Rainbow Tables

February 13, 2010 Leave a comment

rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function. A common application is to make attacks against hashed passwords feasible. A salt is often employed with hashed passwords to make this attack more difficult, often infeasible.

An efficient windows XP password cracker that brute force the LM hash Ophcrack uses a rainbow table for alphanumeric characters of size 1 GB. Ophcrack is very effective and fast in cracking such passwords.

The Ophcrack contains the LanManager (LM) hashes of 99.9% of all alphanumerical passwords. These are passwords made of mixed case letters and numbers (about 80 billion hashes). Because the LanManager hash cuts passwords into two pieces of 7 characters, passwords of length 1 to 14 can be cracked with this table set. Since the LanManager hash is also not case sensitive, the 80 billion hashes in this table set corresponds to 283 passwords.

Strange enough and while LAN Manager is considered obsolete and current Windows operating systems use the stronger NTLM, NTLMv2 or Kerberos hashing methods, Windows systems before Windows Vista/Windows Server 2008 still compute and store the LAN Manager hash by default for compatibility with LAN Manager and earlier clients, as well as some 16-bit applications that are still in use on the most current versions of Windows. It is considered good security practice to disable this feature where it isn’t needed. Microsoft claimed that support for LM would be completely eliminated in the Windows Vista operating system. However Windows Vista and Windows Server 2008 still include support for the LM hash, although it is now disabled by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting to domain controllers. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT. Users can also prevent a LM hash from being generated for their password by using a password at least 15 characters in length.

How to mitigate the Rainbow Table Attack

Rainbow table attack would be ineffective against one-way hashes that include salts.

The salt value is not secret and may be generated at random and stored with the password hash. A large salt value prevents precomputation attacks, including rainbow tables, by ensuring that each user’s password is hashed uniquely. This means that two users with the same password will have different password hashes (assuming different salts are used). In order to succeed, an attacker needs to pre-compute tables for each possible salt value. The salt must be large enough, otherwise an attacker can make a table for each salt value.

Filed under Hacking, Hashing, Security Tagged with , , , ,

Hashing Functions – Finding Collisions

February 12, 2010 Leave a comment

The simple definition of a hash function is the following:

A one-way hash function, H(M) transforms a message M of any length into a fixed-length hash value, h.

h = H(M), where h is of length m, which is a characteristic of the hash function used.
In addition, a one-way hash functions will have the additional characteristics:
Given h, it is hard to compute M such that H(M)= h.
Given M, it is easy to compute h.

An additional requirement is also needed when evaluating hash functions, this requirement is called collision-resistance.

It is hard to find two random messages, M and M’, such that H(M) = H(M’).

Two famous hashing functions used in our daily live are MD5 and SHA-1. Surprisingly, Microsoft has banned such hash functions 5 years ago to be used by its developer. In this article, I will investigate a set of issues about hash functions that will help us find collisions.

A birthday attack is simply a brute-force attacks. It gets its name from the surprising result that the probability that two or more people in a group of 23 share the same birthday is greater than 1/2; such a result is called a birthday paradox.

If some function, when supplied with a random input, returns one of k equally-likely values, then by repeatedly evaluating the function for different inputs, we expect to obtain the same output after about 1.2k1/2. For the above birthday paradox, replace k with 365.

You can check how to calculate such a probability here.

Another point about hash functions is that

If MD5(x) == MD5(y) then MD5(x+q) == MD5(y+q)

Having a pair messages x and y with the same MD5 value you can append any payload q and the MD5 values remain equal.

Being able to find collisions in MD5 hashing had the following consequences:

1- Vulnerabilities exposed in the Public Key Infrastructure (PKI) – read article MD5 considered harmful for more details.

2- All digital signatures like RSA, DSA/ElGamel, and Elliptical Curve never hash the data directly, but rather a hash of the data, often the choice is MD5. Also consider DRM (Digital Right Management) implementations using MD5. All these protection signatures and checksums are at risk because of these findings.

3- SSL uses concatenated MD5 and SHA-1sums; that ensures that a method to find collisions in in one of the functions doesn’t allow forging traffic protected with both functions.

However, the concatenated function is only as strong as the best component, not stronger. It was noted that 2-collisions lead to n-collisions: if it is feasible to find two messages with the same MD5 hash, it is effectively no more difficult to find as many messages as the attacker desires with identical MD5 hashes. Among the n messages with the same MD5 hash, there is likely to be a collision in SHA-1. The additional work needed to find the SHA-1 collision (beyond the exponential birthday search) is polynomial. This argument is summarized here.

I will be now investigating the algorithms to find collisions based on the ideas in this article.

Filed under Hacking, Hashing, Security Tagged with , , , ,

Follow

Get every new post delivered to your Inbox.

Join 132 other followers