Time-Memory tradeoffs in password
cracking
1
Basic Attacks
• Dictionary attack:
– What if password is chosen well?
• Brute Force (online version):
– Try all N possible passwords.
– Space: O(1); Time: O(N)
• Brute Force with pre-computation
– Offline: keep hashes of all N possible passwords
in DB
– Online: look up hash in DB
– Space: O(N); Time: O(log N)
2
Inverting a one-way hash
The one-way hash function is easy to
compute but hard to invert.
h : {0,1}n  {0,1}n
m  h 1 (c)
h( m)  C
•easy
m
h(m)
•hard
3
Chains
• Note that image h(x) can also be a source
– Both have n bits
• Chain:
x  h(x)  h(h(x)) h(h(h(x)))….
4
Time-Memory tradeoff – Offline
• Offline:
–
–
–
–
Pick m random values x1, … xm
Compute chain of t steps from each xi
Keep table of {xi , ht(xi) } – sorted by ht
Space: O(m)
Start Point End Point
X1
xi
xm
ht(xi)
5
Time-Memory tradeoff – cont.
• Online: (given value y)
–
–
–
–
–
Compute chain from y
Find hj(y) as end-point i
Begin from matching start point xi
Compute chain from xi until y found
Time: O(t)
y
sp
ep
6
Time-Memory tradeoff – cont.
• Online: (given value y)
–
–
–
–
–
Compute chain of t steps from y
Find hj(y) as end-point i
Begin from matching start point xi
Compute chain from xi until y found
Time: O(t)
y
sp
ep
7
Time-Memory tradeoff – cont.
• Online: (given value y)
–
–
–
–
–
Compute chain of t steps from y
Find hj(y) as end-point i
Begin from matching start point xi
Compute chain from xi until y found
Time: O(t)
!!
sp
y
ep
8
Setting the parameters
• How many values x1, … xm to use for
chains of length t, for N possibilities?
• Need y to appear (in the middle of some)
chain – this is the “coverage”
• Difficulty is that chains may “collide”
• Analysis shows a trade-off: 𝑡𝑚2 = 𝑁 2
• Working point: 𝑡 = 𝑚 = 𝑁 2/3
9
What if domains are different
• E.g. Password has 8 alphanumeric
characters
• Hash produces 128 bit
• Need to “return” to password domain to
build the chains
10
Reduce function
•
The reduce function is an “onto” function that
maps a hash to a desired password in the
character set
– reduce(hash(a password)) → next password
pass123
xrr12YYv679
Apple
h
R
Now use previous idea, with 𝒇(𝒙) = 𝑹(𝒉 𝒙 )
11
Rainbow Tables
• First pioneered by Philippe Oechslin
• Implemented in the Windows password
cracker 0phcrack
– lowercase alphanumeric passwords of 8
characters long
– case sensitive passwords of 5-16
characters in length
– valid UNIX passwords (96 symbols, 8
characters)
12
Rainbow tables
13
Many Reduce Functions
• Use a different reduction function for each
"link" in a chain
• When a hash collision occurs - the chains will
not merge (so long as collision doesn't occur
at the same position in each chain)
• Increases the probability of a correct crack
• Improves speed - approximately doubles the
speed.
14
Example
1.
We want to reverse the hash “re3xes”
2.
We apply reduction function R3 and get “rambo” .. we check the table and don’t find it there
3.
We then restart using R2 followed by R3 (and keep doing this with 3, 4, 5 reductions until we
succeed).
4.
We can see that with two reductions we get “linux23” which is in the table
5.
We lookup the start value “password” and then start our search of this chain, comparing the
hash at each iteration to our target hash “re3xes”. Once we find it we stop, and we discover the
password “culture” that generated that hash value..
15
Rainbow Tables
•
Rainbow Table for LanManager passwords (windows) config #0
Charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ ]
Keyspace 8,353,082,582
Table size 610Mb
Success probability 0.9990
Cracks 5-alpha in a few seconds
http://www.antsight.com/zsl/rainbowcrack/demo_rainbowcrack_cfg0.txt
•
Rainbow Table for LanManager passwords (windows) config #1
Charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ]
Keyspace 80,603,140,212
Table size 3 GB
Success probability 0.9904
16
Rainbow Tables
•
Rainbow Table for MD5 (loweralpha-numeric 1-8)
Charset [abcdefghijklmnopqrstuvwxyz0123456789 ]
Keyspace 2,901,713,047,668
Table size 36 GB
Success probability 0.99904
10 MD5 hashes broken in 35 minutes..
•
Rainbow Table for Microsoft Office
–
40-bit encrypted files decrypted in 5 minutes on average
–
One table for MS Word and one table for MS Excel
–
Table size is 40 GB
–
99.9% accuracy MS Office
17
Rainbow Tables in Practice
• Pre-computed files are now available on bit
torrent
• Rainbow tables crackers are now online on
websites.
• Salts are one way to defeat rainbow tables.
18