The Cloud Makes Short Work Of Strong Encryption

A German security researcher who used a new kind of hosted offering on Amazon’s EC2 to decipher password data encrypted using the SHA1 algorithm said that cloud computing is likely to upset long-held assumptions about security by putting the tools required to crack encrypted passwords and data into the hands of the masses.

Thomas Roth, a consultant working in security and software engineering at Lanworks AG, wrote last week about the outcome of a recent experiment in which he used a single Cluster GPU instance, Amazon’s latest addition to its EC2 cloud service, to decipher password hash values generated using the Secure Hash Algorithm (SHA1).
 
Roth was able to recover all 14 passwords in 49 minutes, paying just $2.10 for an hour of compute time on two NVIDIA Tesla “Fermi” M2050 GPUs.

GPUs – or Graphics Processing Units – are processors designed to handle the complex calculations used by graphics-intensive applications, such as computer games. But scientists and mathematicians have latched onto the processors and adapted them to perform more general-purpose work. Amazon’s new hosted clustered GPU offering, unveiled this month, allows developers to rent the high-performance, multi-core processors just for specific jobs, rather than buying and deploying the same equipment themselves.

“I think that cloud-based cracking really has a future,” said Roth, who paid just $2.10 for the cluster he used to crack the SHA1-protected hashes. Renting more GPU clusters from Amazon would have cut down the time necessary to crack the passwords even further, he said.

“The great thing is that you can create a 100 node cluster of Fermi workstations with just a few clicks and without having to invest into (your) own infrastructure,” Roth wrote to Threatpost. “And as you split the task of cracking a hash perfectly onto multiple instances, you can divide the time you actually need to crack the hash by the number of instances you rent – without having more costs.”

Roth isn’t the first to realize the potential of cloud-based resources for doing the heavy lifting necessary to break encryption. WPACracker.com is a cloud-based cracking service that can be used to break Wi-Fi Protected Access (WPA) and WPA-PSK (WPA Pre-shared Key mode) protected networks.

The site offers a 400 CPU cluster that can run captured, encrypted traffic against a 135 or 284 million word WPA dictionary of passwords. The site promises to be able to crack WPA passwords in an average of just 20 minutes for a cost of $17. The service is advertised as a tool for pen testers and auditors.

SHA-1, which was developed by the NSA, has been known to be vulnerable to cracking since 2005, and scientists have been working steadily to lower the bar necessary to decipher SHA-1 hash values. A stronger version of the algorithm, SHA-2, is already in use. Roth said that firms that are still using SHA1 to hash their passwords have to update to PBKDF2 (Password-Based Key Derivation Function 2) or similar key derivation functions to avoid exposing their passwords to cracking.
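The difference Roth is pointing at is a work factor: an unsalted single-pass SHA-1 lets an attacker test one candidate per hash computation against every user at once, while a salted, iterated KDF makes each guess cost thousands of hash computations and applies only to one user. The example below is added here to show that gap in measurable terms; it is not code from the article or from Roth’s experiment, and the iteration count, the `pbkdf2_sha256$...` storage format and the function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import time

# Work factor for the PBKDF2 side: a constructed value for this example, not a figure from the article.
PBKDF2_ITERATIONS = 100_000


def legacy_sha1(password: str) -> str:
    """Unsalted single-pass SHA-1, the scheme the article says firms must move away from."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus an iterated KDF; salt and cost are stored alongside the digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(hash_fn, seconds: float = 0.3) -> float:
    """Single-core rate at which one candidate can be tested; GPUs and cloud rental only scale this up."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        hash_fn(f"candidate{n}")
        n += 1
    return n / (time.perf_counter() - t0)


def slowdown_factor() -> float:
    """How many times fewer guesses per second an attacker gets against PBKDF2 than against bare SHA-1."""
    fixed_salt = b"\x00" * 16  # the salt is public once the database leaks, so it is fixed for the measurement
    fast = guesses_per_second(legacy_sha1)
    slow = guesses_per_second(lambda p: hashlib.pbkdf2_hmac("sha256", p.encode(), fixed_salt, PBKDF2_ITERATIONS))
    return fast / slow


def exhaustive_search_seconds(alphabet_size: int, length: int, rate: float, instances: int = 1) -> float:
    """Worst-case time to try every password of a given length, split evenly across rented instances."""
    return (alphabet_size ** length) / (rate * instances)
```

Running `slowdown_factor()` on a laptop typically shows the PBKDF2 side testing tens of thousands of times fewer candidates per second, and `exhaustive_search_seconds` makes Roth’s point concrete: doubling the instances halves the wall-clock time, but raising the KDF cost multiplies it for every instance at once.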

But larger changes are also needed, Roth warned, because the ease, efficiency and affordability of cloud-based cracking upend long-held assumptions about the economics of trying to brute force strong encryption.

“It’s not only the companies who have to change the way they are working with passwords. The biggest problem is still the user: People don’t understand why they have to use complex passwords and why they have to use different passwords on each site,” he wrote to Threatpost.

“I hope that the easiness of cracking that comes with the cloud helps people to overthink the way they are using their passwords.”


Discussion

  • Pedant on

    SHA1 is not an encryption algorithm. Thanks.

  • Janice Taylor-Gaines on

    GREAT article highlighting the need for everyone to have a much higher computer/data security awareness. I am wary about cloud computing, but not against it. Just recognize that whenever data or process go outside your four walls, you lose control of security: And you'd better be very, very sure someone is picking it up. Google to a (free) blog that has great security (and other) info, “The Business-Technology Weave” – catch the post, “Cloud Computing and Security: Forecast Cloudy?” Also, check a book we use at work, "I.T. WARS" (you can Google to it, a good part of it is available online at Google Books; Amazon too). It has a great Security chapter, and others that treat security, content management, policy, etc. Highly recommended. Great stuff.

  • Anonymous on

    SHA is a hash, not encryption. You can't decrypt SHA.

  • Anonymous on

    Maybe I don't get the point of this... He was able to brute force weak passwords... Is that scalable to 7, even 8 character passwords? What would SHA2 help? Wouldn't this be defeated by something like password + salt, assuming the salt is unknown? This seems like a lot of hype for something that doesn't seem like a big deal... Maybe I'm missing the bigger point though...

  • Craig Herberg on

    Indeed, it is frightening how quickly previously strong encryption and less-than-strong passwords become fair game for cybercriminals. What's terrifying, though, is the fact that many institutions don't allow special characters, and some even max out at eight characters! A truly good complex passphrase of twenty characters encrypted with current-generation encryption is well beyond the capability of today's 284 million word dictionary, and probably a challenge for any of today's arrays to randomly guess in several years!

  • Anonymous on

    A truly good complex passphrase of twenty characters... LOL! When was the last time anyone saw that?
