exercises 2013-05-02 information security course eric laermans – tom dhaene
TRANSCRIPT
![Page 1: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/1.jpg)
Exercises2013-05-02
Information Security Course
Eric Laermans – Tom Dhaene
![Page 2: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/2.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 2
Introduction
Password storage in MS Windows old system
LM hash (LAN Manager hash)– untill Windows Me
new system NTLM hash (NT LAN Manager)
– since Windows NT 3.1
![Page 3: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/3.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 3
Introduction
Password storage in MS Windows encoded storage
in SAM (Security Accounts Manager)– non-accessible while OS is active
» file locked by OS when Windows is operating (impossible to read, copy or remove)
– QUESTION 1:» still possible to access file to test passwords
offline?
![Page 4: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/4.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 4
LM Hash
Limitations passwords of at most 14 ANSI-characters
95 possible characters a.k.a. “printable ASCII”
![Page 5: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/5.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 5
LM Hash
Operation1. converting lower case to upper case
2. adding NULL-characters to obtain 14 characters
3. splitting in two sequences of 7 characters
4. each of these sequences is used as a key to encrypt “KGS!@#$%” (ECB) results in two encoded blocks of 8 bytes the thus obtained 16 bytes are the LM Hash
QUESTION 2 possible attacks, weaknesses? estimated time required for possible attack?
![Page 6: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/6.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 6
NTLM Hash
Operation MD4-hash of password
case-sensitive password MD4: hash function with 128 bits hash value
– predecessor of MD5– strong collision resistance totally broken– effective strength as a one-way-function
(preimage resistance) only 102 bits» rather theoretical weakness, not really
practical
QUESTION 3 comparie with present password storage in Linux? reasonable time to crack?
![Page 7: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/7.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 7
Backward compatibility
double password storage using NTLM Hash using LM Hash
if possible, otherwise fake value default up to Windows XP
– can be disabled by registry modification– disabled by default since Windows Vista
QUESTION 4 weaknesses of this scheme? better than LM Hash only? how can you make sure LM Hash is not stored?
![Page 8: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/8.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 8
Improved attacks
Attacks until now (generally) feasible if LM Hash is available
but still requires quite a lot of compuation time if brute force is used
QUESTION 5 suggestions to improve the attack technique?
– hint: can part of the job be precomputed?
![Page 9: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/9.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 9
Improved attacks
Precomputed hash chains not feasible to precompute and store all encoded
passwords QUESTION 6:
– how much storage would be required for password encoded using LM Hash?
![Page 10: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/10.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 10
Improved attacks
Precomputed hash chains how can we select the password we want to
store? precomputed hash chains
– technique using trade-off between required computation time and required storage
– for N possible passwords: » storage: O(N2/3)» computation time: O(N2/3)
![Page 11: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/11.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 11
Improved attacks
Precomputed hash chains two functions
hash function H:PC– transforms password into encoded password– domain: space of possible passwords (P)– range: space of possible hash values (C)
reduction function R:CP– derives a (pseudorandom) password from hash
value» doesn’t need to be a one-way-function» simple choice possible
– domain: space of possible hash values (C)– range: space of possible passwords (P)
![Page 12: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/12.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 12
Improved attacks
Precomputed hash chains choose a (sufficiently large) number (n) of different
passwords pj,0 (with j:0..(n-1))
compute (not too large) a number (k) of links for each chain
pj,i+1 = R(H(pj,i)) (with i:0..(k-1))
only store the start and end points of the chains pj,0 and pj,k (with j:0..(n-1))
![Page 13: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/13.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 13
Improved attacks
Precomputed hash chains cracking an encoded password h
compute: p(0) = R(h) compute: p(i) = R(H(p(i-1)))
– until some p(i) is found which is present in the table of end points pj,k of the hash chains
recompute the chain, starting from pj,0 until the right value pj,k-i-1 is found, such thatH(pj, k-i-1) = h
NOTE: some chains may overlap chains may contain loops false positives are possible
![Page 14: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/14.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 14
Improved attacks
Precomputed hash chains required improvement upon basic approach
multiple tables– each with different reduction function– reducing impact op overlapping chains– number typically proportional to chain length
» drawback: larger search time (proportional to chain length and number of chains)
![Page 15: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/15.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 15
Improved attacks
Precomputed hash chains possible simplification
“distinguished points”– stop chain computation when easily
distinguishable password is reached (instead of fixed length chains)
» e.g. starting / ending with 10 null-bits
QUESTION 7:– what is the advantage of this approach?
![Page 16: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/16.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 16
Improved attacks
Rainbow tables improvement over precomputed hash chains
using different reduction function for each link in the chain
– k reduction functions Ri needed (with i:0..(k-1))
– pj,i+1 = Ri (H(pj,i)) (with i:0..(k-1))
look up encoded password h
– compute p(0,0) = Rk-1(h) and lookup in table of end points
– if not found, look up p(1,1) = Rk-1(H(Rk-2(h)))
– if needed, continue with p(i,i) = Rk-1(H(p(i,i-1)))
» with p(i,j) = Rk-i+j-1(H(p(i,j-1)))
![Page 17: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/17.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 17
Improved attacks
Rainbow tables advantages
fewer lookups than with multiple tables for precomputed hash chains
– approximately half as many fewer overlapping chains
– and easier to identify which chains merge no loops in chains chains of constant length
– in opposition to “distinguished points”
![Page 18: Exercises 2013-05-02 Information Security Course Eric Laermans – Tom Dhaene](https://reader030.vdocuments.site/reader030/viewer/2022032806/56649f065503460f94c1bf67/html5/thumbnails/18.jpg)
Information SecurityVakgroep Informatietechnologie – IBCN – Eric Laermans
p. 18
Improved attacks
Rainbow tables references:
P. Oechslin, “Making a faster cryptanalytic time-memory trade-off,” Advances in Cryptology -CRYPTO 2003, pp. 617-630http://lasec.epfl.ch/pub/lasec/doc/Oech03.pdf
project RainbowCrackhttp://project-rainbowcrack.com/