New John the Ripper Cracks Passwords On FPGAs
Long-time Slashdot reader solardiz has long bring an advocate for bringing security to open environments. Wednesday he contacted Slashdot to share this update about a piece of software he's authored called John the Ripper:
John the Ripper is the oldest still evolving password cracker program (and Open Source project), first released in 1996. John the Ripper 1.9.0-jumbo-1, which has just been announced with a lengthy list of changes, is the first release to include FPGA support (in addition to CPU, GPU, and Xeon Phi). This is a long-awaited (or long-delayed) major release, encompassing 4.5 years of development and 6000+ commits by 80+ contributors. From the announcement:
"Added FPGA support for 7 hash types for ZTEX 1.15y boards [...] we support: bcrypt, descrypt (including its bigcrypt extension), sha512crypt & Drupal7, sha256crypt, md5crypt (including its Apache apr1 and AIX smd5 variations) & phpass. As far as we're aware, several of these are implemented on FPGA for the very first time. For bcrypt, our ~119k c/s at cost 5 in ~27W greatly outperforms latest high-end GPUs per board, per dollar, and per Watt. [...] We also support multi-board clusters (tested [...] for up to 16 boards, thus 64 FPGAs, [...] on a Raspberry Pi 2 host)."
Long-time (Score:4, Funny)
Long-time Slashdot reader solardiz has long bring an advocate for bringing security to open environments.
Me long bring an advocate this editing long-time!
Ob (Score:2)
I didn't hear any mentions of blockchains or AI. For that reason I'm out.
Re:Ob (Score:5, Insightful)
I like to provide serious replies to jokes, so
In terms of blockchains, new with this JtR jumbo release is support for many additional cryptocurrency-related "formats", such as wallets and more. Please check out the full announcement [openwall.com] for a list of added formats. People tend to forget their passphrases, and JtR can help recover weak and partially-forgotten ones. (But not a fully forgotten strong passphrase.)
In terms of AI, even JtR 1.0 released in 1996 was trained on real passwords and used that training to try candidate passwords in order of decreasing estimated probability. That was one aspect distinguishing it from all other password cracker programs of the time. More recent JtR releases include training based on the RockYou leak, but all of them can easily be re-trained by the user on the user's passwords cracked so far, to target further passwords more efficiently (assuming they have greater similarity than RockYou's to those already cracked, and the number of already cracked passwords is large enough to provide meaningful statistics - ideally, millions, but a few thousand also works to some extent). During our tuning of the algorithms, we've also done proper out-of-sample testing (with different training and test sets), etc. - like you would with an AI project.
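The idea in the comment above (estimate probability from a model trained on known passwords, then check it on a separate test set), seen from the defender's side as a guessability score. This is an added example, not JtR code and not JtR's algorithm: it substitutes a simple character-transition (Markov) model, and the sample lists and function names are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

START, END = "\x02", "\x03"  # markers for the beginning and end of a password

# Constructed training sample standing in for "passwords cracked so far".
TRAINING = ["password1", "password123", "passw0rd", "letmein1", "summer2019",
            "winter2019", "summer19", "welcome1", "welcome123", "dragon123"]
# Constructed held-out sample, never shown to the model during training.
HELD_OUT = ["password2019", "welcome2019", "summer123"]


def train(passwords):
    """Count character-to-character transitions over the training sample."""
    counts = defaultdict(Counter)
    for pw in passwords:
        chars = [START] + list(pw) + [END]
        for prev, cur in zip(chars, chars[1:]):
            counts[prev][cur] += 1
    return counts


def guess_bits(model, pw, alphabet_size=96):
    """Return -log2 P(pw) with add-one smoothing; lower means guessed sooner."""
    bits = 0.0
    chars = [START] + list(pw) + [END]
    for prev, cur in zip(chars, chars[1:]):
        seen = model.get(prev, Counter())
        p = (seen[cur] + 1) / (sum(seen.values()) + alphabet_size)
        bits -= math.log2(p)
    return bits


def rank(model, candidates):
    """Order candidates by decreasing estimated probability."""
    return sorted(candidates, key=lambda pw: guess_bits(model, pw))


def held_out_mean_bits(model, sample):
    """Out-of-sample check: mean score of passwords the model never saw."""
    return sum(guess_bits(model, pw) for pw in sample) / len(sample)


if __name__ == "__main__":
    model = train(TRAINING)
    for pw in rank(model, HELD_OUT + ["xQ7#vL2$pZ9k"]):
        print(f"{guess_bits(model, pw):6.1f} bits  {pw}")
```

A password policy check could reject new passwords that score below a chosen threshold against a model trained on the organisation's own previously weak passwords.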
And this is good because? (Score:1)
Re: And this is good because? (Score:1)
It also means we can test to make sure we are safe. We don't want only the bad guys to have the best tools!
Re: (Score:2)
This. If you've never tried brute forcing one of your own passwords you need to re-think your position as a nerd.
Re: (Score:2)
Almost all encryption can be brute force cracked regardless of what is used. That is not a secret. Effective encryption relies on the process taking so long that the information is useless by the time it is cracked. The best methods require end of universe amounts of time.
These programs do test whether or not those scenarios are true.
Re:And this is good because? (Score:5, Insightful)
If that bullshit is how you justify strong crypto, then you're doing it wrong.
What part of my statement "justified" strong crypto? I was describing how crypto works. Does explaining something and presenting facts trigger you?
An actual effective encryption program relies on the key cracking process taking so long that the keys have changed before they are compromised.
That's idiotic. If it takes the end of the universe to crack something like AES 256, it doesn't matter that the owner has never changed the key. The owner is probably dead and any secrets it kept, like a credit card number, are useless.
If your encryption itself is broken and you're still using it, then you're really fucking doing it wrong.
This is also idiocy. There can be flaws in encryption. It does not mean the person using it "is doing it wrong".
And don't use data expiry as some dumbass justification. Rest assured that you will be deemed useless far before the data ever is.
Again, not what I said. What I said is that you can crack something like AES 256 using brute force, and everyone in the business knows that you can. But people who understand security know a brute force attack will take many times the end of the universe given today's computers. Please learn some security basics.
Re: (Score:2)
My ideals of protecting the key and ensuring key exchange happens often enough is the concept that will also help to protect your crypto tomorrow, because you cannot ASS-U-ME that brute force attacks will always take "many times the end of the universe."
I am not assuming. That is what the math says. I suggest you read about the math behind crypto. Also I never said that it would "ALWAYS" take that time. I am saying given the computing power today and for the foreseeable future, it would take that amount of time.
People who actually understand security understand progress, and the value of thinking ahead when designing systems.
They have stronger encryption however people who design these systems also have to ensure practical encryption that can be used today. For example some smartphones have built-in AES-256 chips to handle the work. Replacing someone's current hard
Re: (Score:2)
2 sides of the same coin. You want it to take years, with say AWS power. The keys should be changed by then. Or data deleted.
Re:And this is good because? (Score:5, Interesting)
You have entirely failed to understand the core problem here.
Colin Percival on scrypt [tarsnap.com]
There's a table on page 14 if you are not equation or proof friendly.
Quad-Spartan 6 LX150 FPGA Board with USB 2.0 Microcontroller [www.ztex.de]
In other words, it's completely useless to anyone who has read Colin's paper and taken appropriate memory-intensive countermeasures, which I'm guessing from the paper's bibliography was published circa 2010.
Re: (Score:2)
Estimated cost of hardware to crack a password in 1 year
MD5, 80-char test $1.5T. First, that's just MD5. That seems extremely out of date.
Re: (Score:1)
But it does make it super-convenient for black-hats.
Yeah, on both sides of the law :-)
Still, whatever levels the playing field is a good thing.
Re: (Score:1)
johntheripper is open source cracking software
https://www.openwall.com/john/k/john-1.9.0-jumbo-1.tar.xz
Re:Versions? (Score:4, Insightful)
You're right. I know how we got stuck with this versioning scheme so far, but that's not an excuse. I hope we'll have a 2.0 soon, likely to mark the planned merging of JtR jumbo and Johnny the GUI projects into one.
advocate for bringing security to open environment (Score:1)
Re: advocate for bringing security to open environ (Score:1)
That just means you haven't thought it through far enough.
Re: (Score:3)
Others have already explained some of the value of offensive security tools for defense, but FWIW I and others on our team also contributed purely defensive tools, including for password security, and more. Please feel free to check out our website: https://www.openwall.com/ [openwall.com]
Re: (Score:3)
Theoretically. That way, anyone with an OpenCL project could claim FPGA support, but this tends not to work in practice, and would be extremely inefficient (except in terms of much lower development effort) if it worked. I am not aware of anyone having actually run hashcat on FPGA, are you? I know someone (on team hashcat) who tried and failed. JtR has also supported OpenCL for many years, but we didn't claim FPGA support until we'd introduced Verilog designs and a communication framework for specific boards, and
Re:old board (Score:5, Informative)
I agree this is a major problem. A reason why we targeted those boards (ZTEX 1.15y original and their US clones) is that most of them had been mining Bitcoin and were then resold for a fraction of the original price on eBay or such (original started at 999 EUR + VAT, resale prices were $50 to 250 EUR depending on seller and quantity) when Bitcoin went to ASIC-only mining a few years ago. We were hoping this secondary market would last longer, but unfortunately it's already hard to find those boards offered for sale. Perhaps some are still mining certain minor altcoins. I think best bet now is to ask in cryptocurrency forums where owners of those boards were previously discussing their usage.
ZTEX's series 2 boards are unfortunately "overpriced" (and are not resold for less because they were never used for mining much). They won't deliver the same, let alone better, performance per dollar as compared to the resale prices that existed for ZTEX 1.15y boards.
In the future, we might (but perhaps only if we receive funding for this) target the current altcoin mining boards of choice - VCU1525/BCU1525. They still cost a lot (about $4k each), but are really powerful and are also available on Amazon's AWS F1 instances (which are reasonably priced for occasional use). Our current introduction of FPGA support will then serve as a first step - we got to have started somewhere, and we now have these designs we could port over to newer devices (with a lot of effort, but less than starting from scratch without experience).
DIY WindsorGreen! (Score:2)
Very cool, a cluster of these is basically a homemade WindsorGreen-type brute-forcing machine!