analysis based on full cost: see Michael Wiener’s talk
Unix password hashing The Unix password system uses 25 modified DES blocks. 64 zeros password salt password salt
password salt
plaintext
DES DES
DES hash
key 25x
salt
DES ciphertext
Unix password hashing /etc/passwd: – write-protected file – contains username, salt and hash – data are stored as ASCII characters
Time-memory trade-off for Unix password hashing P K0
E
f C0
g
P K1
E
f C1
Ki = password – assume k=48 P = 64 zeros E = 25 modified DES blocks Ci = hash g = reduction function
g
K2
Kt
Implementation options and results Options for the reduction functions: S-boxes, xor functions, bit swaps • • •
All options have low hardware complexity. For rainbow tables we need one general reduction function from which different reduction functions can be derived. Our reduction function is an xor with a counter, which has a different value for each reduction function.
Implementation options and results Generation of the tables (off-line part): • Implementation platform: BEE2 designed at UC Berkeley • Variant of time-memory trade-off: rainbow tables • Generation of start points will be done in the FPGA using a counter. The counter in the reduction function can be re-used for this purpose.
Implementation options and results The BEE2 platform: • One BEE2 module consists of five Virtex-IIPro-70 FPGAs. • Each BEE2 module has 20 GB DDR-RAM and a 10 Gb/s ethernet connector. • The platform is modular. Currently it consists of 2 modules, but 10 more are being produced. • The platform can handle frequencies up to 200-300 MHz. • The cost per module is ± $7500
Implementation options and results SP
pipelined implementation 64−bit hash
password
25DES
counter
gi
56−bit counter
hash
bit−wise XOR
EP 56−bit image
Implementation options and results Some numbers on the precomputation part: • Computation for one salt takes 8 days on 1 BEE2 module. • Precomputation for all salts in one year requires 92 modules. • Memory complexity per salt is 2
2 48 3
∗ 14 Bytes = 56 GBytes
Implementation options and results Some numbers on the on-line part: •
Recovering a password using one Virtex-4 takes
(
)
216 216 − 1 1.5µs < 1 hour 2
•
Using 25 pipelining steps it will only take a few minutes.
Implementation options and results Comparison with other implementations:
Biham, 1997 UCL, 2002 Oechslin, 2003 this work
platform
algorithm
speed(enc/s)
64-bit Alpha computer Virtex1000
56-bit DES
2M
40-bit DES
66M
P4, 1.5 GHz, 56-bit DES 0.7M 500 MB RAM BEE2 25 x 56-bit 100M modified DES
Future work • Perform the attack for one salt • Optimize the choice of parameters • Examine how many tables would be optimal • Try this on PlayStation 3
Conclusions • FPGA implementation of the Unix password system • FPGA creates the table inputs for the offline part of the time-memory trade-off • Decisions need to be made on other aspects of the attack
