Time-memory trade-offs storming your (our) passwords!
Gildas Avoine, Université catholique de Louvain, Belgium
Crossroad Topic
Probability Algorithms Computer Security
Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 2
SUMMARY
Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion
MOTIVATIONS
One-wayness
Function that is easy to compute on every input, but hard to invert given the image of a random input.
Foundations of Cryptography: Public-Key
DL problem (discrete logarithm): Given $p$, $g$, $g^a \bmod p$, it is hard to retrieve $a$.
RSA problem ($e$-th root modulo a composite $n$): Given $n$, $e$, $m^e \bmod n$, it is hard to retrieve $m$.
Foundations of Cryptography: Symmetric Key
Cryptographic hash functions: MD5, SHA1, SHA3
Encryption functions: DES, AES
Example: Password-based Authentication
User (login, pwd) → Computer: login, pwd
Computer: compute h(pwd)
login1 h(pwd1)
login2 h(pwd2)
login3 h(pwd3)
...
Exhaustive Search
On-live exhaustive search:
- Computation: N
- Storage: 0
- Precalculation: 0
Precalculated exhaustive search:
- Computation: 0
- Storage: N
- Precalculation: N
HELLMAN TABLES
Hellman Trade-off (1980)
Precalculation phase to speed up the on-live attack: $T \propto \frac{N^2}{M^2}$
Precalculation
Invert $h : A \to B$.
Define $R : B \to A$, an arbitrary (reduction) function.
Define $f : A \to A$ such that $f = R \circ h$.
Chains are generated from arbitrary values in $A$.
$$
\begin{array}{l}
S_1 = X_{1,1} \xrightarrow{f} X_{1,2} \xrightarrow{f} X_{1,3} \xrightarrow{f} \dots \xrightarrow{f} X_{1,t} = E_1 \\
S_2 = X_{2,1} \xrightarrow{f} X_{2,2} \xrightarrow{f} X_{2,3} \xrightarrow{f} \dots \xrightarrow{f} X_{2,t} = E_2 \\
\quad \vdots \\
S_m = X_{m,1} \xrightarrow{f} X_{m,2} \xrightarrow{f} X_{m,3} \xrightarrow{f} \dots \xrightarrow{f} X_{m,t} = E_m
\end{array}
$$
The generated values should cover the set $A$. Only the first and the last element of each chain are stored.
On-live Attack
False Alarms
Given one output $C \in B$, we compute $Y_1 := R(C)$ and generate a chain starting at $Y_1$:
$$Y_1 \xrightarrow{f} Y_2 \xrightarrow{f} Y_3 \xrightarrow{f} \dots \; Y_s$$
[Figure: table chain from $S_j$ to $E_j$ and on-live chain $Y_1 \dots Y_s$, with outputs $C$ and $C'$; labelled spans: "time needed to detect a matching end point" and "time needed to find the false alarm".]
Coverage and Collisions
Time-memory trade-off techniques are probabilistic. Collisions occur during the precomputation phase. Several tables with different reduction functions.
OECHSLIN TABLES
Oechslin Tables (2003)
Rainbow Tables
Use a different reduction function per column: rainbow tables.
Invert $h : A \to B$.
Define $R_i : B \to A$, arbitrary (reduction) functions.
Define $f_i : A \to A$ such that $f_i = R_i \circ h$.
$$
\begin{array}{l}
S_1 = X_{1,1} \xrightarrow{f_1} X_{1,2} \xrightarrow{f_2} X_{1,3} \xrightarrow{f_3} \dots \xrightarrow{f_t} X_{1,t} = E_1 \\
S_2 = X_{2,1} \xrightarrow{f_1} X_{2,2} \xrightarrow{f_2} X_{2,3} \xrightarrow{f_3} \dots \xrightarrow{f_t} X_{2,t} = E_2 \\
\quad \vdots \\
S_m = X_{m,1} \xrightarrow{f_1} X_{m,2} \xrightarrow{f_2} X_{m,3} \xrightarrow{f_3} \dots \xrightarrow{f_t} X_{m,t} = E_m
\end{array}
$$
Discarding the Merges
If 2 chains collide in different columns, they don't merge.
If 2 chains collide in the same column, the merge can be detected.
A table without merges is said to be perfect.
Trade-off Within the Precalculation Phase
[Figure: number of chains that did not merge (millions, axis up to $18 \times 10^6$) against number of chains computed (hundreds of millions, axis up to $6 \times 10^8$).]
On-live Attack: A More Complex Procedure
Given one output $C \in B$, we compute $Y_1 := R(C)$ and generate a chain starting at $Y_1$:
$$Y_1 \xrightarrow{f} Y_2 \xrightarrow{f} Y_3 \xrightarrow{f} \dots \; Y_s$$
[Figure: table chain from $S_j$ to $E_j$ and on-live chain $Y_1 \dots Y_s$ computed from $C$; labelled spans: "time needed to find a matching end point" and "time needed to rebuild the chain".]
Success Probability of a Table is Bounded
Theorem: Given $t$ and a sufficiently large $N$, the expected maximum number of chains per perfect rainbow table without merge is:
$$m_{\max}(t) \approx \frac{2N}{t+1}.$$
Theorem: Given $t$, for any problem of size $N$, the expected maximum probability of success of a single perfect rainbow table is:
$$P_{\max}(t) \approx 1 - \left(1 - \frac{2}{t+1}\right)^{t}$$
which tends toward $1 - e^{-2} \approx 86\%$ when $t$ is large.
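Added example, not from the original slides: a toy perfect rainbow table in Python that follows the chain construction, the discarding of merges, the on-live search with its false alarms, and the two bounds stated above. The sizes N = 2^14 and t = 10, SHA-256 standing in for h, the reduction R_i(y) = (y + i) mod N and every function name are assumptions chosen for illustration.

```python
import hashlib
N, T = 1 << 14, 10  # assumed toy sizes: |A| = N values, t = T columns per chain

def h(x):
    """Function to invert, h : A -> B (SHA-256 is an assumed stand-in)."""
    return hashlib.sha256(x.to_bytes(4, "big")).digest()

def R(i, y):
    """Assumed reduction R_i : B -> A, a different one for each column i."""
    return (int.from_bytes(y[:8], "big") + i) % N

def chain(x, col=1):
    """Cells X_col .. X_T, stepping with f_i = R_i o h."""
    cells = [x]
    for i in range(col, T):
        cells.append(R(i, h(cells[-1])))
    return cells

def perfect_table(starts):
    """Precalculation: store {E_j: S_j}, keeping one chain per end point."""
    table = {}
    for s in starts:
        table.setdefault(chain(s)[-1], s)  # repeated end point = merge, dropped
    return table

def coverage(table):
    """Fraction of A that appears somewhere in the kept chains."""
    return len({x for s in table.values() for x in chain(s)}) / N

def bounds(t):
    """The two theorems above: (m_max(t), P_max(t))."""
    return 2 * N / (t + 1), 1 - (1 - 2 / (t + 1)) ** t

def invert(table, c):
    """On-live phase for output c: returns (preimage or None, false alarms)."""
    alarms = 0
    for col in range(T - 1, 0, -1):          # guess that c = h(X_{j,col})
        end = chain(R(col, c), col + 1)[-1]  # Y_1 = R_col(c), walked to column T
        if end in table:
            x = chain(table[end])[col - 1]   # rebuild chain j from S_j
            if h(x) == c:
                return x, alarms
            alarms += 1                      # end point matched, preimage did not
    return None, alarms

if __name__ == "__main__":
    for k in (N // 8, N // 4, N // 2, N):    # chains computed vs chains kept
        print(k, len(perfect_table(range(k))))
    print(coverage(perfect_table(range(N))), bounds(T))
```

With only T cells per chain, the end-point column cannot be inverted, so `invert` searches columns 1 to T-1.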
Average Cryptanalysis Time
Theorem: Given $N$, $m$, $\ell$, and $t$, the average cryptanalysis time is:
$$T = \sum_{\substack{k=1 \\ c = t - \lfloor \frac{k-1}{\ell} \rfloor}}^{k=\ell t} p_k \left( \frac{(t-c)(t-c+1)}{2} + \sum_{i=c}^{i=t} q_i\, i \right) \ell + \left(1 - \frac{m}{N}\right)^{\ell t} \left( \frac{t(t-1)}{2} + \sum_{i=1}^{i=t} q_i\, i \right) \ell$$
where
$$q_i = 1 - \frac{m}{N} - \frac{i(i-1)}{t(t+1)}.$$
REAL LIFE EXAMPLES
Windows LM Passwords (Algorithm)
Win98/ME/2k/XP uses the Lan Manager Hash (LM hash). The password is cut in two blocks of 7 characters. Lowercase letters are converted to uppercase.
Windows LM Hash (Results)
Cracking an alphanumerical password (LM Hash) on a PC. Size of the problem: $N = 8.06 \times 10^{10} = 2^{36.23}$.

| | Brute Force | TMTO |
|---|---|---|
| On-live Attack (op) | $4.03 \times 10^{10}$ | $1.13 \times 10^{6}$ |
| Time | 2 h 15 | 0.226 sec |
| Precalculation (op) | | $1.42 \times 10^{13}$ |
| Time | | 33 days |
| Storage | | 2 GB |
Statistics from 10,000 leaked Hotmail passwords
Password Type
- numeric: 19%
- lower case alpha: 42%
- mixed case alpha: 3%
- mixed numeric alpha: 30%
- other charac: 6%
Texas Instruments Digital Signature Transponder
Texas Instrument Digital Signature Transponder.
- 134.2 kHz.
- 130 million car immobilizer keys.
- Condition to enable fuel-injection system of the vehicle.
Cipher that uses 40-bit keys
Verifier → Prover: $r$
Prover → Verifier: $id$, $E_k(r)$
Texas Instrument Key Cracking (Results)
Cracking a TI DST key on a PC. Size of the problem: $N = 2^{40}$.

| | Brute Force | TMTO |
|---|---|---|
| On-live Attack (op) | $5.50 \times 10^{11}$ | $1.53 \times 10^{7}$ |
| Time | 30 h 30 | 3.07 sec |
| Precalculation (op) | | $1.94 \times 10^{14}$ |
| Time | | 448 days |
| Storage | | 8 GB |
FINGERPRINT TABLES
(Joint work with A. Bourgeois and X. Carpent)
Checkpoints
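Given one output $C \in B$, we compute $Y_1 := R(C)$ and generate a chain starting at $Y_1$:
$$Y_1 \xrightarrow{f_{j-s}} Y_2 \xrightarrow{f_{j-s+1}} Y_3 \xrightarrow{f_{j-s+2}} \dots \; Y_s$$
[Figure: table chain from $S_j$ to $E_j$ with a checkpoint at column $\alpha$ (cell $X_{j,\alpha}$), and on-live chain $Y_1 \dots Y_s$ with cell $Y_{\alpha+s-t}$, outputs $C$ and $C'$; labelled spans: "time needed to detect a matching end point" and "time needed to find the false alarm".]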
Ridges
Endpoints and checkpoints share the same nature. Each column contains a ridge function that outputs a (potentially empty) fingerprint of the chain. Endpoints are no longer stored. Type-II false alarms.
Fingerprint Tables
Theorem: The average amount of evaluations of $h$ during the on-live phase using the fingerprint tables is:
$$T = \sum_{k=1}^{\ell t} \frac{m}{N} \left(1 - \frac{m}{N}\right)^{k-1} (W_k + Q_k) + \left(1 - \frac{m}{N}\right)^{\ell t} (W_{\ell t} + Q_{\ell t}),$$
$$c_i = t - \left\lfloor \frac{i-1}{\ell} \right\rfloor, \qquad q_c = 1 - \prod_{i=c}^{t} \left(1 - \frac{m_i}{N}\right),$$
$$W_k = \sum_{i=1}^{k} (t - c_i), \qquad P_c = \sum_{i=c}^{t} \prod_{j=c}^{i-1} \varphi_j \, (q_i - q_{i+1}),$$
$$Q_k = \sum_{i=1}^{k} (c_i - 1)(P_{c_i} + E_{c_i}), \qquad E_c = (m - q_c) \prod_{i=c}^{t} \varphi_i.$$
Windows NT LM Passwords
Win NT/2000/XP/Vista/Seven uses the NT LM Hash. The password is no longer cut in two blocks. Lowercase letters are not converted to uppercase.
Windows NT LM Hash (Results)
Cracking a 7-char (max) alphanumerical password (NT LM Hash) on a PC. Size of the problem: $N = 2^{41.4}$.

| | Brute Force | TMTO |
|---|---|---|
| On-live Attack (op) | $1.45 \times 10^{12}$ | $2.94 \times 10^{7}$ |
| Time | 8 hrs | 5.9 sec |
| Precalculation (op) | | $6.29 \times 10^{14}$ |
| Time | | 1458 days |
| Storage | | 16 GB |
CONCLUSION
Limits of TMTO
Scenarios
A TMTO is never better than a brute force. TMTO makes sense in several scenarios.
- Attack repeated several times.
- Lunchtime attack.
- Attacker is not powerful but can download tables.
Two conditions to perform a TMTO.
- Chosen plaintext attack.
- Reasonable-sized problem.
Limits of TMTO
56-bit DES
| | Brute Force | TMTO |
|---|---|---|
| On-live Attack (time) | 20 years | 1 week |
| Precalculation (time) | | 8000 years |
| Storage | | 512 GB |
Perspectives
Precalculation phase.
- Discarding the merging chains on-the-fly.
- Parallelisation.
On-live phase.
- Parallelisation.
- Less expensive memories.
Passwords Are Like Underwear
Passwords are like underwear... Change yours often.
Passwords are like underwear… Don’t share them with friends
Reprinted in cooperation with the Office of Policy and Education, University of Michigan Cal Poly Information Security Team http://security.calpoly.edu
Passwords are like underwear… Be mysterious.
Passwords are like underwear… Don’t leave yours lying around.
Passwords are like underwear… The longer, the better.