Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene.

transcript

Exercises2013-05-02

Information Security Course

Eric Laermans – Tom Dhaene

Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans

Introduction

Password storage in MS Windows old system

LM hash (LAN Manager hash)– untill Windows Me

new system NTLM hash (NT LAN Manager)

– since Windows NT 3.1

Introduction

Password storage in MS Windows encoded storage

in SAM (Security Accounts Manager)– non-accessible while OS is active

» file locked by OS when Windows is operating (impossible to read, copy or remove)

– QUESTION 1:» still possible to access file to test passwords

offline?

LM Hash

Limitations passwords of at most 14 ANSI-characters

95 possible characters a.k.a. “printable ASCII”

LM Hash

Operation1. converting lower case to upper case

2. adding NULL-characters to obtain 14 characters

3. splitting in two sequences of 7 characters

4. each of these sequences is used as a key to encrypt “KGS!@#$%” (ECB) results in two encoded blocks of 8 bytes the thus obtained 16 bytes are the LM Hash

QUESTION 2 possible attacks, weaknesses? estimated time required for possible attack?

NTLM Hash

Operation MD4-hash of password

case-sensitive password MD4: hash function with 128 bits hash value

– predecessor of MD5– strong collision resistance totally broken– effective strength as a one-way-function

(preimage resistance) only 102 bits» rather theoretical weakness, not really

practical

QUESTION 3 comparie with present password storage in Linux? reasonable time to crack?

Backward compatibility

double password storage using NTLM Hash using LM Hash

if possible, otherwise fake value default up to Windows XP

– can be disabled by registry modification– disabled by default since Windows Vista

QUESTION 4 weaknesses of this scheme? better than LM Hash only? how can you make sure LM Hash is not stored?

Improved attacks

Attacks until now (generally) feasible if LM Hash is available

but still requires quite a lot of compuation time if brute force is used

QUESTION 5 suggestions to improve the attack technique?

– hint: can part of the job be precomputed?

Improved attacks

Precomputed hash chains not feasible to precompute and store all encoded

passwords QUESTION 6:

– how much storage would be required for password encoded using LM Hash?

Improved attacks

Precomputed hash chains how can we select the password we want to

store? precomputed hash chains

– technique using trade-off between required computation time and required storage

– for N possible passwords: » storage: O(N2/3)» computation time: O(N2/3)

Improved attacks

Precomputed hash chains two functions

hash function H:PC– transforms password into encoded password– domain: space of possible passwords (P)– range: space of possible hash values (C)

reduction function R:CP– derives a (pseudorandom) password from hash

value» doesn’t need to be a one-way-function» simple choice possible

– domain: space of possible hash values (C)– range: space of possible passwords (P)

Improved attacks

Precomputed hash chains choose a (sufficiently large) number (n) of different

passwords pj,0 (with j:0..(n-1))

compute (not too large) a number (k) of links for each chain

pj,i+1 = R(H(pj,i)) (with i:0..(k-1))

only store the start and end points of the chains pj,0 and pj,k (with j:0..(n-1))

Improved attacks

Precomputed hash chains cracking an encoded password h

compute: p(0) = R(h) compute: p(i) = R(H(p(i-1)))

– until some p(i) is found which is present in the table of end points pj,k of the hash chains

recompute the chain, starting from pj,0 until the right value pj,k-i-1 is found, such thatH(pj, k-i-1) = h

NOTE: some chains may overlap chains may contain loops false positives are possible

Improved attacks

Precomputed hash chains required improvement upon basic approach

multiple tables– each with different reduction function– reducing impact op overlapping chains– number typically proportional to chain length

» drawback: larger search time (proportional to chain length and number of chains)

Improved attacks

Precomputed hash chains possible simplification

“distinguished points”– stop chain computation when easily

distinguishable password is reached (instead of fixed length chains)

» e.g. starting / ending with 10 null-bits

QUESTION 7:– what is the advantage of this approach?

Improved attacks

Rainbow tables improvement over precomputed hash chains

using different reduction function for each link in the chain

– k reduction functions Ri needed (with i:0..(k-1))

– pj,i+1 = Ri (H(pj,i)) (with i:0..(k-1))

look up encoded password h

– compute p(0,0) = Rk-1(h) and lookup in table of end points

– if not found, look up p(1,1) = Rk-1(H(Rk-2(h)))

– if needed, continue with p(i,i) = Rk-1(H(p(i,i-1)))

» with p(i,j) = Rk-i+j-1(H(p(i,j-1)))

Improved attacks

Rainbow tables advantages

fewer lookups than with multiple tables for precomputed hash chains

– approximately half as many fewer overlapping chains

– and easier to identify which chains merge no loops in chains chains of constant length

– in opposition to “distinguished points”

Improved attacks

Rainbow tables references:

P. Oechslin, “Making a faster cryptanalytic time-memory trade-off,” Advances in Cryptology -CRYPTO 2003, pp. 617-630http://lasec.epfl.ch/pub/lasec/doc/Oech03.pdf

project RainbowCrackhttp://project-rainbowcrack.com/

Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene.

Documents