Professional Documents
Culture Documents
11 042) Guided By: Dr. D. C. Jinwala: Prepared By: Parth Patel (P CO
11 042) Guided By: Dr. D. C. Jinwala: Prepared By: Parth Patel (P CO
11 042) Guided By: Dr. D. C. Jinwala: Prepared By: Parth Patel (P CO
Introduction Exhaustive Search Dictionary of Hash Martin Hellman's Cryptanalytic TMTO Why Called TMTO? Problems with Hellmans TMTO Improvements Rainbow Table Schema Improved Rainbow Table Protection Existing Implementation Conclusion
Given Encryption function E. Plaintext P0 and corresponding cipher text C0. Recovering a key K N is equivalent to inverting one-way function.
C0 = EP0(K) EP0-1(C0) = K
If value column is ignored and 64-bit output of oneway function, the space required is 8*264 bytes (7 Exabyte).
In 1980 Hellman described an attack to inverse N values of a function[1] Needs N calculations before the attack Calculate N but store few to save storage Practically applicable when same Cryptanalysis have to be carried out many times.
aaaaaa --H--> 5AE419F8 --R--> eyiygsl --H--> AC4B68E2 --R--> sgfnyd . --R--> keiget
Generate multiple chains with this schema but different initial points. Only Store starting point and ending point.
aaaaaa --H--> 5AE419F8 --R--> eyiygsl --H--> AC4B68E2 --R--> sgfnyd . --R--> keiget
Generate multiple chains with this schema but different initial points. Only Store starting point and ending point.
Look up 7
h8
Not Found
Look up
10
R h7
Not Found
Look up
R h10
10
Re-compute chain starting with 4 until h8 is encountered At each step keep track of last used preimage
Table Lookup is Costly Slow IO The reduction function can give the same password for two different hashes merges Even if you find an end in the table, you may not find the password in the chain false alarms
Distinguished point Method suggested by L. Rivest.[2] Continue to compute chain until a point which satisfy some predefined condition.
Ex: first/last 20 bits of hash is zero
So when running online attack do not lookup table after each reduce operation but only when predefined condition satisfied. Variable length chain. Helps to identify Merging chains.
Avoine suggested a method to reduce checkpoints[3] It defines set of positions in the chains to be checkpoints. The value of checkpoint function G is calculated for each checkpoint of each chain as shown.
During online attack for each check point we re-calculate value for G. When matching chain is found in table all the generated checkpoint values are compared with the check point values stored in table. If they differ at least for one checkpoint it is declared as false alarm.
In 2003 Oechslin introduced new way of table generation. Instead of using one reduction function a set of reduction function {R1,R2,R3 ..} . After each application of one-way function a reduction function from this set is used. Significant improvement in merging chains. If N reduction function is used then after any collision there is only 1/N probability of merging chain.
In 2009, V. L. Thing and H. M. Ying introduced new table structure.[5] This table structure improves upon memory requirements
Key stretching
key = hash(password) for 1 to 65536 do key = hash(key + password)
Rtgen
Used to generate rainbow tables of various algo LM, NTLM, MD5, SHA, ORACLE Various implementation use this tables Sam Inside, Able & Cain
Ophcrack [13]
7.5 GB table size XP special (7.5GB) 96% Success Rate Used against LM hash Recover in less than 5 Minutes
DistrRTgen [8]
Distributed Table Generation Project. BOINC grid computing architecture. Tables can be downloaded free.
Brute force attack is not always practical as it takes too long table lookup attack usually takes too much amount of memory, sometimes beyond current technology reach. Time-Memory Trade-off attacks is another generic framework that can be applied to invert one-way function with opportunity to balance required time vs. memory.