tmto
TRANSCRIPT
![Page 1: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/1.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 1/29
Prepared By:
Parth Patel ( P11CO042 )
Guided By:
Dr. D. C. Jinwala
![Page 2: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/2.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 2/29
Introduction Exhaustive Search Dictionary of Hash
Martin Hellman's Cryptanalytic TMTO Why Called TMTO? Problems with Hellman’s TMTO Improvements Rainbow Table Schema Improved Rainbow Table Protection Existing Implementation Conclusion
![Page 3: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/3.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 3/29
Given Encryption function E. Plaintext P0 andcorresponding cipher text C0.
Recovering a key K ∊ N is equivalent toinverting one-way function.
C0 = EP0(K) EP0-1(C0) = K
Problem : Find pre image of a given output of One-Way function H.
Given a hash “Y” find any corresponding “X” such
that Y=H(X) where H is one-way function.
![Page 4: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/4.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 4/29
Traditional attack: Brute Force
Always theoretical possible
Needs exponential time to run Ex. MD-5 is 128 bit hash
Can we improve the time to recover
Password?
![Page 5: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/5.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 5/29
Pre-calculate all hashes, store all Store in sorted order Can crack hashes ‘immediately’
Uses massive amounts of space
If value column is ignored and 64-bit output of one-way function, the space required is 8*264 bytes (7Exabyte).
key value
aaaa10ba956cacf8861139efb9 software
bbbb6348157868b25c81aebfb9 security
cccc2c3b5aa76527deb882cf99 zoo
![Page 6: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/6.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 6/29
In 1980 Hellman described an attack toinverse N values of a function[1]
Needs N calculations before the attack Calculate N but store few to save storage Practically applicable when same
Cryptanalysis have to be carried out manytimes.
![Page 7: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/7.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 7/29
One have Given a One-way function .
H: {VariableLengthStrings} -> {0,1}n
Define a Reduction function which reducesthe output of H to input domain of H.
R: {0,1}n -> {VariableLengthStrings}
Now generate hash chain by applyingfunction “H” and “R” successively .
![Page 8: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/8.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 8/29
So the chain looks like this
aaaaaa --H--> 5AE419F8 --R--> eyiygsl --H--> AC4B68E2 --R--> sgfnyd …. --R--> keiget
Generate multiple chains with this schemabut different initial points.
Only Store starting point and ending point.
![Page 9: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/9.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 9/29
So the chain looks like this
aaaaaa --H--> 5AE419F8 --R--> eyiygsl --H--> AC4B68E2 --R--> sgfnyd …. --R--> keiget
Generate multiple chains with this schemabut different initial points.
Only Store starting point and ending point.
![Page 10: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/10.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 10/29
Given the hash “h8” find the pre image forthat
h8R
7
Not Found
Look up
![Page 11: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/11.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 11/29
Given the hash “h8” find the pre image forthat
7H
h7
Not Found
R10
Look up
![Page 12: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/12.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 12/29
Given the hash “h8” find the pre-image forthat
10H
h10
Found chainstarting with 4
R1
Look up
![Page 13: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/13.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 13/29
Re-compute chain starting with “4” until “h8”is encountered
At each step keep track of last used pre-image
![Page 14: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/14.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 14/29
Success Rate (Perfect table):
m = Chain Lengthn = Number Of ChainsN = Total number of possible hash
![Page 15: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/15.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 15/29
Table Lookup is Costly Slow IO The reduction function can give the same
password for two different hashes merges Even if you find an end in the table, you may not
find the password in the chain false alarms
![Page 16: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/16.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 16/29
Distinguished point Method suggested by L.Rivest.[2]
Continue to compute chain until a pointwhich satisfy some predefined condition. Ex: first/last 20 bits of hash is zero
So when running online attack do not lookup
table after each reduce operation but onlywhen predefined condition satisfied. Variable length chain. Helps to identify Merging chains.
![Page 17: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/17.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 17/29
Avoine suggested a method to reducecheckpoints[3]
It defines set of positions in the chains to becheckpoints. The value of checkpoint function G is
calculated for each checkpoint of each chainas shown.
![Page 18: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/18.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 18/29
During online attack for each check point were-calculate value for G.
When matching chain is found in table all thegenerated checkpoint values are comparedwith the check point values stored in table.
If they differ at least for one checkpoint it isdeclared as false alarm.
![Page 19: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/19.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 19/29
In 2003 Oechslin introduced new way of tablegeneration.
Instead of using one reduction function a setof reduction function {R1,R2,R3 …..} .
After each application of one-way function areduction function from this set is used.
Significant improvement in merging chains. If N reduction function is used then after any
collision there is only 1/N probability of merging chain.
![Page 20: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/20.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 20/29
Source: Rainbow table - Wikipedia
![Page 21: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/21.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 21/29
![Page 22: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/22.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 22/29
Source: Rainbow table - Wikipedia
![Page 23: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/23.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 23/29
In 2009, V. L. Thing and H. M. Ying introduced new
table structure.[5]
This table structure improves upon memory
requirements
![Page 24: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/24.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 24/29
Do not hash password directly. Use Salted Hash
saltedhash(password) = hash(password + salt) saltedhash(password) =hash(hash(password) + salt)
Key stretchingkey = hash(password)
for 1 to 65536 dokey = hash(key + password)
![Page 25: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/25.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 25/29
Rtgen Used to generate rainbow tables of various algo
LM, NTLM, MD5, SHA, ORACLE
Various implementation use this tables
Sam Inside, Able & Cain Ophcrack [13] 7.5 GB table size XP special (7.5GB)
96% Success Rate
Used against LM hash
Recover in less than 5 Minutes
![Page 26: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/26.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 26/29
DistrRTgen [8] Distributed Table Generation Project.
BOINC grid computing architecture.
Tables can be downloaded free. Security Research Lab [10] GSM call Interception A5/1 encryption Algorithm.
2 TB of Hybrid Table. Elcomsoft : Thunder tables 4 GB table.
Used to crack RC4 algorithm in Office Files.
![Page 27: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/27.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 27/29
Brute force attack is not always practical as ittakes too long
table lookup attack usually takes too muchamount of memory, sometimes beyondcurrent technology reach.
Time-Memory Trade-off attacks is anothergeneric framework that can be applied toinvert one-way function with opportunity tobalance required time vs. memory.
![Page 28: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/28.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 28/29
![Page 29: TMTO](https://reader030.vdocuments.site/reader030/viewer/2022021217/577ce0391a28ab9e78b2db32/html5/thumbnails/29.jpg)
7/29/2019 TMTO
http://slidepdf.com/reader/full/tmto 29/29