tmto

Prepared By: Parth Patel ( P11 CO042 ) Guided By: Dr. D. C. Jinwala

Upload: arjun-patel

Post on 03-Apr-2018

Page 1: TMTO

7/29/2019 TMTO

http://slidepdf.com/reader/full/tmto 1/29

Prepared By:

Parth Patel ( P11CO042 )

Guided By:

Dr. D. C. Jinwala

Page 2: TMTO

Introduction

Exhaustive Search

Dictionary of Hash

Martin Hellman's Cryptanalytic TMTO

Why Called TMTO?

Problems with Hellman’s TMTO

Improvements

Rainbow Table Schema

Improved Rainbow Table

Protection

Existing Implementation

Conclusion

Page 3: TMTO

Given: an encryption function E, a plaintext $P_0$ and the corresponding ciphertext $C_0$.

Recovering a key K ∊ N is equivalent to inverting a one-way function.

$C_0 = E_{P_0}(K)$, $E_{P_0}^{-1}(C_0) = K$

Problem: find a pre-image of a given output of a one-way function H.

Given a hash “Y”, find any corresponding “X” such that Y = H(X), where H is a one-way function.

Page 4: TMTO

Traditional attack: brute force

Always theoretically possible

Needs exponential time to run

Ex. MD5 is a 128-bit hash

Can we improve the time to recover a password?

Page 5: TMTO

Pre-calculate all hashes, store all

Store in sorted order

Can crack hashes ‘immediately’

Uses massive amounts of space

If the value column is ignored and the one-way function has a 64-bit output, the space required is $8 \times 2^{64}$ bytes (7 Exabyte).

key value

aaaa10ba956cacf8861139efb9 software

bbbb6348157868b25c81aebfb9 security

cccc2c3b5aa76527deb882cf99 zoo

Page 6: TMTO

In 1980 Hellman described an attack to invert N values of a function [1]

Needs N calculations before the attack

Calculate N but store only a few to save storage

Practically applicable when the same cryptanalysis has to be carried out many times.

Page 7: TMTO

One is given a one-way function:

H: {VariableLengthStrings} -> {0,1}^n

Define a reduction function which reduces the output of H to the input domain of H:

R: {0,1}^n -> {VariableLengthStrings}

Now generate a hash chain by applying the functions “H” and “R” successively.

Page 8: TMTO

So the chain looks like this

aaaaaa --H--> 5AE419F8 --R--> eyiygsl --H--> AC4B68E2 --R--> sgfnyd …. --R--> keiget

Generate multiple chains with this schema but different initial points.

Only store the starting point and ending point.

Page 10: TMTO

Given the hash “h8”, find the pre-image for it

h8 --R--> 7

Look up 7: Not Found

Page 11: TMTO

Given the hash “h8”, find the pre-image for it

7 --H--> h7 --R--> 10

Look up 10: Not Found

Page 12: TMTO

Given the hash “h8”, find the pre-image for it

10 --H--> h10 --R--> 1

Look up 1: Found chain starting with 4

Page 13: TMTO

Re-compute the chain starting with “4” until “h8” is encountered

At each step keep track of the last used pre-image
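The chain construction and lookup walked through on the preceding slides, as an added Python example (not part of the original slides). The 3-letter keyspace, the use of MD5 for H, the modulo reduction for R and all function names are assumptions chosen for illustration.

```python
import hashlib
from itertools import product
from string import ascii_lowercase

# Constructed toy keyspace (assumption): all 3-letter lowercase strings.
KEYSPACE = ["".join(p) for p in product(ascii_lowercase, repeat=3)]
N = len(KEYSPACE)  # 17576

def H(x: str) -> str:
    """One-way function (MD5 stands in for the slides' H)."""
    return hashlib.md5(x.encode()).hexdigest()

def R(h: str) -> str:
    """Reduction function: map a hash back into the input domain of H."""
    return KEYSPACE[int(h, 16) % N]

def build_table(n_chains: int, length: int) -> dict:
    """Compute every chain fully, but store only endpoint -> [start points]."""
    table = {}
    for i in range(n_chains):
        start = x = KEYSPACE[(i * 7919) % N]   # distinct start points
        for _ in range(length):
            x = R(H(x))
        table.setdefault(x, []).append(start)
    return table

def lookup(table: dict, length: int, target: str):
    """Return a pre-image of target, or None if no stored chain covers it."""
    candidate = R(target)
    for _ in range(length):
        for start in table.get(candidate, []):
            x = start
            for _step in range(length):        # re-compute chain from its start
                if H(x) == target:
                    return x                   # the last used pre-image
                x = R(H(x))
            # endpoint matched but target is not in this chain: false alarm
        candidate = R(H(candidate))
    return None
```

Storing a list of start points per endpoint keeps chains that merged into the same endpoint, so a false alarm on one start point does not hide the chain that really contains the target.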

Page 14: TMTO

Success Rate (Perfect table):

m = Chain Length

n = Number Of Chains

N = Total number of possible hashes

Page 15: TMTO

Table lookup is costly: slow I/O

The reduction function can give the same password for two different hashes: merges

Even if you find an end in the table, you may not find the password in the chain: false alarms

Page 16: TMTO

Distinguished point method, suggested by L. Rivest [2].

Continue to compute the chain until a point satisfies some predefined condition. Ex: the first/last 20 bits of the hash are zero.

So when running the online attack, do not look up the table after each reduce operation, but only when the predefined condition is satisfied.

Variable-length chains.

Helps to identify merging chains.

Page 17: TMTO

Avoine suggested a method to reduce checkpoints [3]

It defines a set of positions in the chains to be checkpoints.

The value of the checkpoint function G is calculated for each checkpoint of each chain as shown.

Page 18: TMTO

During the online attack, for each checkpoint we re-calculate the value of G.

When a matching chain is found in the table, all the generated checkpoint values are compared with the checkpoint values stored in the table.

If they differ for at least one checkpoint, it is declared a false alarm.

Page 19: TMTO

In 2003 Oechslin introduced a new way of table generation.

Instead of using one reduction function, a set of reduction functions {R1, R2, R3, …} is used.

After each application of the one-way function, a reduction function from this set is used.

Significant improvement in merging chains.

If N reduction functions are used, then after any collision there is only a 1/N probability of the chains merging.
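To make the effect on merging measurable, the added example below (not from the original slides) builds the same number of chains once with a single reduction function and once with a per-column reduction function, then counts how many distinct plaintexts each table covers. The toy keyspace, the MD5 stand-in for H, the `(hash + column) mod N` reduction family and the function names are assumptions.

```python
import hashlib
from itertools import product
from string import ascii_lowercase

# Constructed toy keyspace (assumption): all 3-letter lowercase strings.
KEYSPACE = ["".join(p) for p in product(ascii_lowercase, repeat=3)]
N = len(KEYSPACE)

def H(x: str) -> int:
    """One-way function, returned as an integer (MD5 stands in for H)."""
    return int(hashlib.md5(x.encode()).hexdigest(), 16)

def reduce_hash(h: int, column: int) -> str:
    """R_column: adding the column index yields a different reduction per step."""
    return KEYSPACE[(h + column) % N]

def coverage(n_chains: int, length: int, rainbow: bool) -> int:
    """Number of distinct plaintexts that appear anywhere in the chains."""
    covered = set()
    for i in range(n_chains):
        x = KEYSPACE[(i * 7919) % N]           # distinct start points
        for column in range(length):
            covered.add(x)
            # A single-R table always uses R_0; a rainbow table uses R_column,
            # so two chains only merge if they collide in the same column.
            x = reduce_hash(H(x), column if rainbow else 0)
    return len(covered)

def compare(n_chains: int = 200, length: int = 200) -> dict:
    """Same work (n_chains * length hashes) spent on both table layouts."""
    return {
        "single_R": coverage(n_chains, length, rainbow=False),
        "rainbow": coverage(n_chains, length, rainbow=True),
    }
```

With a single reduction function, chains that touch the same plaintext follow the same path from then on, so much of the precomputation is spent re-walking points already covered; the per-column reduction avoids this unless the collision happens in the same column.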

Page 20: TMTO

Source: Rainbow table - Wikipedia

Page 22: TMTO

Source: Rainbow table - Wikipedia

Page 23: TMTO

In 2009, V. L. Thing and H. M. Ying introduced a new table structure. [5]

This table structure improves upon memory requirements.

Page 24: TMTO

Do not hash the password directly.

Use a salted hash:

saltedhash(password) = hash(password + salt)

saltedhash(password) = hash(hash(password) + salt)

Key stretching:

key = hash(password)

for 1 to 65536 do

    key = hash(key + password)
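The two protections above, as an added Python example (not from the original slides): a per-password random salt combined with the slide's stretching loop, shown next to the standard PBKDF2 function from `hashlib`. SHA-256, the 16-byte salt, mixing the salt into the first round, and all function names are assumptions; the small precomputed dictionary is constructed from the sample passwords on the dictionary slide.

```python
import hashlib
import hmac
import os

ROUNDS = 65536  # iteration count taken from the slide

def unsalted(password: str) -> str:
    """What a precomputed table targets: a bare, deterministic hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def stretched(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """The slide's loop, key = hash(key + password), seeded with a salt."""
    pw = password.encode()
    key = hashlib.sha256(salt + pw).digest()
    for _ in range(rounds):
        key = hashlib.sha256(key + pw).digest()
    return key

def new_record(password: str) -> dict:
    """Store the salt next to the derived keys; the salt is not secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "slide_loop": stretched(password, salt),
        "pbkdf2": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS),
    }

def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ROUNDS)
    return hmac.compare_digest(candidate, record["pbkdf2"])

# Constructed "precomputed table": unsalted hash -> password.
PRECOMPUTED = {unsalted(p): p for p in ("software", "security", "zoo")}

def table_hit(stored_hash_hex: str):
    """Return the password if the stored value appears in the table."""
    return PRECOMPUTED.get(stored_hash_hex)
```

Because the salt is random per record, the same password yields different stored values, so a table would have to be rebuilt for every salt, and the stretching multiplies the cost of each entry.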

Page 25: TMTO

Rtgen

Used to generate rainbow tables for various algorithms

LM, NTLM, MD5, SHA, ORACLE

Various implementations use these tables

Sam Inside, Cain & Abel

Ophcrack [13]

7.5 GB table size, XP special (7.5 GB)

96% Success Rate

Used against LM hash

Recover in less than 5 minutes

Page 26: TMTO

DistrRTgen [8]

Distributed Table Generation Project.

BOINC grid computing architecture.

Tables can be downloaded free.

Security Research Lab [10]

GSM call interception

A5/1 encryption algorithm.

2 TB of hybrid table.

Elcomsoft: Thunder Tables

4 GB table.

Used to crack the RC4 algorithm in Office files.

Page 27: TMTO

A brute force attack is not always practical, as it takes too long.

A table lookup attack usually takes too much memory, sometimes beyond the reach of current technology.

The Time-Memory Trade-off attack is another generic framework that can be applied to invert a one-way function, with the opportunity to balance required time vs. memory.
