A German security researcher who used a new kind of hosted offering on Amazon’s EC2 to decipher password data encrypted using the SHA1 algorithm said that cloud computing is likely to upset long held assumptions about security: putting the tools required to crack encrypted passwords and data into the hands of the masses.
Thomas Roth, a consultant working in security and software engineering at Lanworks AG, wrote last week about the outcome of a recent experiment in which he used a single Clsuter GPU instance, Amazon’s latest addition to its EC2 cloud service, to decipher password hash values generated using the Secure Hash Algorithm (SHA1) encryption algorithm.
Roth was able to decipher the 14 passwords in 49 minutes, paying just $2.10 for an hour of compute time using 2 NVIDIA Tesla “Fermi” M2050 GPUs.
GPUs – or Grpahics Processing Units – are processors designed to handle complex calculations used by graphics-intensive applications, such as computer games. But scientists and mathematicians have latched onto the processors and adapted them to perform more general purpose applications. Amazon’s new hosted clustered GPU offering, unveiled this month, allows developers to rent the services of the high performance, multi core processors just for specific jobs, rather than buying and deploying the same equipment themselves.
“I think that cloud-based cracking really has a future,” said Roth, who paid just $2.10 for the cluster he used to crack the SHA1 protected hashes. Renting more GPU clusters from Amazon would have cut down the time necessary to crack the passwords even further, he said.
“The great thing is that you can create a 100 node cluster of Fermi workstations with just a few clicks and without having to invest into (your) own infrastructure,” Roth wrote Threatpost. “And as you split the task of cracking a hash perfectly onto multiple instances, you can divide the time you actually need to crack the has by the number of instances you rent – without having more costs.”
Roth isn’t the first to realize the potential of cloud based resources for doing the heavy lifting necessary to break encryption. WPACracker.com is a cloud-based cracking service that can be used to break Wi-fi Protected Access (WPA) and WPA-PSK (WPA Pre-shared Key mode) protected networks.
The site offers a 400 CPU cluster that can run captured, encrypted traffic against a 135 or 284 million word WPA dictionary of passwords. The site promises to be able to crack WPA passwords in an average of just 20 minutes for a cost of $17. The service is advertised as a tool for pen testers and auditors.
SHA-1, which was developed by the NSA, has been known to be vulnerable to cracking since 2005 and scientists have been working steadily to lower the bar necessary to decipher SHA-1 encrypted values. A stronger version of the algorithm, SHA-2, is already in use. Roth said that firms who are still using SHA1 to hash their passwords have to update to PBKDF2 (Password-Based Key Derivation Function) or similar key derivation functions to avoid exposing their passwords to cracking.
But larger changes are also needed, Roth warned, as the ease, efficiency and affordability of cloud based cracking upends long-held assumptions about the economics of trying to brute force strong encryption, he said.
“It’s not only the companies who have to change the way they are working with passwords. The biggest problem is still the user: People don’t understand why they have to use complex passwords and why they have to use different passwords on each site,” he wrote Threatpost.
“I hope that the easiness of cracking that comes with the cloud helps people to overthink the way they are using their passwords.”
Image via mansikka‘s Flickr’s photostream.
