Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption IT

Cracking PGP In the Cloud 167

pariax writes "So you wanna build your own massively distributed password cracking infrastructure? Electric Alchemy has published a writeup detailing their experiences cracking PGP ZIP archives using brute force computing power provided by Amazon EC2 and a distributed password cracker from Elcomsoft."
This discussion has been archived. No new comments can be posted.

Cracking PGP In the Cloud

Comments Filter:
  • by Anonymous Coward on Tuesday November 03, 2009 @05:24AM (#29961528)

    If only they'd thought of using distributed computing for the first post, instead of password cracking!

  • Pointless (Score:3, Interesting)

    by Kjella ( 173770 ) on Tuesday November 03, 2009 @05:32AM (#29961588) Homepage

    Yes obviously cracking passwords scales linearly, we've known that for a long time. Oh, you could get 100 machines brute forcing instead of one, but what good is that? Either the password is crap and you crack is easily, or it's helluva complex and scaling it up 100x won't do a damn thing. In this case it looks like they just picked some random range and said "Hey, this is unfeasible on a single machine and doable on a cloud, let's do that" but they haven't produced any credible evidence it is in this range. Not unless semi-complex password possibility matches their corporate password policy or whatever.

    • Re: (Score:3, Interesting)

      by Marcika ( 1003625 )

      Yes obviously cracking passwords scales linearly, we've known that for a long time. Oh, you could get 100 machines brute forcing instead of one, but what good is that? Either the password is crap and you crack is easily, or it's helluva complex and scaling it up 100x won't do a damn thing. In this case it looks like they just picked some random range and said "Hey, this is unfeasible on a single machine and doable on a cloud, let's do that" but they haven't produced any credible evidence it is in this range. Not unless semi-complex password possibility matches their corporate password policy or whatever.

      It is significant because the lone hacker in his basement or the IT department of your unethical competitor might not have a spare server farm with 200 CPUs lying around. They show just how effortless it has become to do brute-force if you have a couple of minutes to set it up and a few spare bucks for the computing power... (And I bet that very few corporations have a password policy that mandates anything exceeding 8-char alphanumeric - which can be cracked for 45 bucks, as they show...)

      • by TheLink ( 130905 )
        It can only be cracked for 45 bucks if the attempt can be parallelized. Which is not always the case.

        For example if the password is used for logging into a server, the admins will probably notice 100 amazon machines making brute force attempts, and if it takes seconds per try, that slows things down a lot. More so if the target server "falls over" or crashes in the process ;).
        • by wisty ( 1335733 )

          Yes, but what if they recover a hash of the password? It better be well salted ...

          In reality, it wouldn't cost 45 bucks. A big botnet would do the heavy lifting, and crack millions of passwords at the same time. Ouch.

          • Re: (Score:3, Insightful)

            every hacker worth ther salt [has|knows how to download] precomputed rainbow tables for so easy things, and it does not
            • I wonder if you can dump your rainbow tables to amazons simpleDB service? If I remember correctly, bandwidth between simpleDB and their virtual servers is free..

          • Re: (Score:3, Interesting)

            by gweihir ( 88907 )

            Yes, but what if they recover a hash of the password? It better be well salted ...

            Actually salting does not help against brute-force. It only helps against dictionary attacks.

            However other things help, for example instead of running your password/phrase through a crypto-hash once, do it a million times or, say, for 100ms (store the number or iterations). This increases effort proportionally.

            Example: SHA-256 does around 100MB/sec on a single modern CPU. That is roughly 3 million hashes/sec. Doing this for 0.

            • Re: (Score:3, Informative)

              by blincoln ( 592401 )

              Actually salting does not help against brute-force. It only helps against dictionary attacks.

              It also helps against rainbow table attacks, which I believe the GP was referring to. Salting the hashes makes it much less feasible for someone to develop a rainbow table database, unless they are specifically targeting your system as opposed to every Windows instance on the planet.

            • by tepples ( 727027 )

              Example: SHA-256 does around 100MB/sec on a single modern CPU. That is roughly 3 million hashes/sec. Doing this for 0.1s gives no noticeable interactive delay

              That depends on how many users expect to be able to start a session on your server at once, especially at the start of a work day or the start of home Internet prime time.

            • How much does it cost if I distribute the SHA256 generation to free workers running the BOINC client, and having the results pushed into SimpleDB with Amazon? Much cheaper.
          • by TheLink ( 130905 )
            Normally if they can get the hash, they're in already... Cheaper ways of getting the actual password once you get to that point.

            And the machine will join the botnet too ;).
      • by Kjella ( 173770 )

        It is significant because the lone hacker in his basement or the IT department of your unethical competitor might not have a spare server farm with 200 CPUs lying around.

        No, they have a botnet with 10000...

    • Even TFA story say to cover 50% of the keyspace for a length 12 password you're looking at $1.2M in EC2 fees.

    • Either the password is crap and you crack is easily, or it's helluva complex and scaling it up 100x won't do a damn thing

      Or maybe the password is apparently complex to the average user, but actually not so much. How would you classify "Hello123" or "Hottie69" ?

      I am sure that there is plenty of money to be made with people who think that they are safe...

    • It isn't always true.

      For a long time, Windows allowed pretty long samba passwords. Except it didn't make a hash from the whole password supplied, but sequenced it into 8-char pieces which it then hashed and concatenated the hashes.

      In most cases, a 9-char password is some 96 times (number of printable characters) harder than an 8-char password, and 10-char password is 96 times harder than 9-char password and so on. In their case, a 16-char password was twice as hard as 8-char password, and a 10-char password

      • Re: (Score:3, Insightful)

        In most cases, a 9-char password is some 96 times (number of printable characters) harder than an 8-char password,

        I'd believe 30 -40, but not 96. Most people are going to use letters and a small number of punctuation, and I'd wager that testing half of that will get you 90% of the possible choices. If it's just english words, I'll go with 16 as the multiplier, just given the info content of most english.

  • They will want to be careful or else they just might get arrested. [slashdot.org]

  • In a word (Score:5, Funny)

    by LizardKing ( 5245 ) on Tuesday November 03, 2009 @05:39AM (#29961628)

    So you wanna build your own massively distributed password cracking infrastructure?

    No

  • by Frans Faase ( 648933 ) on Tuesday November 03, 2009 @05:57AM (#29961704) Homepage

    One of the adversized features of ElcomSoft Distributed Password Recovery is that all network communications between password recovery clients and the server are securely encrypted. How is that possible, I wonder.

    • Re: (Score:3, Informative)

      by slim ( 1652 )

      One of the adversized features of ElcomSoft Distributed Password Recovery is that all network communications between password recovery clients and the server are securely encrypted. How is that possible, I wonder.

      SSL would do. There's no real magic going on in that network conversation. "Try passwords 'alphabet' through to 'backgammon' and tell me when you're done".

      • But SSL is based on the same kind of encryption methods that the system is aimed at breaking. Hence the word 'secure' no longer applies.
        • Re: (Score:3, Informative)

          by Abcd1234 ( 188840 )

          Noooo... their system is built to brute-force passwords. That has basically nothing at all to do with cracking an SSL session.

          See, SSL uses asymmetric encryption to generate a large-ish session key between two parties, which can then be used in conjunction with a symmetric cipher to protect the session. So, while brute-forcing passwords is really just a matter of throwing hardware at the problem, brute-forcing an SSL session key likely requires more energy than is available in the known universe, which me

  • by Constantin ( 765902 ) on Tuesday November 03, 2009 @05:58AM (#29961714)

    First of all, the article is a very nice summary of the issues involved with setting up a cloud to crack passwords - the nuts and bolts, if you will. I liked that the authors took the time to look into the economics of trying to crack passwords, how much money it would cost vs. how long it would take. Password cracking is one example of massively scalable computing, which is presumably why the NSA allegedly has had to keep upgrading the electrical infrastructure at their headquarters. Elcomsoft certainly made a splash with their PGP-cracking software and managing to harness the power of cheap GPU cards (which are set up for parallel processing) was a bit of genius. That said, even massive horsepower runs into a brick wall once the passphrases become long and the encryption algorithm is good.

    On page 2 of the article, the authors nicely summarize the cost of cracking longer and longer passwords. Once passwords start incorporating special characters (per SPEC), the cost shoots sky high even for relatively short passwords (i.e. $10MM+ for a 9 character password, $1BN for a 10-character password, the US national debt for a 12-character password). The article so clearly lays out why the various law enforcement agencies have been focusing on being able to force folk to disclose their encryption keys. The cost of cracking a well-executed encryption scheme combined with a good password is simply too high. So, go ahead and use those special characters, upper and lowercase, etc. to make life interesting for would-be snoops. But realize that unless trends in privacy rights swing the other way, law enforcement will simply compel key disclosure, as they have for years in the UK, for example.

    Lastly, the article underscores the value of keychain-type schemes that allow many long passphrases to be stored in a accessible format. Make it easy to have long, complex passphrases and it becomes more likely that people will actually use them.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Passwords are protected in the US by the fifth amendment, for now...

      The UK is a different story, though you can always claim to have forgotten your password.

      Perhaps an interesting set up would be having 2 computers on separate power supplies running full disk encryption. Each can only boot by requesting a keyfile from the other.

      Hence you can shut one down, but when both go down, the two systems become unbootable.

      In a police seizure, they will likely disconnect both computers, and unbeknownst to them, comple

    • by dissy ( 172727 )

      Password cracking is one example of massively scalable computing, which is presumably why the NSA allegedly has had to keep upgrading the electrical infrastructure at their headquarters.

      Naa, the current state of the art is in Rainbow tables [wikipedia.org], which lets you do the brute force method once ahead of time, then reuse those generated tables to crack literally any password covered by that table in seconds.

      If your system only allows ASCII characters (255 different values per character) and lets say 256 characters max in your password, you can setup and generate a rainbow table that matches using the same hashing method.

      At that point, throwing any hash (any hash that will allow one to actually logi

      • Re: (Score:3, Informative)

        by zindorsky ( 710179 )

        Wrong. Dead wrong.
        Reason 1: Rainbow tables only work when the cryptosystem doesn't use salt (or uses it incorrectly). These days everyone uses salt. It's not a big secret.
        Reason 2: Even if salt wasn't used, Rainbow tables aren't feasible against long passwords. Rainbow tables are essentially just saving the results of one attack and using them on subsequent attacks. If the password in question is long enough, even the "one attack" (table precomputations) will never get to that password.

        So, educate yourself.

    • Comment removed based on user account deletion
    • How many CPUs are in the latest botnet? Their Elcomsoft license was limited to 100 hosts. If they had 500,000, then it would take...<insert quick, shoddy math: 122days/500000hosts*24hours*60minutes*60seconds>...about 20 seconds for their 8 character mixed up password?
  • What chore that they need to use Windows. For a brute force password guesser, most Slashdotters could write it in 10 lines of perl.

  • I have an idea : how about a self destructing key? There would be a physical USB key that would have your passphrases on it. The passphrases would be quite lengthy strings of randomly generated characters, effectively un-forcable unless there's a massive weakness in the encryption algorithm.

    The key would have a small CPU and lithium ion battery. All the components would be potted in epoxy, and you would be able to put an outer shell around the key resembling a common brand of USB stick.

    In order to use th

    • Re:Hmm (Score:5, Interesting)

      by jonwil ( 467024 ) on Tuesday November 03, 2009 @07:33AM (#29962208)

      The best solution (if you are dealing with a desktop system) is to have the pass-phrase and keys but also have a small GPS module. If the usb key is not close to where it should be (with a fairly big margin for the fact that cheap GPS modules arent exactly accurate) it would erase the pass-phrase

      If they try to force you to hand over your password (e.g. UK RIP act), you just hand it over (to the guys who seized your computer and are now trying to use it somewhere else other than the required GPS location) and boom, the data is gone forever.

      If you need to move house, just log in from the old house and reset the GPS then when you get to the new house, log in and put in the new coordinates.

      • falsifying the coordinates wouldn't be hard. serial port + null modem => fake GPS data and the password still works.
        • Re: (Score:3, Interesting)

          by jonwil ( 467024 )

          The best answer of all is "physical seganography" i.e. 802.11 NAS built into something that the cops are unlikely to seize (yet which has a legitimate need to be plugged in and doing what it does)

      • by jwdb ( 526327 )

        Unfortunately, GPS receivers don't work very well indoors...
        Or in a valley...
        Or under tree cover...
        Or in many other places where you'd still need it to work for this scheme. No signal has to equal bad signal, because otherwise it's trivial to subvert.

        I think the idea of a self destructing key is a good one, though. Maybe two sticks, both containing keys, both of which self destruct if separated by more than 10 m. Or maybe a usb key and something distinctly not-computer-related (fountain pen?), so that you c

    • It seems like every time someone comes up with a new "unbreakable security scheme" on slashdot their pitch always starts with something to the effect of "so we start with this USB key...". Such measures are more about physical security, than crypto security. All you are really saying is "good long keys are more secure", which everyone already knows.

      I might as well say, "Well if I light my computer on fire (and use longer keys) then ninjas won't be able to steal it".

  • by julesh ( 229690 ) on Tuesday November 03, 2009 @07:48AM (#29962280)

    I looked at EC2 for raw processing power earlier this year (my company needs to train a lot of neural nets) and it just isn't worth it, unless you only need the power short term. A high-performance EC2 node gives you 8 cores running at (very roughly) the equivalent of a 2GHz P4, and costs $0.68/hr == about $460 per month, which is only a little less than what an equivalent box (probably a 2.83GHz Core 2 Quad or similar) would cost you. Put power to run that box down at about $0.05 per hour and you can build your own local cluster of equivalent performance for around the same amount of money as you'll save in your first month and a half of operation.

    • by gweihir ( 88907 ) on Tuesday November 03, 2009 @08:53AM (#29962768)

      I looked at EC2 for raw processing power earlier this year (my company needs to train a lot of neural nets) and it just isn't worth it, unless you only need the power short term. A high-performance EC2 node gives you 8 cores running at (very roughly) the equivalent of a 2GHz P4, and costs $0.68/hr == about $460 per month, which is only a little less than what an equivalent box (probably a 2.83GHz Core 2 Quad or similar) would cost you. Put power to run that box down at about $0.05 per hour and you can build your own local cluster of equivalent performance for around the same amount of money as you'll save in your first month and a half of operation.

      Indeed. EC2 is rather expensive for most applications. It really only pays off if you may need a lot of power on short notice (but usually need none). The article describes one of the very few general applications. There is also the problem that even EC2 only scales so far. You would probably not get the cores to do a 12 char password in parallel. In addition, EC2 has problems like confidentiality and data transfer also costs money. And you have no control over how reliable and available the resources are.

      Having done a (small) bit of high-performance computing myself, I believe the most cost effective way is to get some bright people that do understand current computer hardware and your problem, and then have them get the hardware they think does the job best, preferably of the white box variant. I went so far to get components, because having a student assemble them got me something like 20% more cores for the same money and exactly the hardware I wanted. Never had serious issues in several years with the resulting infrastructure.

      • by Slashdot Parent ( 995749 ) on Tuesday November 03, 2009 @10:42AM (#29963988)

        EC2 is rather expensive for most applications. It really only pays off if you may need a lot of power on short notice (but usually need none). The article describes one of the very few general applications.

        I think most people don't realize just how often they need a lot (or even a little) computing power on short notice. Once you get used to that way of thinking, it's a little addictive. By way of example:

        I host one of my company's websites on Dreamhost. Am I insane? Dreamhost experiences an outage every few months or so. Incompatible with a business application, right?

        Wrong. I have an EC2 bundle with a startup script that automatically configures the instance and fails the IP address over. If my company's website is ever down for more than 2 minutes, a failover is triggered. The website on EC2 takes about 2 minutes to come up, so my maximum downtime is 5 minutes or so. That's an acceptable amount of downtime for my application, a brochureware site that displays vacant apartments and accepts rental applications (several hours, naturally, would be unacceptable).

        EC2 as a cold spare saves me money. If I had to use a reliable webhost, it would cost me, what, $50/mo? Dreamhost costs $5, and I probably use about $5-$10/yr in EC2 charges for the cost spare. Based on the above assumptions (I have no idea what a reliable webhost costs these days), EC2 saves me roughly $530/yr.

        What another example? A client of mine has a deployment process where they first deploy to a staging environment before production. Because the production environment has a clustered DB and clustered app server, their staging environment has 2 DB nodes and 2 web nodes. That's 4 machines that see roughly 50 hours of use per year. Not efficient at all.

        We considered VMware, but they didn't have the admin expertise in-house, and I forget what the license cost was, but that was an issue, too. In addition, they could not do load testing because they didn't have enough boxes to replicate the production system architecture. Enter EC2.

        Now, they spin up as many EC2 instances as they need for whatever testing scenario they need. 4 instances for application staging, and 15 for load testing, at a cost of a fraction of one of their staging boxes that sat idle 99.9% of the time.

        Like I said, the concept that you can have a virtual box whenever you need it and then throw it away when you're done is very addicting. I find it to be extremely convenient.

    • by Slashdot Parent ( 995749 ) on Tuesday November 03, 2009 @10:18AM (#29963676)

      Don't forget other cosets: cooling, system administration, datacenter space, backups, racks, switches, KVMs, UPSs, network administration, maintenance, etc.

      No question EC2 is expensive if you plan on fully-utilizing that hardware. But that's why it's called the Elastic Compute Cloud, not the Static Compute Cloud. If your computational needs are static, EC2 is most definitely the wrong tool for the job.

    • by b0bby ( 201198 )

      it just isn't worth it, unless you only need the power short term

      But as they said, they only needed it short term. It was more effective to just rent the 100 instances to get the cracking done reasonably quickly, since the client had no need for extra machines once the job was done.

    • Re: (Score:3, Interesting)

      by Peter Mork ( 951443 )
      When building your own system, you need to purchase enough hardware to cover your peak load. As a result, you have to buy more hardware than you usually need. Since I'm on the road, I don't have my paper archives accessible, but I think that average utilization tends to run at around 10%. When you use EC2, you only need to pay for peak hardware when you need the peak hardware. Thus, in our studies, EC2 tends to be cheaper for small/medium organizations (unless your workload is extremely stable). (I thi
  • But did it work (Score:2, Interesting)

    by Anonymous Coward

    FTA, they mention that Amazon didn't allow them to create more than 9 instances, so they couldn't crack the passwords in less than 122 days. (a request to get suitable amounts of computing power was made, but takes time, is not enabled by default, and wasn't available at the time of writing?)

    Dear Sir,Thank you for submitting your request to increase your Amazon EC2 limit. It is our intention to meet your needs. We will review your case and contact you within 3 - 5 business days.

An adequate bootstrap is a contradiction in terms.

Working...