Les compromis temps-m emoire ` a lassaut de vos (nos) mots de - PowerPoint PPT Presentation

Les compromis temps-m´ emoire ` a l’assaut de vos (nos) mots de passe ! Gildas Avoine Universit´ e catholique de Louvain, Belgium

Crossroad Topic Algorithms Probability Computer Security Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 2

SUMMARY Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

MOTIVATIONS Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

One-wayness Function that is easy to compute on every input, but hard to invert given the image of a random input. Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 5

Foundations of Cryptography: Public-Key DL problem (discrete logarithm):   p  it is hard to retrieve a . Given g  g a mod p RSA problem ( e -th root modulo a composite n ):   n  it is hard to retrieve m . Given e  m e mod n Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 6

Foundations of Cryptography: Symmetric Key Cryptographic hash functions: MD5, SHA1, SHA3 Encryption functions: DES, AES Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 7

Example: Password-based Authentication User (login, pwd) Computer login, pwd − − − − − − − − − − − − − → Compute h (pwd) login 1 h (pwd 1 ) login 2 h (pwd 2 ) login 3 h (pwd 3 ) . . . . . . Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 8

Exhaustive Search On-live exhaustive search: ◦ Computation: N ◦ Storage: 0 ◦ Precalculation: 0 Precalculated exhaustive search: ◦ Computation: 0 ◦ Storage: N ◦ Precalculation: N Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 9

HELLMAN TABLES Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

Hellman Trade-off (1980) Precalculation phase to speed up the on-live attack: T ∝ N 2 M 2 Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 11

Precalculation Invert h : A → B . Define R : B → A an arbitrary (reduction) function. Define f : A → A such that f = R ◦ S . Chains are generated from arbitrary values in A . f f f f S 1 = X 1 , 1 X 1 , 2 X 1 , 3 . . . X 1 , t = E 1 → → → → f f f f S 2 = X 2 , 1 X 2 , 2 X 2 , 3 . . . X 2 , t = E 2 → → → → . . . . . . f f f f S m = X m , 1 X m , 2 X m , 3 . . . X m , t = E m → → → → The generated values should cover the set A . Only the first and the last element of each chain is stored. Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 12

On-live Attack Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 13

On-live Attack False Alarms Given one output C ∈ B , we compute Y 1 := R ( C ) and f f f generate a chain starting at Y 1 : Y 1 → Y 2 → Y 3 → . . . Y s S j C ′ E j Y s C Y 1 time needed to detect time needed to find the false alarm a maching end point Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 14

Coverage and Collisions Time-memory trade-off techniques are probabilistic. Collisions occur during the precomputation phase. Several tables with different reduction functions. Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 15

OECHSLIN TABLES Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

Oeschlin Tables (2003) Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 17

Rainbow Tables Use a different reduction function per column: rainbow tables. Invert h : A → B . Define R i : B → A arbitrary (reduction) functions. Define f i : A → A such that f i = R i ◦ S . f 1 f 2 f 3 f t S 1 = X 1 , 1 X 1 , 2 X 1 , 3 . . . X 1 , t = E 1 → → → → f 1 f 2 f 3 f t S 2 = X 2 , 1 X 2 , 2 X 2 , 3 X 2 , t = E 2 . . . → → → → . . . . . . f 1 f 2 f 3 f t S m = X m , 1 X m , 2 X m , 3 . . . X m , t = E m → → → → Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 18

Discarding the Merges If 2 chains collide in different columns, they don’t merge. If 2 chains collide in same column, merge can be detected. A table without merges is said perfect Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 19

Trade-off Within the Precalculation Phase 6 x 10 18 16 Millions de chaînes n’ayant pas fusionné 14 12 10 8 6 4 2 0 0 1 2 3 4 5 6 Nombre de centaines de millions de chaînes calculées 8 x 10 Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 20

On-live Attack: A More Complex Procedure Given one output C ∈ B , we compute Y 1 := R ( C ) and generate a chain starting at Y 1 : f f f Y 1 → Y 2 → Y 3 → . . . Y s S j C E j Y s C Y 1 time needed to rebuild time needed to find the chain a maching end point Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 21

Success Probability of a Table is Bounded Theorem Given t and a sufficiently large N, the expected maximum number of chains per perfect rainbow table without merge is: 2 N m max ( t ) ≈ t + 1 . Theorem Given t, for any problem of size N, the expected maximum probability of success of a single perfect rainbow table is: � t � 2 P max ( t ) ≈ 1 − 1 − t + 1 which tends toward 1 − e − 2 ≈ 86% when t is large. Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 22

Average Cryptanalysis Time Theorem Given N, m, ℓ , and t, the average cryptanalysis time is: k = ℓ t i = t p k (( t − c )( t − c + 1) � � T = + q i i ) ℓ + 2 k =1 i = c c = t −⌊ k − 1 ⌋ ℓ i = t (1 − m N ) ℓ t ( t ( t − 1) � + q i i ) ℓ 2 i =1 where q i = 1 − m N − i ( i − 1) t ( t + 1) . Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 23

REAL LIFE EXAMPLES Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

Windows LM Passwords (Algorithm) Win98/ME/2k/XP uses the Lan Manager Hash (LM hash). The password is cut in two blocks of 7 characters. Lowercase letters are converted to uppercase. Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 25

Windows LM Hash (Results) Cracking an alphanumerical password (LM Hash) on a PC. Size of the problem: N = 8 . 06 × 10 10 = 2 36 . 23 . Brute Force TMTO 4 . 03 × 10 10 1 . 13 × 10 6 On-live Attack (op) Time 2 h 15 0.226 sec 1 . 42 × 10 13 Precalculation (op) 0 Time 0 33 days Storage 0 2 GB Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 26

Statistics from 10,000 leaked Hotmail passwords Password Type numeric 19% lower case alpha 42% mixed case alpha 3% mixed numeric alpha 30% other charac 6% Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 27

Texas Instruments Digital Signature Transponder Texas Instrument Digital Signature Transponder. ◦ 134.2 kHz. ◦ 130 million car immobilizer keys. ◦ Condition to enable fuel-injection system of the vehicle. Cipher that uses 40-bit keys Verifier Prover r − − − − − − − − − − − − − − − → id , E k ( r ) ← − − − − − − − − − − − − − − − Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 28

Texas Instrument Key Cracking (Results) Cracking a TI DST key on a PC. Size of the problem: N= 2 40 . Brute Force TMTO 5 . 50 × 10 11 1 . 53 × 10 7 On-live Attack (op) Time 30 h 30 3.07 sec 1 . 94 × 10 14 Precalculation (op). 0 Time 0 448 days Storage 0 8GB Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 29

FINGERPRINT TABLES (Joint work with A. Bourgeois and X. Carpent) Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion

Checkpoints Given one output C ∈ B , we compute Y 1 := R ( C ) and generate a chain starting at Y 1 : f j − s f j − s +1 f j − s +2 Y 1 → Y 2 Y 3 . . . Y s → → α C ′ S j X j ,α E j Y s Y α + s − t C Y 1 time needed to detect time needed to find the false alarm a maching end point Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 31

ridges Endpoints and checkpoints share the same nature. Each column contains a ridge function that outputs a (potentially empty) fingerprint of the chain. Endpoints are no longer stored. Type-II false alarms. Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 32

Fingerprint Tables Theorem The average amount of evaluations of h during the on-live phase using the fingerprint tables is: ℓ t m 1 − m � k − 1 1 − m � ℓ t � � � T = ( W k + Q k ) + ( W ℓ t + Q ℓ t ) , N N N k =1 t � i − 1 � 1 − m i � � � c i = t − , q c = 1 − , ℓ N i = c   k t i − 1 � � �  ( q i − q i +1 ) , W k = ( t − c i ) , P c = φ j  i =1 i = c j = c k t � � Q k = ( c i − 1)( P c i + E c i ) , E c = ( m − q c ) φ i . i =1 i = c Gildas Avoine Cryptanalytic Time-memory Trade-off: Fingerprint Tables 33