2016 - Michael Jack - Ensuring Password Cracking Ain’t Easy REDUX

[Applause] Exxon make it and forger I on the ethical hacking program of abertay protec don't fill your second year because Dundee sucks and this is what that's what it looks like thanks to Gavin in there Duncan if they'll kick in a boat and I'm also a member of the ethical hacking society out there we have a luxurious vice president we can very hungover up the back there and I'm entered cryptography in defense and if you want the beat why we should TLS all the things away we shouldn't find me a Gavin hall where we will talk for days about that and on a side note i'm quite into the national security things for catering extremism capitalism and again

if you want to chat to me with that i'll speak you for hours of our Isis and you can find me on pretty much everything at mikey j ck and quick tensor can plug that this last time as well and but the ethical hacking society we run our own conference often dundee we run it when are we running at fabula like wait fabulet 2017 and we were to these when we run it this year I don't know what we're doing this year because again a vice presidents always drunk and we have an after party we're about 300 attendees at capacity as you're typing for fancy come get drunk and do some hacking Scotland and sleep so I'm going to open web page the

vet bagger in the more capital hash functions are and talk just briefly about air password cracking and why we don't want to be using hash functions for password storage talk briefly again about key derivation functions and what I recommend it last year and that's in the wrong order I talk about the past passion competition talker it's when I Oregon too and then finally talked about a harsh upgrade or how we can migrate from all broken functions two new ones so this is the obligatory XKCD right you know 25 4096 / RSA that's fine because we're going to drug them and beat them to death with a wrench or until he tells us the password and

so why do we care about us and just quickly and well that wonderful time Adobe was hot right and we got like debased crossword puzzle over the password tents and and some of the passwords were an md5 sum of them wearing and who knows what the hell did resume at the restaurant right and so I think know if you go on to have a bean corn com I think Troy hunt and X like a billion just about 1.1 billion and sets of usernames and passwords right as far as I'm aware the sort of active set of real human created passwords that are kicking about and somewhere between over 1.5 to 2 billion bytes we have a pretty

big data set and for this sort of thing and people get broken into all the type of eight and pop talk anyone so and we're going to just briefly cover well not briefly but we're going to cover what hash functions are and and and why we were used right so one of the mathematical functions so we have some input that we pumped through this algorithm it gives us a flex latest output the digest right and the reason that we like this is it's a compression function essentially rate so we take some some data of arbitrary size and we can compress it down into 160 bits of you use my shower one and 256 bits for a

shot to right and so you have add basically d your digest and some function and your input and again you're calling algorithms here sharwan chateau and the West Spanish our family shot three Eric a chat and which is above adored one because we thought kind of that Chateau would be much more broken than as at this point now and so char three was introduced to complement rather than replace Chateau so that's a little bit odd and but as far as we know there's nothing wrong with fair shot at the moment right so from a cryptographic hash functions we expect these things pre image and second fear meet resistance and crucially collision resistance right so just briefly on

these a pre-event resistance Kevin some hash value D it's difficult to find another message and such that d is equal to that a right so essentially what we're saying here is that it should be difficult for some definition of difficult so the definition of difficult is basically beyond reach of the adversary that we want speaker system and or you can start talking about things that p equals NP and get into asymptotic polynomial time which we're not going to do because adds far too much wrong last night start talking to that back and but basically this is the principle that and given a harsh it should be difficult and to find some other message that and treat the hash

right a second few images us that pre image resistance is a bit of a technicality so for some fix em put em one so we give the attacker and then put the it can't change they have to essentially find another input m2 which will and produce the same hash right and so the difference between this and a collision is that m1 is fixed and then the one we all know about collision resistance or given any input m1 and it should be difficult to find another input end to such that digests the m1 and m2 the scene so this is what we most people understand that hash functions right so if you have a file and any small subtle

change and so these were created pretty much right after each other so the may idea is not that different the better way of doing this with the beam to air going to share some but when we thought with after and so you can see here the only difference use one character but you have a radically different em hope of the hash right and so there was quite a war a talk recently about and sha-1 been fairly broken right and so the the free start collision against the fool he runs a sha-1 and was pretty much the first and actual attack makita boton Shaolin because the pagana was against the fill Iran's and so mark stephens and he you

know pretty much loves beacon how she's right you can go get his tool hash class clash and you can we'll run that on your PSD cluster that you obviously have taken about the house and you can find Jannetty air your own collisions so what are three star collision basically the miracle Dawnguard construction we have our message block and you have our chin in value or your initialization vector right so the first block and we don't have a chain in value so the chain in value is usually the block that comes before right but the first walk we need to supply an IV right so the free start collision and basically means that under that Samson ally of the attacker control

can control the IV and if they can control the IV and then they can create a collision right so i think the IV that they found effort and by like four bytes or two bikes right and I mean it's quite a nice attack and it's not it shouldn't really have us worried about sha-1 and hugely the context that we usually talk about as certificates right so to go from some arbitrary n1 and n2 collision to a collision involving certificates the order of magnitude and against Clayton earth to get a certificate collision and as orders of magnitude harder right because there's a lot more variables at play and having said that and you should be moving away from sha-1

and the md5 free stock collision was found in language sex and we didn't have a field break against md5 till 2004 and again having said that and the c/e browser forum right if you ever wanted to see a [ __ ] of info SEC and go look at what they debate and the see a browser fallen basically wanted deprecated shall one which we're doing and but then you have semantic on the other hand and just meant a new syrups or shower 14 and super special vendors right and so having said that you should be moving away from sha-1 air to shatter in anything new air that your your implement right and so one of the other cool things about

hash functions is the profession right and very very quick so you're talking your tenth of a second to generate something right so the problem here is is that we can just go buy em thi an X and we can compute like billions of md5 a second or hundreds of million shall I make so the the sort of state of the art at the moment if you're looking to brute force you're looking are not providing of about 10 to 12 characters and then you're really talking about the realms of impossibility even in the range of ten to 12 characters your kind of a you kind of fishing and dark right and you're going to have to have a lot of

reason to go after and someone with a password of a latent characters when I brute force right and the other thing here is that it doesn't matter what your underlying function is if your password is password one or a day of the week 12 and we're going to track it and we're going to crack it pretty quickly right and this is quite nice a link this is from one passwords or password generation thing so they've moved from Gavin you adjust in a mishmash of nonsense to the sort of you know dictionary words separated by special characters and now a third remember exactly but i'm pretty sure that they're less the dictionary words is public right so

while it's great for memory it's probably not great in the long term because you know the people that do password cracking and not myself but they're generally pretty clever right if you go into the crack in forums like after the fill and linkedin breach came out and the cracked like eighty-six percent that dumped in like four or five days right and so these people are pretty clever and this sort of thing I don't think is going to fly for very long and i'm part of the place ratio right so this is a gem in Disney or Jerry kasnia don't mean Prince's name and but his company sick air sagathia and high-performance computing they specialize in vex built for password

cracking so this is there sort of monster rank every talus so each if you use a couple of Zeon's like 32 64 gigs of you know badass ECC ram right and say it back 20 grand but you be able to compute 200 billion md5 a second or like 687 million char 10 seconds and these actually are the bandages has weight benches on the gtx 1080 for any graphics cards enthusiasts right and so that's pretty impressive so we need something a little bit slower so what we have is what we came up with was a key derivation functions so the basic the fundamental principle here is we just ate some cryptographic function so it can be an underlying hash function

or a block cipher and the standard model of us has been kicking about I think the paper and was like Bruce Schneier and 97 a belief and but the standard model is you have some spare search space 2 to the X and we basically want to extend that and by T which is we're and we get T from our function and so then the attacker has to search to the ass costi mate and that's basically standard model so this is one of my slides from last year and this was like my second or third last late on what we should be using so back then state-of-the-art for this was pbk DF to pass would be key

derivation function to and or script right and so all off and nest i believe of standardized pbk tf2 and basically I said you know if you need to be faps if you need to be compliant for whatever reason and you probably want to use pbk tf2 but if your ultra paranoid so for those of you that use their key base and to manage your PGP keys and I think I don't know if they're you I still does it but they've used script from day one and because they obviously take if you want they take your private key and so and the guy that designed us and colon perishable was our security or as one of the security officers for BST and

the reason he created and was he runs our backup a company called partner and he basically bellletstalk nap as the M the sort of cloud backup service or the ultra paranoid but us somewhat of a paradox and other self but anyway and the goal here was to replace pbk tf2 and at the current time at V crypt was the other sort of state-of-the-art and the key derivation function right and its primary goal able to beam am really hard so this is interesting there's a really long mothers quite sure actually but I'm going to start getting mathematical formulas out because quite frankly I just don't like math and but basically you want an algorithm which uses almost as many memory

locations and as it does operations right so for the number of clock cycles that we're using para pipe and we should be using a similar amount of RAM so that's when I random access machines or sequential memory hardness essentially the same thing and but we don't want at parallel well item right so you should use a large some larger in trauma my cell are as you're talking like a kilobyte around here is what we regard as a significant amount of RAM and it shouldn't parallel well right having and so this other requirement and here it was sort of introduced with them are going to we're going to talk about that later but essentially and if there's a

warm out of memory being used we should up the and the clock cycles per byte to compensate for that and I'm one of the one of the many attacks here is tiny memory trade-off right so and if your problem can be solved quickly but requires more memory and you can spend more time and less memory right and or you can use more memory and solve the problem more quickly right so the classic example of type memory trade-off as rainbow tables and look up tables right you do so on a pre computation so then you only have to check against your West when it comes to the crack and rather than do the computation on the

flag right and so at the time script was pretty state-of-the-art compostable a pretty smart guy right and but unfortunately in terms of a you know what we Lakers cryptography so what cryptographers like at just to clarify not a cryptographer definitely not a mathematician I can barely tell the Titan most days right and by what cryptographers life is a simplicity so PB kdf two calls a smiths which then caused Rome X which caused bought max which calls south of waiting and then we pop that back into PB gdf to sew em the beginning here we take our password we pump it through pbk tf2 to get that stream we then feed that into ash mix that goes into romex blah blah blah and

then we run one last phone the pbk df2 at the end and to hear a password right now unfortunately for scrap wrong net wrong net to the side channel so if you have some spy process on the machine that's running and script you can then use in cash payments a channels you can basically compute the the passwords faster by looking at em house and the memory locations that script is access and then you can pre-compute you free and so it has deeper ahmo's your cpu memory costs ramp walk size and then some parallelization factor and the other nice thing here is that em it's all done a 32-bit math so one of the sort of requirements of slowing it down

and not kerala air paralyzing well as a 32-bit masturbate and I think script on the time when you first benchmark that and core two processors it was about one bite of RAM for every 10 cork cycles right and so password hashing competition and was initiated thinking 2012 and [Music] the best way to do anything by consensus for cryptography is to have a competition and it's basically like a ruler therapy and that people submit their candidate and then once we have the list of candidates and all the submitters try to break each other's ciphers along with some a panel of your subject matter experts will try and reach the candidate rate so the other interesting trip the competition that's

running at the moment as am the Caesar competition for an earth indicated and cypher to replace a GCM because as I walk and called your shoulder black cap and there are some problems with GCM and that's not a panacea but while we're talking about that just anything less than key ls12 with and ahead cypher and as you know broken and so yeah I think that's leading their own place I'll just stare but yeah password hash air passport Akasha net and seemed sort of idea is ness competition for AES and so the panel so some of the names you make recognize and it was initiated by jean-philippe and however you see a second there ahem Jeremy Disney again the guy who runs the

got ya Matthew gene you probably know them klepto professor from Johns Hopkins and Colin Powell Garrett off script and and zooskool whoa coxal Haren who is the guy doing and that new cryptocurrency looks really cool I forget what's called and so the basic goals here so they had 24 canvas initially and two of them with their were withdrawn to the end of twenty two candidates and about name and finite but the the goals here were wearing anything really wild they basically wanted something that had a simple construction and in terms of cryptographic primitives and something that was easy to implement right because as we just saw from script you know Colin like eight primitives nested

inside each other not a fun time and the primary goal one terms of security was to be resistant to like your massive parallel a GPU or application specific integrated circuit track invite and they want inside channel resistance and they wanted resistance from tight memory tree doors as well and crucially as well in terms of end use the one is the parameterization to be pretty simple right so the only two knobs you can use that you should be using to Tunis and our memory and type and we'll get into that and again the last sort of requirement of this is that M the function itself and any underlying functions and should be patent and boiled free and for the you know the

greater good of the community so initialize in 2012 and the CFP ran for a year close the marks that first and the announce the finalists in q3 2014 and ironically at the time I gave this talk or the version of this talk in 2014 I had no idea this was going on and which kind of sucks but he'll and then the announce the winner on their july 9th of last year so the winner was a function called argan to and Aragon to I was designed by some lovely Belgium Aang and although the number of primitives that we have in cryptography designed by Belgians is really disproportionate right I mean they keep designing really good trip though and

the current and latest version nurse is 1.3 and and we're going to talk briefly about some of the other end versions and the problems they had so the N the possible input parameters with us so we only actually care about P and s for the most part and so your message thing your password in your nonce so I'm again we're getting to this bar soul is required but you have your message string your knowns and your degree of parallelism so the the parallelism is what defines so many independent and compute change you like rights independent compute change but but it is synchronized get into this your air is the maximum amount of RAM to be filled

and Kelly Bates and T number of iterations so that's your time parameter m and then you can you can use icq keys with us so you can use it a key function as well and and then some associate dia up to you know some arbitral and the link its and some length like 32 bytes so this is me trying to understand like three papers have been written on this on my whiteboard and then you know now you're just repeating out there cheers to that and so I quite a high level how it works and so we set up h0 so each 0 is a 64 byte value and we run some hash function over all these values and so the values are

taken and we we spend the values of the 32-bit integer a representation of work with the values and then we run some hash over and the case are gone too they use the break to be a function so Blake to be was designed by the guy that mushy competition and they've actually just in the last few days I names the new version or produced a new version of bleak for EM scrutiny the way that human so we run a hash function over the password the soul and all the other planners em and we get some 64 byte value right and so the the sort of the legwork comes in here where we take a 2d

array so you know a byte array with ing Anna and then we fell n number of em amount of RAM so that is the the memory that the amount of the maximum ram defined in the input parameters right and we take that number of a 1024 bite walks and then we see eventually that sequential dependent and we fill that that rig right so the first bi 0 and bi 1 are dependent on the National 64 byte value that you get em from hashing all this and then from then on the the box or dependent on what came before ascension so this is great and this is from the RFC so and then an engineering task force the crypto m.c

frg the crypto forum research group and have recently produced our draft there RFC furnace to standardize ER and their RFC if you're not into math or cryptography me is great to go read because they have lovely diagrams like this helps you explain it but so then Clemente the the reference implementation uses an for memory slices so this is the slices are basically high we partition RAM and then we have penumbral lanes so again the the number of lanes is defined in your your peril ISM factor right so at each slice and they're computed in parallel and they can't reference books and from other slices right and but all other blocks can be referenced right because as they

could and the way I understand that as the acute reference other block start with them introduce a side channel and a song of some sort right and so this is an when Eragon is doing a single pass but we'll all get into that as well and so basically we filled this 2d array over and over again for some tea aerations that you kept and we XOR the previous board with an x-block and and then the Harsha's returned as a tag of the the last column right so your last book see em as X sword with our last column from here right and then we returned the tag again our hash function and underlying hash function bleak to

over the sea column and then that the tomes are attack right so sweet we've just we've just done some not very complicated math and so it's actually a family of hash functions so there's two variations so there's 2i and 2d and it's very memory hard and you can fill a gag around like a fraction of a second right and the the parameterization that we only really care about in terms of the pointer as the time cost our memory cost and the parallelism and the the actual paper and the RFC provide recommended em and put drummers for various applications I'm not going to get into that if you want to deploy it and you're right net cord you probably

just want whatever and the widely decrypter library you're using the Specht unless you're doing something pretty crazy but ok and and yeah the ietf CHC frg em are trying to standardize that's right so the two implementation there to sort of versions were exist for really good reason so too i am the next block when we're filling this a 2d array the next book is independent the password and soul whereas argument 2d and those books are dependent on the password and salt so 2i is vulnerable to n 2d sony as vulnerable to say channels right because we can pre-compute we can pre-compute memory location so and so if you're using I you probably want to be using that and your adversarial

Satan so that is your client and then 2d can be used and things like cryptocurrencies and for proof of work and this sort of thing right and Saudi as the faster of the two but aims for greater and GPU and he said resistance so it's far better it resisted an air-tight memory feet of attacks right and yep just said that that's great and yeah so if you're using this for passwords key derivation you want argan to i right and or even if they're not doing key derivation with it if it's an adversary of sam and or anywhere that the adversary can readily access the the rom of the cpu and you want to deploy I

because it's designed to be resistant against these sort of side channels right so the performance is pretty good and you can go to the password type password hashing net and they've got the reference reference implementation and they also have like a nice little command line tool and you can go and clear over and you can pump the RAM up to like more round than the computer actually has and watch it almost kill itself that's fun and but it's heavily xat sexual optimized so again it's designed to relieve us that air withstand a sec attacks so when we talk about x86 optimization and things like the latest register design and n tell me md cpus so there's actually our

payment penalty on the registers are a corpsicle penny so if you're the 128 and 256 bit registers on and tell processors for example if the memory locations don't match up and I think it's X invite segments and if these are all sort of implementing this one spare you know specific hardware and then imposes out a cork cycle paint later to try and deal with that may and they also designed against the sort of way is the way it's done tell me and d processor sort of quirks memory and memory synchronization right so they aim for being able to parallel well but for them around to increase because we want to take advantage of you know the

ridiculously 40 core chips that AMD are making but no one's buying right and so yet again not that draft pretty much about that table pretty much tells you what you need to know so om command link tool is quite nice and you can go play about with that and I should have mentioned this earlier but assault an independent soul is required for each password and it will just straight-up refuse you if you don't give it at least an eight bike salt and what don't you can see yep at the top and then acumen in 16 byte souls but I think it goes up to 32 bytes I believe and yeah so it has a couple of nice features

tacked on the end of it as well and so it's got need of a shock reasons or harsh of rhythm in this context is and if you have the elation code set of thousands or fails that we use their last part where they let you choose your own key BTW the F to K and and at some point in the future that iteration capable come and secure so we want to we want to upgrade the a recent code without having to request a password from the user and this will do that no problem and it's bell n which is really nice and it also has clients ever handoff so this is again where the dual

independent and dependent and moment ations coming so if you have for example I will key device that you don't want to kill by doing you know hundreds of thousands of iterations or some random vector function that I'm telling you to use and you can basically compute the Fox 220 air the 4 64 byte value on the client and then you can do some black magic to that ship off to your server and your server will do the work for you which is a which again is quite useful and pull from terms of performance and if you just don't want to do that for for whatever reason right and although having said that are they implement that an application and not

screwed up is somewhat more difficult than what I've just described and so why do you want to use this instead of script well it's much easier to parameter a parameters generally you're only going to be Mason with the time and the maximum around be filled buttons right and it's far simpler and as we discussed previously right no script was calling like five things so you know I let need pbk tf2 which in turn you did each Mac which entirely did sha-256 or you know whatever shall you using and also needed salsa 20 equals well right this only needs itself and Blake to be and you can actually switch out Blake to be for whatever pseudo-random function

you want to use and by again it was designed as a package and so you probably just want to stick with that and unless you doing what you do and again we've got the data independent and dependent modes as well I'm saying you know your client server handoff and your native harsh upgrades right and the security analysis that's done on this and particularly because a point to write as much simpler and it's much easier to crypt analyze this function and Blake to be there as to shut down eyes smax you know and we just saw the room XR the SH an on it right and and that's as being trapped analyzed and so the this paper came out and

March a belief and and they basically figured out a method where you could run art into it about four times less a memory so this is why we're at version 1.3 of Argan and so there will be vulnerabilities and there will be problems and your and cryptographic primitives probably at some point and so you will have to you know check and make sure that you're always running the current version of this right so mhm i believe the paper was january because the tweet according to my presentiments was done in march so that makes much more sense and essentially the problem that the hard was that when they were fell in the 2d array and memory and rather than over

right in the previous walks they were simply replacing them which introduced our essential aside China which allows for a type memory trade-off attack and so it is being kept analyzed and and has been continually improved so you can pretty much use this wherever the hell one and there's bindings for and basically everything and the reffing the reference implementation is on the github and you can if you're crazy Google to see and I don't want to look at sea and thought you want to look at the Python to be honest and but yeah so please go use argon to if you are designing applications that take passwords and or if you happen to be designing a cryptocurrency you might

want to consider that right and so the last sort of problem sort of great we now have some great memory memory hard hash function for storing our passwords and but how do we get from the old rubbish of md5 and in shower and if you're doing something really crazy like adobe em to the new one right so I have the Gathering Hall a big shadow here and he actually told me about this steel con so and the python django web framework and basically nails this you basically take the old sha-1 hash then you run that through your new function so argan to PB kdf to and our waiver and you get free puppy in a bag

and basically how this works is when your user logs in and you check the Argan two of the password and if you don't have the Argan two of the password you then fall back the chicken for the origin to the sha-1 of password right so that's without user logon so obviously once your user logs and gives you the password and again you can then just run that through Street argument and eventually over time you rule from have an amex to know predominantly more and at some point you can call the time and on your old hash function right and so yeah I think that is that's where the last late yes so if anyone has any

questions or just general insults and please fire away oh

I didn't really look into that much and it's lest it is a feature and but the believe the IFC expands with slightly more and it's not an entirely new concept I believe argan tues the foxtrot implement it but and it's been sort of kicking about is my dear for for a while

hi any questions yeah right well oh yeah so it's a simile against using hachey restore the password so you will stay in the scenario something he breeds happening password is going up there's a main scenario so most of these breeds that tackle is able to get into the like a web server or database server and and the database maybe he run Hashcash or whatever his tool and they he cracked the password but reality when be like consider linkedin example you have a Logan function so even if you use harden 200 attacker is not able to crack the password with his haircut during the proof so what will be custom rules he can customize the authentication control

the way of linking function and he can make okay if you sir password equal to the input password equal to the half that said a logo said he'll do that of his people that's a plainness so he can even you know he may need to wait some time to restore it get all the data but still he's able to it's a password so if you don't need to worry about what Hashem agonism they are you see if it is a powerful hacking I don't need to crack the password I can same time in custom function store the password printers in somewhere file or have a voice or in so yeah do you have any better protection

mechanisms in anger hey I thought I do not do web apps I just do the market interrupter but no as your attackers you know this is only helping you if you're talking about you know the database getting packed out and then you know the password crack and falling people set and churning away below GPUs smoking out as you say it's not going to help you against a you know a malicious organ function or or anything without anyone else sweet thank you guys you