high speed implementation of bcrypt password search using
play

High-Speed Implementation of bcrypt Password Search using - PowerPoint PPT Presentation

Mar 06, 2023 •193 likes •484 views

RUHR-UNIVERSITT BOCHUM High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware 10. December 2014 Horst Grtz Institute for IT-Security Ruhr University Bochum Friedrich Wiemer and Ralf Zimmermann Friedrich Wiemer

  1. RUHR-UNIVERSITÄT BOCHUM High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware 10. December 2014 Horst Görtz Institute for IT-Security Ruhr University Bochum Friedrich Wiemer and Ralf Zimmermann Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 1

  2. RUHR-UNIVERSITÄT BOCHUM Outline Motivation 1 bcrypt 2 Design of Implementation 3 Results 4 Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 2

  3. RUHR-UNIVERSITÄT BOCHUM Motivation Password Hashing Function? Can’t we just store passwords in plain? 1 blog.ebay.com/ebay-inc-ask-ebay-users-change-passwords 2 blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 3

  4. RUHR-UNIVERSITÄT BOCHUM Motivation Password Hashing Function? Can’t we just store passwords in plain? 12 1 blog.ebay.com/ebay-inc-ask-ebay-users-change-passwords 2 blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 3

  5. RUHR-UNIVERSITÄT BOCHUM Motivation Secure Storage? MD5 MD5 SHA{1, 2, 3} SHA{1, 2, 3} . . . . . . Password Hash Salt Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 4

  6. RUHR-UNIVERSITÄT BOCHUM Motivation Secure Storage? MD5 MD5 SHA{1, 2, 3} SHA{1, 2, 3} . . . . . . Password Hash Salt don’t use standard hash functions Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 4

  7. RUHR-UNIVERSITÄT BOCHUM Motivation Secure Storage! PBKDF2 bcrypt Cost scrypt Password Hash Salt Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 5

  8. RUHR-UNIVERSITÄT BOCHUM Motivation Why do we care? password cracking has an inherent parallel structure FPGAs enable to exploit this parallelism bcrypt claims to resist hardware optimizations currently available implementations 3 suffer from interface bottlenecks and instable operations 3 K. Malvoni et al. Are Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware 8th USENIX Workshop on Offensive Technologies (WOOT 14), 2014 Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 6

  9. RUHR-UNIVERSITÄT BOCHUM What is bcrypt? Introduced in 1999 by Provos and Mazières. 4 Implemented in OpenBSD 2.1, Ruby on Rails, and PHP as standard password hash. bcrypt cost-parameterized based on modified Blowfish 4 www.usenix.org/events/usenix99/full_papers/provos/provos.pdf Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 7

  10. RUHR-UNIVERSITÄT BOCHUM What is bcrypt? Introduced in 1999 by Provos and Mazières. 4 Implemented in OpenBSD 2.1, Ruby on Rails, and PHP as standard password hash. bcrypt Blowfish symmetric blockcipher cost-parameterized Feistel network based on modified Blowfish 4 www.usenix.org/events/usenix99/full_papers/provos/provos.pdf Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 7

  11. RUHR-UNIVERSITÄT BOCHUM bcrypt Structure setup state, using the password and salt as key with modified Blowfish key schedule encrypt magic value output ciphertext as hash Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 8

  12. RUHR-UNIVERSITÄT BOCHUM bcrypt Structure Work needs ( 2 cost + 1 + 1 ) · 521 setup state, using the password and salt as key Blowfish encryptions (roughly 2 cost + 10 ) with modified Blowfish key schedule encrypt magic value needs 3 · 64 Blowfish encryptions output ciphertext as hash Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 8

  13. RUHR-UNIVERSITÄT BOCHUM Implementation Cracker Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 9

  14. RUHR-UNIVERSITÄT BOCHUM Target Platforms Low cost, low power FPGA Zedboard Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 10

  15. RUHR-UNIVERSITÄT BOCHUM Target Platforms Low cost, low power FPGA High Performance FPGA Zedboard Virtex-7 Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 10

  16. RUHR-UNIVERSITÄT BOCHUM Optimization Optimization Goal? Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 11

  17. RUHR-UNIVERSITÄT BOCHUM Optimization Low Area Footprint (bcrypt) Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 12

  18. RUHR-UNIVERSITÄT BOCHUM Optimization Low Area Footprint (bcrypt) High-Speed (Blowfish) Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 12

  19. RUHR-UNIVERSITÄT BOCHUM Design First Attempt 100 MHZ (BUSCLK) 100 MHz (BCRCLK) bcrypt Password Core Generator Salt Register bcrypt Core bcrypt Password Core Memory Interface bcrypt Password Hash Register Internals Memory bcrypt Core bcrypt Core Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 13

  20. RUHR-UNIVERSITÄT BOCHUM Design First Attempt 100 MHZ (BUSCLK) 100 MHz (BCRCLK) bcrypt Password Core Generator Salt Register bcrypt Core bcrypt Password Core Memory Interface bcrypt Password Hash Register Internals Memory bcrypt Core bcrypt Core Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 13

  21. RUHR-UNIVERSITÄT BOCHUM Design Quad Core 100 MHZ (BUSCLK) 100 MHz (BCRCLK) bcrypt bcrypt bcrypt bcrypt Quad Core Quad Core Quad Core Quad Core Salt Register bcrypt bcrypt bcrypt bcrypt Quad Core Quad Core Quad Core Quad Core Interface Quad Core Password Hash Register bcrypt bcrypt Generator bcrypt Core Core Quad Core Password bcrypt bcrypt bcrypt Memory Core Core Quad Core Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 14

  22. RUHR-UNIVERSITÄT BOCHUM Design Blowfish Core One Round Left i Right i f S0 P i S1 S2 S3 Left i+1 Right i+1 Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 15

  23. RUHR-UNIVERSITÄT BOCHUM Design Blowfish Core One Round Problematic SBox addresses can not Left i Right i be computed in the same f clock as the look up is S0 P i S1 used S2 S3 needs 2 clock cycles per round Left i+1 Right i+1 Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 15

  24. RUHR-UNIVERSITÄT BOCHUM Design Blowfish Core Retimed Retimed Round Prefetch Input Left Input Right Left i Right i f S0 S1 P 1 S2 P i+1 S3 Left i+1 Right i+1 Left 1 Right 1 Advantages needs only 1 clock per round Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 16

  25. RUHR-UNIVERSITÄT BOCHUM Resulting Resources Zedboard estimations for one zedboard: 40 cores as upper bound, BRAMs as limiting resource first design attempt (password in registers): 12 cores fit, LUT utilization way to high Quad Core Design: 40 cores fit, while using “big” interface Virtex-7 Quad Core Design: 316 cores per FPGA Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 17

  26. RUHR-UNIVERSITÄT BOCHUM Resulting Resources Resource utilization of design and submodules LUT FF Slice BRAM Overall 64.8% 13.06% 93.29% 95.71% Quad Core 2,777 720 801 13 Single Core 617 132 197 3 Blowfish Core 354 64 71 0 Password Generator 216 205 81 0 Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 18

  27. RUHR-UNIVERSITÄT BOCHUM Resulting Hashrates Compared to cost factor 5 cost factor 12 Hashes Hashes Hashes Hashes Second Watt Second Second Watt Second Zedboard 6,511 1,550 51.95 12.37 Malvoni (GSoC) 780 Malvoni et al. 4,571 682.24 64.83 9.68 Virtex-7 51,437 2,572 410.4 20.52 Xeon E3-1240 6,210 20.7 50 0.17 GTX 750 Ti 1,920 6.4 15 0.05 Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 19

  28. RUHR-UNIVERSITÄT BOCHUM Brute Force Attack Cost 5 CPU ∗ break-even GPU ∗ CPU+GPU ∗ 20 Total costs in $1 000 000 Virtex-7 zedboard Malvoni et al. 15 10 7 5 5 10 15 20 25 30 35 40 45 50 Number of attacked passwords Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 20

  29. RUHR-UNIVERSITÄT BOCHUM Questions? Thank you for your attention! Images: Wikimedia Commons, flickr Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 21

Recommend

Hierarchical Content Stores in High-Speed ICN Routers: Emulation and Prototype Implementation

Hierarchical Content Stores in High-Speed ICN Routers: Emulation and Prototype Implementation

Hierarchical Content Stores in High-Speed ICN Routers: Emulation and Prototype Implementation Rodrigo B. Mansilha 1,2,6 , Lorenzo Saino 3,6 , Marinho P. Barcellos 2 , Massimo Gallo 4,6 , Emilio Leonardi 5 , Diego Perino 4,6 , Dario Rossi 1,6 1

653 views • 28 slides
Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot

Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot

Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot retrieve the plain text Common hashes: md5 sha1 sha256 $password = hash (md5,$password); Better (though less common hash) Bcrypt

355 views • 18 slides
High-speed Checkpointing for High Availability Brendan Cully brendan@cs.ubc.ca Department of

High-speed Checkpointing for High Availability Brendan Cully brendan@cs.ubc.ca Department of

Introduction Design and Implementation Evaluation Conclusion High-speed Checkpointing for High Availability Brendan Cully brendan@cs.ubc.ca Department of Computer Science The University of British Columbia Xen Summit 5, November 2007

514 views • 26 slides
High-speed parallel software implementation of the T pairing Diego F. Aranha Institute of

High-speed parallel software implementation of the T pairing Diego F. Aranha Institute of

High-speed parallel software implementation of the T pairing Diego F. Aranha Institute of Computing UNICAMP Joint work with Julio L opez and Darrel Hankerson Diego F. Aranha, Julio L opez, Darrel Hankerson High-speed parallel

623 views • 44 slides
MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL (WEST MIDLANDS CREWE) BILL Monday 19 March 2018 (Afternoon) In Committee Room 5 PRESENT: James Duddridge (Chair) Sandy Martin Mrs Sheryll

956 views • 57 slides
Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for Transportation Co., Ltd. (JIC) Index Trend of the HSR Project HSR Project in The World Superiority of Introducing HSR Transport Needs

1.02k views • 25 slides
HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem

HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem

HIGH-LEVEL SEARCH: FROM HYPER- HEURISTICS TO ALGORITHM SELECTION MUSTAFA MISIR HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem (~instance), Operates upon perform a search on algorithm space

526 views • 23 slides
Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for NextGen-VLA antenna project Qinglong Li, Andreas Beling, Joe C. Campbell University of Virginia, Charlottesville, VA 22904 Outline High power photodiode

746 views • 25 slides
High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor

High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor

High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor Corporation Belgium Vision 2006 P E R F O R M Outline Introduction Architecture Analog high speed CIS Digital high speed CIS

593 views • 32 slides
Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder Interface for Overview New linear position/velocity sensor Non-contact High resolution High speed Based on proven

320 views • 27 slides
1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High

1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High

1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High Speed UK Connecting the Nation Who are we? Colin Elliff BSc CEng MICE Civil Engineering Principal, HSUK Quentin Macdonald

899 views • 85 slides
RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power Integrated Circuits 2009. 04. 27 Kwangseok Seo Seoul National University Outline Outline Introduction RTD/HEMT Integration Technology

369 views • 22 slides
High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber

High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber

High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber Newcastle, 7 December 2012 What is high speed rail? High speed rail refers to passenger trains travelling at 250 km/h or more, on purpose-built tracks.

354 views • 11 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges & Approaches Security: Challenges & Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
High-speed dispersing between two deinking loops: are there optimisation possibilities?

High-speed dispersing between two deinking loops: are there optimisation possibilities?

High-speed dispersing between two deinking loops: are there optimisation possibilities? Benjamin FABRY and Bruno CARRE Niagara Falls, September 2007 Guideline Introduction Theoretical aspects High-speed dispersing between two

464 views • 44 slides
High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago & much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides
Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet

Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet

3G Evolution 3G Evolution 3G Evolution 3G Evolution Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet Access Deepak Dasalukunte Department of Electrical and Information Technology 16-Apr-2009

393 views • 25 slides
Using Low-Speed Links for High-Speed Wireless Data Delivery Henning Schulzrinne Dept. of

Using Low-Speed Links for High-Speed Wireless Data Delivery Henning Schulzrinne Dept. of

Using Low-Speed Links for High-Speed Wireless Data Delivery Henning Schulzrinne Dept. of Computer Science Columbia University (with Stelios Sidiroglou and Maria Papadopouli) ORBIT Research Review - May 13, 2004 1 Overview Disconnected

226 views • 22 slides
High-speed engineering of high-speed software D. J. Bernstein Traditional software engineering:

High-speed engineering of high-speed software D. J. Bernstein Traditional software engineering:

High-speed engineering of high-speed software D. J. Bernstein Traditional software engineering: Design programming environment to minimize programmer time. Environment is now constant. Write tons of software. Software is now constant. Try

389 views • 4 slides
High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

Preliminaries FPGA Implementation Results, Comparisons and Conclusions High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma Skytt a Helsinki University of Technology Department of Signal

528 views • 36 slides
EXPLORER+727 Comprehensive communication hub for vehicles EXPLORER+ 727 High-speed

EXPLORER+727 Comprehensive communication hub for vehicles EXPLORER+ 727 High-speed

EXPLORER+727 Comprehensive communication hub for vehicles EXPLORER+ 727 High-speed broadband-on-the-move: Automatically tracks satellite positions enabling high-speed connectivity while on-the-move. Simultaneous 432 kbps data and phone

412 views • 11 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits & More Info Design & Implementation: Robert Edmonds <edmonds@fsi.io> Website:

786 views • 40 slides
5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard

5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard

5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard Architecture for Problem 5.1 Recursion-Based Search Solving 5.2 Pattern-directed Search 5.5 Epilogue and 5.3 Production Systems References 5.6

593 views • 28 slides
CALIFORNIAS HIGH-SPEED TRAIN A presentation to Los Angeles Metropolitan Transportation

CALIFORNIAS HIGH-SPEED TRAIN A presentation to Los Angeles Metropolitan Transportation

CALIFORNIAS HIGH-SPEED TRAIN A presentation to Los Angeles Metropolitan Transportation Authority By Jeff Barker , Deputy Director, California High- Speed Rail Authority May 2010 BACKGROUND First discussions started 30 years ago

205 views • 17 slides

More recommend