Your search keyword '"Rainbow table"' showing total 64 results

1. Fast Decryption of Excel Document Encrypted by RC4 Algorithm

Author

Fei Yu, Lijun Zhang, and Cheng Tan

Subjects

Password, Key generation, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, RC4, Encryption, Rainbow table, Brute-force attack, Personal computer, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), 020201 artificial intelligence & image processing, business, Algorithm

Abstract

In this paper, we give a fast decryption method of Excel document encrypted by RC4 algorithm. Through a detailed analysis of document storage structure and encryption process, we illustrate the inner principle of key generation and data encryption in the block by block manner. We present an efficient way of recovering the intermediate key by using rainbow table attack, which can be directly applied to decrypt the Excel document. The advantage of our method is that the decryption time of one document is no longer affected by the password length and complexity. In our practical test, it has achieved the decryption of Excel encrypted documents in an average of 3 minutes on a common personal computer, which greatly improves decryption efficiency of encrypted documents compared with the current dictionary and brute force attack methods of recovering document password.

Published

2020

2. An Experimental Evaluation on the Dependency between One-Way Hash Functions and Salt

Author

Urvesh Rathod, B. R. Chandavarkar, and Meghna Sonkar

Subjects

Password, Authentication, Dictionary attack, Alphanumeric, Computer science, Salt (cryptography), Hash function, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, 020204 information systems, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Cryptographic hash function, 010301 acoustics, computer

Abstract

Passwords are barriers that protect unauthorized users from accessing personal information in any application. Protecting passwords is one of the challenging tasks in today's world. Currently, a combination of Username/Password used for authentication for a large number of applications. Malicious users might try to steal/misuse the user's data for unethical purposes. To prevent passwords from stealing, developers prefer to use one-way hash functions. One-way hash functions are theoretically irreversible functions that take as an input variable size text and output fixed-sized text. In reality, hash functions are not collision-resistant. Therefore it is recommended to use passwords and randomly generated text called salt to generate hash values and prevent rainbow tables and dictionary attacks. Passwords are hashed at the client-side and sent across the public channel/network. A salt is a randomly generated alphanumeric text used to concatenate with a password to generate a random hash value. This paper demonstrates how the random generation of salt is dependent on passwords and how hash values are dependent on salt. Further, analysis of the behaviour of passwords and hash values using various tools like Wireshark, Ettercap, and Hydra are presented in the paper.

Published

2020

3. New Approach in the Rainbow Tables Method for Human-Like Passwords

Author

Georgii I. Borzunov, Konstantin Kogos, Anna Epishkina, and Mark A. Alpatskiy

Subjects

Password, Character (mathematics), Dependency (UML), Rainbow table, Computer science, Hash function, 0202 electrical engineering, electronic engineering, information engineering, Byte, 020206 networking & telecommunications, 020201 artificial intelligence & image processing, Reduction function, 02 engineering and technology, Arithmetic

Abstract

This paper represents a new approach to rainbow tables, a method of password recovery that was originally developed by Martin E. Hellman and then improved by P. Oechslin, so most of its implementations use Oechslin’s modification. An improvement represented in this work mostly lies in the reduction function, which uses character statistics to generate more "human-like" passwords. Though it generates passwords 5 to 10 times slower than reduction function, which uses direct dependency between hash bytes and the inserted characters, it significantly increases common efficiency in memory (8 to 30 times less memory needed to store these tables) and successful "human-like" passwords recovery probability, while these tables are generated by the same time as tables with the use of "random" reduction function.

Published

2020

4. Implementation of high speed rainbow table generation using Keccak hashing algorithm on GPU

Author

Keisuke Iwai, Thuong Nguyen Dat, Takashi Matsubara, and Takakazu Kurokawa

Subjects

Password, Search engine, CUDA, Rainbow table, Xeon, Computer science, Hash function, Rainbow, Thread (computing), Parallel computing, Software_PROGRAMMINGTECHNIQUES, ComputingMethodologies_COMPUTERGRAPHICS

Abstract

This paper proposes the implementation of high speed rainbow table generation using Keccak hashing algorithm with the integrated development environment CUDA for GPU in the heterogeneous GPU+CPU system. Utilizing the GPU’s powerful capacity, the algorithm greatly improves the performance of rainbow chain generation by dispatching the pre-computation of rainbow chain to each GPU thread. The table generation speed on GPU+CPU system and CPU was compared by the configuration of chain length and number of chains in this paper. In addition, the password coverage rate of table generated by the proposed reduction function was evaluated.The speed-up of pre-computation on GPU GeForce GTX 1080 outperforms that on CPU Xeon E5-1620 v4 3.5GHz by 239 times when the chain length is 200.

Published

2019

5. Cryptanalysis on the Head and Tail Technique for Hashing Passwords

Author

Ruji P. Medina, Ariel M. Sison, and Michael Angelo D. Brogada

Subjects

Password, 021110 strategic, defence & security studies, Dictionary attack, Computer science, business.industry, Hash function, 0211 other engineering and technologies, Cryptography, 02 engineering and technology, law.invention, MD5, Rainbow table, law, Lookup table, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Cryptanalysis, business, Algorithm

Abstract

Researchers and experts had developed numerous hash-based password authentication schemes. Inappropriately, most of them are susceptible to different attacks. This study centers on the process of performing cryptanalysis on the developed Head and Tail (HT) technique for hashing passwords. The research tested the HT technique in terms of its capacity to resist a dictionary attack, rainbow tables attack, and brute-force attack. To test the strength of the HT technique, HashCat, John the Ripper, RainbowCrack, and online cracking systems from crackstation.net and hashkiller.co.uk were used as tools for cracking. After the experiment, the result shows that the cracking tools failed to crack the HT technique. Further tests showed that generating a password-hash value pair or lookup table for MD5-HT and SHA1-HT is 16 times slower than standard MD5 and SHA1. Thus, the Head and Tail (HT) technique is a secured method for hashing passwords.

Published

2019

6. Modern Network Security Practices: Using Rainbow Tables to Solve Organizational Issues

Author

Christopher McMahon and Xiaowen Zhang

Subjects

Password, Rainbow table, Network security, business.industry, Computer science, Process (engineering), Hash function, Reduction function, Study analysis, business, Computer security, computer.software_genre, computer

Abstract

The purpose of this case study analysis is to examine a non-traditional method of identifying weak passwords within a large hospital organization. The process of using rainbow tables to crack passwords/ensure password compliance is discussed and specific examples are provided within this paper. This process emphasizes the notion that network security-related problems tend to be organization-specific and require creative approaches. The goal is to establish a practical use for rainbow tables within an organization as a means of enhancing network security.

Published

2018

7. Pristine PixCaptcha as Graphical Password for Secure eBanking Using Gaussian Elimination and Cleaves Algorithm

Author

K. Sathva and P. L. Chithra

Subjects

Password, Authentication, Dictionary attack, business.industry, Computer science, 05 social sciences, Password cracking, 020207 software engineering, 02 engineering and technology, Encryption, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, symbols.namesake, Rainbow table, Gaussian elimination, Strong cryptography, 0202 electrical engineering, electronic engineering, information engineering, symbols, 0501 psychology and cognitive sciences, business, Algorithm, 050107 human factors

Abstract

PixCaptcha as graphical password is done by cropping the image from the selected image according to the hints and paste it in the appropriate place. Even though the graphical passwords are the best replacement to overcome the limitations of the alpha numeric passwords, the encrypted graphical password's database is cracked by the hacker with the Rainbow table attack. Rainbow tables make password cracking much faster than earlier methods, such as brute-force cracking and dictionary attacks. Here a strong encryption algorithm is applied before storing the password in the database. Gaussian Elimination Technique is applied and Cleaves encryption is a new encryption scheme that provides strong resilience against Rainbow table attacks. This paper is presented with implementation of PixCaptcha as Graphical password, Gaussian Elimination Technique and Cleaves encryption algorithm which is applied to useful real-world scenario such as password protection. Further, it facilitates the high security by increasing the complexity of password guessing and cracking attacks.

Published

2018

8. Analysis on the Security and Use of Password Managers

Author

Khai Hirschi, Jyh-haw Yeh, Carlos Luevanos, and John Elizarraras

Subjects

Password, Password policy, business.industry, Computer science, Internet privacy, Computer security, computer.software_genre, Encryption, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Software, Rainbow table, Server, NIST, Meaning (existential), business, computer

Abstract

Cybersecurity has become one of the largest growing fields in computer science and the technology industry. Faulty security has cost the global economy immense losses. Oftentimes, the pitfall in such financial loss is due to the security of passwords. Companies and regular people alike do not do enough to enforce strict password guidelines like the NIST (National Institute of Standard Technology) recommends. When big security breaches happen, thousands to millions of passwords can be exposed and stored into files, meaning people are susceptible to dictionary and rainbow table attacks. Those are only two examples of attacks that are used to crack passwords. In this paper, we will be going over three open-source password managers, each chosen for their own uniqueness. Our results will conclude on the overall security of each password manager using a list of established attacks and development of new potential attacks on such software. Additionally, we will compare our research with the limited research already conducted on password managers. Finally, we will provide some general guidelines of how to develop a better and more secure password manager.

Published

2017

9. The Fuzzy Scheduling Algorithm for the Parallel Key Searching Problem on Cloud Environment

Author

Pimsiri Tubthong and Vasin Suttichaya

Subjects

Job shop scheduling, Computer science, Node (networking), 020206 networking & telecommunications, Multiprocessing, Plaintext, 02 engineering and technology, Rainbow table, CloudSim, Lookup table, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), 020201 artificial intelligence & image processing, Algorithm

Abstract

Rainbow table is the well-known cryptanalytic method for searching the encryption key or the plaintext. The user can precompute several lookup tables in order to increase the success probability. These tables can be distributed to multiprocessor or parallel machines for decreasing the makespan. Searching problem using the Rainbow table differs from the others traditional problem. The problem can only be solved on some node. However, if the problem can't be solved on current node, it must be re-executed on the other node. Thus, using FCFS algorithm is not the proper solution. We proposed the fuzzy scheduling for the parallel key searching problem, using Rainbow table. The algorithm is implemented and evaluated by Cloudsim. The result shows the proposed method reduces the makespan from the traditional FCFS.

Published

2017

10. Optimized Password Recovery for SHA-512 on GPUs

Author

Zheng Huang, Lingzhi Xu, Gong Zheng, Weidong Qiu, Jie Guo, Guozhen Liu, and Can Ge

Subjects

Password, Computer science, Hash function, 020207 software engineering, 02 engineering and technology, Parallel computing, Password strength, MD4, MD5, Rainbow table, SHA-2, 0202 electrical engineering, electronic engineering, information engineering, Cryptographic hash function, Double hashing

Abstract

One-way hash algorithms, including MD4, MD5 and SHA family, have been widely used in password protection. Focusing on brute force password recovery for one-way hash algorithm, the amount of computation depends on the complexity of the algorithm. This paper introduces an optimized brute force password recovery implementation for SHA-512 on GPU. By using several optimization methods, the performance reaches 1055M hash/second on double AMD R9 290 GPUs. Compared with Hashcat, our implementation is about 11% faster.

Published

2017

11. SPHINX: A Password Store that Perfectly Hides Passwords from Itself

Author

Maliheh Shirvanian, Stanislaw Jareckiy, Nitesh Saxena, and Hugo Krawczykz

Subjects

Zero-knowledge password proof, Dictionary attack, Salt (cryptography), Computer science, computer.internet_protocol, 0211 other engineering and technologies, Cryptography, 02 engineering and technology, Password management, Encryption, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, World Wide Web, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Syskey, Password psychology, AKA, Password, 021110 strategic, defence & security studies, Password policy, Authentication, Cognitive password, business.industry, Password cracking, Plaintext, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, 020201 artificial intelligence & image processing, HMAC-based One-time Password Algorithm, business, computer

Abstract

Password managers (aka stores or vaults) allow a user to store and retrieve (usually high-entropy) passwords for her multiple password-protected services by interacting with a "device" serving the role of the manager (e.g., a smartphone or an online third-party service) on the basis of a single memorable (low-entropy) master password. Existing password managers work well to defeat offline dictionary attacks upon web service compromise, assuming the use of high-entropy passwords is enforced. However, they are vulnerable to leakage of all passwords in the event the device is compromised, due to the need to store the passwords encrypted under the master password and/or the need to input the master password to the device (as in smartphone managers). Evidence exists that password managers can be attractive attack targets. In this paper, we introduce a novel approach to password management, called SPHINX, which remains secure even when the password manager itself has been compromised. In SPHINX, the information stored on the device is information theoretically independent of the user's master password - an attacker breaking into the device learns no information about the master password or the user's site-specific passwords. Moreover, an attacker with full control of the device, even at the time the user interacts with it, learns nothing about the master password - the password is not entered into the device in plaintext form or in any other way that may leak information on it. Unlike existing managers, SPHINX produces strictly high-entropy passwords and makes it compulsory for the users to register these randomized passwords with the web services, hence fully defeating offline dictionary attack upon service compromise. The design and security of SPHINX is based on the device-enhanced PAKE model of Jarecki et al. that provides the theoretical basis for this construction and is backed by rigorous cryptographic proofs of security. While SPHINX is suitable for different device and online platforms, in this paper, we report on its concrete instantiation on smartphones given their popularity and trustworthiness as password managers (or even two-factor authentication). We present the design, implementation and performance evaluation of SPHINX, offering prototype browser plugins, smartphone apps and transparent device-client communication. Based on our inspection analysis, the overall user experience of SPHINX improves upon current managers. We also report on a lab-based usability study of SPHINX, which indicates that users' perception of SPHINX security and usability is high and satisfactory when compared to regular password-based authentication. Finally, we discuss how SPHINX may be extended to an online service for the purpose of back-up or as an independent password manager.

Published

2017

12. Statistical Optimal Hash-Based Longest Prefix Match

Author

Yi Wang, Bin Liu, Hao Wu, Kai Lei, Zhuyun Qi, and Huichen Dai

Subjects

Primary clustering, Computer science, Hash function, 020206 networking & telecommunications, 02 engineering and technology, Parallel computing, Rolling hash, Rainbow table, Hash list, Lookup table, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Perfect hash function, Double hashing

Abstract

Longest Prefix Match (LPM) is a basic and important function for current network devices. Hash-based approaches appear to be excellent candidate solutions for LPM with the capability of fast lookup speed and low latency. The number of hash table probes, i.e. the search path of a hash-based LPM algorithm, directly determines the lookup performance. In this paper, we propose Ω-LPM to improve the lookup performance by optimizing the search path of the hash-based LPM. Ω-LPM first reconstructs the forwarding table to support random search [19], then it applies a dynamic programming algorithm to find the shortest search path based on the statistics of the matching probabilities. Ω-LPM concretely reduces the number of hash table probes via searching most of the packets in optimal search paths. Even in the worst case, the upper bound of the average search path of Ω-LPM is 1 + log2(N), here N is the length of the longest prefix in the routing table. The case studies of the name lookup in Named Data Networking and the IP lookup in current Internet demonstrate that Ω-LPM can shorten 61.04% and 86.88% search paths compared with the basic hash-based methods of name lookup [22] and IP lookup [12], respectively, furthermore Ω-LPM reduces 32.3% probes of the name lookup and 73.55% probes of the IP lookup compared with the optimal linear search. The experimental results conducted on extensional name tables and IP tables also show that Ω-LPM has both low memory overhead and excellent scalability.

Published

2017

13. DePass: A secure hash-based authentication scheme

Author

Abdeslam El Fergougui, Abdelbaki Elbelrhiti Elalaoui, and Kamal Benzekki

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Computer science, Salt (cryptography), Hash chain, Cryptographic hash function, Computer security, computer.software_genre, computer, One-time password, Password strength, S/KEY

Abstract

Username/Password combination is currently the most commonly deployed authentication method for a large number of applications. The databases of stored credentials are a high-profile target for malicious attackers who are performing advanced attacks to break into servers for stealing and cracking password hashes. Consequently, relying on the classical authentication scheme may not be usually an effective way to protect users' accounts in the event of a security breach. In this article, we propose a novel secure authentication scheme named DePass to thwart dictionary, brute force and rainbow-table attacks that aim at inverting password hashes. Our scheme provides a novel way of hashing by segmenting and mixing a SHA-2 password hash with a random SHA-2 hash to produce a single apparent hash with delimiters. The apparent hash is stored in the server while the delimiters are sent to the user upon a registration phase. DePass authentication scheme is well-tailored to both user comfort and password security requirements.

Published

2017

14. A collision-mitigation hashing scheme utilizing empty slots of cuckoo hash table

Author

Jeong-dong Ryoo, JungBok Lee, and ChoongHee Cho

Subjects

Computer science, business.industry, Distributed computing, Dynamic perfect hashing, Hash function, 020206 networking & telecommunications, 02 engineering and technology, Linear hashing, 2-choice hashing, Hash table, Hopscotch hashing, Cuckoo hashing, Open addressing, Rainbow table, Lookup table, 0202 electrical engineering, electronic engineering, information engineering, business, Double hashing, Computer network

Abstract

In SDN and NFV technologies, performance of a virtual switch is important to provide network functionalities swiftly. Since the lookup operation of the virtual switch has been considered a major bottleneck of performance, we need to devise an efficient way to reduce the lookup time. To improve the lookup speed, previous research has suggested a compact lookup table in a fast memory, but the issue of collision in a hash table has not been addressed well enough. This paper proposes a new scheme that mitigates collisions by utilizing empty slots of the hash table. We propose to insert a new element that may collide to an empty slot instead of linking it with a pointer. According to an evaluation on our experiments, about 20% of elements that could have experienced collisions in the conventional scheme are inserted into empty slots in each bucket. Moreover, the access time of collided elements has halved by avoiding unnecessary memory accesses.

Published

2017

15. Enhanced password processing scheme based on visual cryptography and OCR

Author

Kijoon Chae, Dana Yang, and Inshil Doh

Subjects

Zero-knowledge password proof, Salt (cryptography), Computer science, Hash function, Crypt, 0211 other engineering and technologies, Cryptography, 02 engineering and technology, Encryption, computer.software_genre, One-time password, Visual cryptography, S/KEY, Password strength, Key stretching, Cryptographic hash function, Key derivation function, Hacker, Password, 021110 strategic, defence & security studies, Authentication, Cognitive password, business.industry, 05 social sciences, Pass the hash, Password cracking, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Operating system, Hash chain, 0509 other social sciences, 050904 information & library sciences, business, computer, Computer network

Abstract

Traditional password conversion scheme for user authentication is to transform the passwords into hash values. These hash-based password schemes are comparatively simple and fast because those are based on text and famed cryptography. However, those can be exposed to cyber-attacks utilizing password by cracking tool or hash-cracking online sites. Attackers can thoroughly figure out an original password from hash value when that is relatively simple and plain. As a result, many hacking accidents have been happened predominantly in systems adopting those hash-based schemes. In this work, we suggest enhanced password processing scheme based on image using visual cryptography (VC). Different from the traditional scheme based on hash and text, our scheme transforms a user ID of text type to two images encrypted by VC. The user should make two images consisted of subpixels by random function with SEED which includes personal information. The server only has user's ID and one of the images instead of password. When the user logs in and sends another image, the server can extract ID by utilizing OCR (Optical Character Recognition). As a result, it can authenticate user by comparing extracted ID with the saved one. Our proposal has lower computation, prevents cyber-attack aimed at hash-cracking, and supports authentication not to expose personal information such as ID to attackers.

Published

2017

16. Deterministic and Efficient Hash Table Lookup Using Discriminated Vectors

Author

Zheng Du, Junmao Li, and Dagang Li

Subjects

Primary clustering, Computer science, Hash function, Hash buster, 02 engineering and technology, Parallel computing, Linear hashing, Rolling hash, Pearson hashing, 0202 electrical engineering, electronic engineering, information engineering, Cryptographic hash function, HAT-trie, Dynamic perfect hashing, 020206 networking & telecommunications, Bloom filter, Hash table, Hash tree, Cuckoo hashing, Coalesced hashing, Rainbow table, Hash list, Lookup table, Hash chain, 020201 artificial intelligence & image processing, Hash filter, Perfect hash function, Double hashing

Abstract

Hash table is used in many areas of networking such as route lookup, packet classification, per-flow state management and network monitoring for its constant access time latency at moderate loads. However, collisions may become frequent at high loads in traditional hash tables, which may lead the access time complexity to be linear and intolerable to applications like high-speed route lookups. While some schemes were proposed to help resolve this problem and most of them may achieve O(1) average memory access per lookup, very few of them are able to cut down the access to a deterministic single one. In this paper, we design a structure called deterministic and efficient hash table (DEHT). In DEHT, a novel data structure on on-chip memory is built, with the help of which the off-chip memory access can be decreased to a single one at most per lookup even when the load of the hash table is very high. What's more, the on-chip data structure also plays a similar role as Bloom Filter to do membership screening, which can avoid most lookups of nonexistent items of the hash table visiting the off-chip memory. Through theoretical analysis and simulations, we show that our scheme is faster than other schemes in lookup operations; the usable load of the off-chip hash table, the memory efficiency and the false positive rate of the on-chip data structure are also favorable.

Published

2016

17. Decryption of Frequent Password Hashes in Rainbow Tables

Author

Noboru Kunihiro and Hwei-Ming Ying

Subjects

Password, 021110 strategic, defence & security studies, Theoretical computer science, Computer science, business.industry, Open problem, Hash function, 0211 other engineering and technologies, Probabilistic logic, Plaintext, 0102 computer and information sciences, 02 engineering and technology, One-way function, Encryption, 01 natural sciences, Rainbow table, 010201 computation theory & mathematics, business

Abstract

Time-memory trade-off methods provide means to invert one way functions. Such attacks offer a flexible trade-off between running time and memory cost in accordance to users' computational resources. In particular, they can be applied to hash values of passwords in order to recover the plaintext. They were introduced by Martin Hellman and later improved by Philippe Oechslin with the introduction of rainbow tables. The drawbacks of rainbow tables are that they do not always guarantee a successful inversion. We address this issue in this paper. In the context of passwords, it is pertinent that frequently used passwords are incorporated in the rainbow table. It has been known that up to 4 given passwords can be incorporated into a chain but it is an open problem if more than 4 passwords can be achieved. We solve this problem by showing that it is possible to incorporate more of such passwords along a chain. Furthermore, we prove that this results in faster recovery of such passwords during the online running phase as opposed to assigning them at the beginning of the chains. For large chain lengths, the average improvement translates to 3 times the speed increase during the online recovery time.

Published

2016

18. A Method for Cracking the Password of WPA2-PSK Based on SA and HMM

Author

Lianhai Wang, Liang Ge, and Lijuan Xu

Subjects

Password, Dictionary attack, Theoretical computer science, Computer science, business.industry, Password cracking, Markov process, 020207 software engineering, 02 engineering and technology, Markov model, Encryption, symbols.namesake, Rainbow table, 0202 electrical engineering, electronic engineering, information engineering, symbols, 020201 artificial intelligence & image processing, Hidden Markov model, business, Algorithm, Computer Science::Cryptography and Security

Abstract

Password recovery of WPA2-PSK is an important problem in digital forensics. Since the encryption mechanism of WPA-PSK is gradually enhanced, it is difficult to deal with this problem by the traditional methods such as brute force, rainbow table, Markov model, and so on. In this paper, we give a new method based on simulated annealing (SA) and hidden markov model (HMM). The main principle of this method is to create the hidden markov model of the known password based on the SA which could be used to generate the password candidates in the wireless network password recovery. It means that the passwords are given by a probability learning of the known password. The tests have shown that this approach could improve the effectiveness of password recovery for the wireless network, comparing with the Markov model which has been shown much more efficiently than the traditional methods such as brute force and dictionary attack.

Published

2016

19. STUMP - STalling offline password attacks Using pre-hash ManiPulations

Author

Robert Tarlecki, Anthony Nguyen, and Avinash Srinivasan

Subjects

Password, Authentication, Dictionary attack, business.industry, Computer science, Salt (cryptography), Hash function, Password cracking, Parallel computing, One-time password, S/KEY, Password strength, Brute-force attack, Rainbow table, Embedded system, Key stretching, business

Abstract

Offline password cracking has seen significant advances in recent years. This is mainly due to a dramatic increase in accessible computational speeds and the increased exploitation of GPUs for parallel processing. Cheaper and faster hardware, combined with new techniques, have allowed inexpensive GPUs to crack passwords at rates which only supercomputers could achieve previously. One inexpensive mitigation technique that we have uncovered is built on the core idea of pre-hash password manipulations. Our technique is named STUMP. Through rigorous empirical analysis, we demonstrate that STUMP can prevent offline parallel attacks m including pre-computed attacks utilizing rainbow tables m from cracking 99.718% of passwords that are

Published

2015

20. Improved GPU Implementation of RainbowCrack

Author

Yuki Tabata, Keisuke Iwai, Hidema Tanaka, and Takakazu Kurokawa

Subjects

Password, Rainbow table, business.industry, Computer science, Precomputation, Hash function, Password cracking, Sorting, Table (database), Cryptography, ComputingMethodologies_GENERAL, Parallel computing, business

Abstract

Rainbow table is one of the techniques to crack passwords from hash values by precomputation table. However, password cracking takes much time in the case of long password. Accelerators such as GPGPUs will reduce time spent on cracking for long passwords. Rainbow Crack is a password cracking software program which implements rainbow table. Rainbow Crack uses reduction function, table compression and GPU implementation. This paper proposes a new reduction function, a table compression technique and their GPU implementation on GeForce GTX 670. As a result, it becomes 17.6% faster than RainbowCrack, and memory size of precomputation table can be decreased by 23.0%.

Published

2015

21. Dynamic Salt Generating Scheme Using Seeds Warehouse Table Coordinates

Author

Jieling Zhang and Sirapat Boonkrong

Subjects

Password, Dictionary attack, Computer science, business.industry, Usability, Computer security, computer.software_genre, Encryption, S/KEY, Rainbow table, Amortizing loan, Challenge–response authentication, business, computer

Abstract

The expectancy in authentications that trump vagaries of cracking techniques have surfaced two blurred lines. One lays between low-entropy password adoption and commensurate encryption competence. The other is interposed between anonymizing authentication requisites and providing cookbooks for adversaries. The cutting-edge technologies are tailored to gain an edge, which nevertheless get bogged down in striking a balance, sometimes leading users astray. The bullish assumptions are being replaced by bearish ones. In need of compensating for the inadequacies, this paper puts forth a novel dynamic salt generating scheme of great expansibility, future adoptability, and easy usability, at the same time, guarantees appreciable improvements on the aggregate security level of password storage. Contrary to the conventional means, this scheme subtly generates salt values in the course of each authentication rather than retaining a storage. The whole scheme gets further enhanced by resonating with the innovative Seeds Warehouse Table. Apart from preserving the advantages while amortizing no extra cost across users, it is comparatively preferable owing to the provable boost in resistance to both hash collision and dictionary attacks.

Published

2015

22. Differential Power Analysis on Dynamic Password Token Based on SM3 Algorithm, and Countermeasures

Author

Peng Luo, Guo Limin, Wang Lihui, Yu Jun, and Qing Li

Subjects

Password, Authentication, Salt (cryptography), Computer science, Hash function, Security token, One-time password, S/KEY, Password strength, Power analysis, Suzuki-Kasami algorithm, Rainbow table, Cryptographic hash function, Hash chain, Side channel attack, Algorithm

Abstract

Dynamic password technology is widely utilized for identity authentication, which depends on using hash functions, such as SM3. And SM3 hash algorithm is based on the mixing of different group operations, such as XOR and addition modulo 232. In this paper, we present two original first-order differential power analysis attacks on dynamic password token based on SM3 algorithm. The two proposed DPA attacks are against XOR and addition modulo 232 operation respectively. Experimental results show that dynamic password token based on SM3 algorithm is vulnerable to side channel attacks, no matter implemented in software or hardware. We also provide a masked implementation of the algorithm, which is designed to avoid those proposed attacks.

Published

2015

23. Enhanced Virtual Password Authentication Scheme Resistant to Shoulder Surfing

Author

P. W. C. Prasad, Abeer Alsadoon, Biswas Gurung, and Amr Elchouemi

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, Salt (cryptography), computer.internet_protocol, Computer science, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Shoulder surfing, Key stretching, Syskey, Key derivation function, Password authentication protocol, Password psychology, Password, Authentication, Password policy, Cognitive password, Password cracking, Multi-factor authentication, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer

Abstract

A username and password based login mechanism is commonly used for authenticating a user in online environments. It is a popular scheme because it helps to balance the usability and security traits of the system. However, online environments and pervasive computing may bring many risks through adversaries. Shoulder-surfing attack is one of the risks where attacker observes the authentication process and captures the password of victims. This paper proposes a hybrid-based authentication scheme termed "Enhanced Virtual Password Authentication (EVPA)". EVPA is designed to implement a virtual password mechanism to resist the shoulder surfing attacks. The virtual password mechanism requires a string part of password and a mathematical functional value to secure user passwords. The mathematical functional value keeps changing for each login session. This method uses a system generated random value and secret mathematical operation against the pre-selected secret number to obtain a mathematical functional value. Several experiments were conducted and the results demonstrate that systems are resilient to password attacks and usable for day to day purposes.

Published

2015

24. An Overview of Study of Passowrd Cracking

Author

Fei Yu and Yulei Huang

Subjects

Authentication, Computer science, Password cracking, Markov process, Supercomputer, Markov model, computer.software_genre, Password strength, Reliability engineering, Cracking, symbols.namesake, Rainbow table, symbols, Operating system, ComputingMethodologies_GENERAL, computer

Abstract

This paper studies the current status and advance of study of password cracking. First, we give a classification for password cracking from different dimensions. We studies brute-force cracking, dictionary cracking and rainbow table cracking. We found some new techniques such as brute-force cracking based on probability method, Markov models and data mining. High performance computing in password cracking is also studied, we found that more and more password cracking system using GPU platform or FPGA platform. We indicate that the password cracking techniques will develop with the growth of computing technology. The integration of various methods will increase the speed and success probability of password cracking.

Published

2015

25. A Blocked Rainbow Table Time-Memory Trade-Off Method

Author

Hongwei Lu, Xiaoheng Zhu, and Zaobin Gan

Subjects

Password, Rainbow table, Computer science, law, Hash function, Password cracking, Rainbow, Parallel computing, Cryptanalysis, Algorithm, Merge (version control), law.invention

Abstract

The rainbow table algorithm has been widely applied to password recovery. However, it faces the issue of too much time or space consumption. Thus in this paper, a blocked rainbow table time-memory trade-off (BRT3) is proposed along with practical implementations. In the new method, the position of each starting point is stored instead of the starting point to reduce the storage consumption. Multiple rainbow blocks are used to reduce the merge probability of chains and improve the success rate of password cracking. A blocked memory structure is adopted to reduce the cryptanalysis time. We also analyze the existing time-memory trade-off methods and carry out comparison experiments to evaluate the performance. The experimental results show that the cryptanalysis time of the BRT3 method is no more than 2 minutes when cracking 200 MS-Windows LM password hashes on a general desktop machine with 2GB memory. What's more, the BRT3 method can also achieve up to a 50% reduction in the storage requirement and acquire an 11% increase in the success rate.

Published

2015

26. A review towards enhancing authentication scheme using Image Fusion and multishared Cryptography

Author

A.S. Alvi and V.B. Gadicha

Subjects

Zero-knowledge password proof, Software_OPERATINGSYSTEMS, computer.internet_protocol, Salt (cryptography), Computer science, Cryptography, Shared secret, Computer security, computer.software_genre, One-time password, PBKDF2, Password strength, S/KEY, Key stretching, Syskey, Key derivation function, Password psychology, Password, Password policy, Authentication, Cognitive password, business.industry, Password cracking, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Key (cryptography), HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

Passwords are used for user authentication, validation, and verification in various software applications (may be Commercial, or Research based). All the existing schemes which are used to generate the password will always provide enough scope for the Intruder (Cracker) to crack or guess the password. All the existing schemes of password generation works on a basic assumption that the resultant password should be easy to remember for a user. This ultimately brings the downfall of the scheme. Therefore, a Password Generator Scheme is proposed here which will restrict the Intruders to crack the password or a scheme should exist which will cause sufficient delay in cracking of a password so that the Generator of the password will change the previous password. Here a strong password generator scheme is proposed by using Image Fusion & Visual key Cryptography.

Published

2015

27. An efficient implementation of PBKDF2 with RIPEMD-160 on multiple FPGAs

Author

Rian Voss, Lars Wienbrandt, Manfred Schimmler, and Ayman Abbas

Subjects

Password, Dictionary attack, business.industry, Computer science, RIPEMD, Hash function, Cryptography, Parallel computing, Encryption, Hash-based message authentication code, PBKDF2, Disk encryption theory, Rainbow table, Hash chain, Key derivation function, business

Abstract

A weakness of many security systems is the strength of the chosen password or key derivation function. We show how FPGA technology can be used to effectively attack cryptographic applications with a password dictionary. We have implemented two independent PBKDF2 cores each using four HMAC cores with pipelines calculating a RIPEMD-160 hash to derive encryption keys together with one resource optimized AES-256 XTS core for direct decryption on a Xilinx Spartan6-LX150 FPGA. Our design targets TRUECRYPT containers, but may be applied to similar encryption tools with little adaption. In order to save resources and maximize speed, we have further optimized the RIPEMD-160 hash function for this purpose. Our design executed on the multi-FPGA system RIVYERA S6-LX150 containing 128 S6-LX150 FPGAs, finally reaches a peak performance of about 245,000 passwords per second.

Published

2014

28. High-speed implementation of bcrypt password search using special-purpose hardware

Author

Friedrich Wiemer and Ralf Zimmermann

Subjects

Password, Computer science, business.industry, scrypt, computer.software_genre, One-time password, PBKDF2, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Embedded system, Server, Operating system, business, computer

Abstract

Using passwords for user authentication is still the most common method for many internet services and attacks on the password databases pose a severe threat. To reduce this risk, servers store password hashes, which were generated using special password-hashing functions, to slow down guessing attacks. The most frequently used functions of this type are PBKDF2, bcrypt and scrypt. In this paper, we present a novel, flexible, high-speed implementation of a bcrypt password search system on a low-power Xilinx Zynq 7020 FPGA. The design consists of 40 parallel bcrypt cores running at 100 MHz. Our implementation outperforms all currently available implementations and improves password attacks on the same platform by at least 42%, computing 6,511 passwords per second for a cost parameter of 5.

Published

2014

29. Rainbow table TMTO attack optimization considering online sequential search time

Author

Mohammad Moeini Jahromi, Mohammad Hadi, and Hamid Reza Rezaiy

Subjects

Memory management, Rainbow table, business.industry, Computer science, Online search, Cryptography, Sample (statistics), Minification, Focus (optics), business, Algorithm, Selection (genetic algorithm)

Abstract

In this paper, we propose an optimized parameter selection procedure for rainbow table Time Memory Trade-Off (TMTO) attack with sequential online search. Unlike previous works that mainly deal with minimizing required memory in the rainbow table TMTO attack we simultaneously focus on the required memory and online search time. Our parameter selection technique is optimized regarding the minimization of the required memory subject to a certain success probability and a maximum online search time. Obtained results are two compact mathematical expressions for determining rainbow table TMTO attack parameters, number and length of chains. The application of our optimized parameter selection procedure is also shown in a sample example.

Published

2014

30. Security analysis of mobile QQ

Author

Xinyu Zhao, Qingbing Ji, Fei Yu, and Lijun Zhang

Subjects

Password, Security analysis, business.industry, Computer science, Mobile computing, Information security, Encryption, Computer security, computer.software_genre, One-time password, Rainbow table, business, Communications protocol, computer

Abstract

Mobile QQ is the smartphone version of the most popular IM software QQ in China. This paper studies the encipher system and communication protocol of mobile QQ and analyzes its security flaws. We found some security risks of mobile QQ and some of which are fatal especially in a weak wireless environment: Any attacker who could access the communication channel could easily recover the encrypted message packet during the communication without the knowledge of the user's password; the user's password is vulnerable by brute-force attack or rainbow table attack in the protocol; the complicated encryp tion mode of TEA used in mobile QQ could be bypassed. Keywords-mobile QQ; information security; privacy

Published

2014

31. HMAC based one tıme password generator

Author

A. Bedri Ozer and Selman Yakut

Subjects

Zero-knowledge password proof, Theoretical computer science, computer.internet_protocol, Computer science, Hash function, Cryptography, One-time password, Password strength, PBKDF2, S/KEY, SHA-2, SAFER, Cryptographic hash function, Message authentication code, Key derivation function, Password, Secure Hash Algorithm, Authentication, business.industry, Pass the hash, Hash-based message authentication code, Rainbow table, Hash chain, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

One Time Password which is fixed length strings to perform authentication in electronic media is used as a one-time. In this paper, One Time Password production methods which based on hash functions were investigated. Keccak digest algorithm was used for the production of One Time Password. This algorithm has been selected as the latest standards for hash algorithm in October 2012 by National Instute of Standards and Technology. This algorithm is preferred because it is faster and safer than the others. One Time Password production methods based on hash functions is called Hashing-Based Message Authentication Code structure. In these structures, the key value is using with the hash function to generate the Hashing-Based Message Authentication Code value. Produced One Time Password value is based on the This value. In this application, the length of the value One Time Password was the eight characters to be useful in practice.

Published

2014

32. Enhace the security of password by fuzzy controller

Author

Hussein Soltani, Madihe Sadat Yazdani, and Seyed Hasan Mortazavi Zarch

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Zero-knowledge password proof, Theoretical computer science, Rainbow table, Computer science, Salt (cryptography), Key derivation function, One-time password, S/KEY, Password strength

Abstract

In this paper we use fuzzy controller for enhancing the security of password. In our results, also we use fuzzy controller for preventing of dictionary attack. In this attack when eavesdropping want to find one password, regardless of the user ID, if the password is 6 digits, before eavesdropping want to creates a list of 6 digit number (000000 to 999999) and then apply the hash function to every number, it must pass from fuzzy controller because digits or data should convert to fuzzy data and eavesdropping cannot create a list of six digits (depending on the password length) and cannot apply the hash function to every number and also is not able to convert fuzzy data to digits or real data. The result of this procedure is raising password security.

Published

2014

33. Access LUT without CAM - Improved Pearson hashing for collision reduction

Author

Chung-Ping Hung and Paul S. Min

Subjects

Computer science, Dynamic perfect hashing, Hash function, Parallel computing, Linear hashing, 2-choice hashing, Hash table, Hopscotch hashing, Cuckoo hashing, Open addressing, Content addressable network, Pearson hashing, Rainbow table, Lookup table, Arithmetic

Abstract

While lookup table (LUT) is widely used in virtually every kind of computing devices, to achieve low access latency with low cost is always challenging. Although Content-Addressable Memory (CAM) can be used to implement LUT, it is not very cost-effective to add such an expensive device dedicated for LUT in most cases. On the other hand, using hash functions to implement LUT, which can achieve O(1) fast lookup in most cases without special hardware, is more preferable. The performance of a hash table based LUT depends on the collision rate. In this paper, we propose a hash function based on Pearson hashing which can effectively reduce the collision rate and thus improve the performance of LUT by adding a dynamically generated permutation table. We demonstrate the LUT performance can be significantly improved from very low additional cost.

Published

2013

34. Usage of botnets for high speed MD5 hash cracking

Author

Jega Anish Dev

Subjects

Collision attack, Rainbow table, SHA-2, Computer science, Distributed computing, Hash function, Hash chain, Cryptographic hash function, MDC-2, Parallel computing, Merkle tree

Abstract

Cryptographic Hash functions find ubiquitous use in various applications like digital signatures, message authentication codes and other forms of digital security. Their associated vulnerabilities therefore make them a prevalent target for cyber criminals. Cracking a hash involves brute force which is generally extremely time or computing power intensive. Recent times have seen usage of GPUs for brute forcing hashes thus significantly accelerating the rate of hash generation during brute force. This has further been extended to simultaneous usage of multiple GPUs over multiple machines or building GPU clusters having multiple GPUs on a single machine. Attackers use these methods to crack hashes within practical durations of time, to the tune of hours or days, depending on the strength of the password. This paper quantifies the advantage of using the CPU simultaneously with the GPU for hash cracking and describes how a potential attacker, with respect to the size of the botnet used, could come to possess capabilities of hash rates of at least greater than 11 times the rate of the world's fastest GPU cluster based MD5 brute forcing machine with no investment.

Published

2013

35. SAFE: Shoulder-surfing attack filibustered with ease

Author

Prasanna Venkatesh Ravi, Srinivas Avireddy, Raghav Babu Subramanian, Sruthi Prabhu, and Narayan Gowraj

Subjects

Password, Password policy, Plain text, business.industry, Computer science, Internet privacy, Password cracking, computer.file_format, Computer security, computer.software_genre, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Message authentication code, Challenge–response authentication, business, computer

Abstract

Websites have become an integral part of everyones life. The most important vulnerable issue in websites which has to be subjected to uncompromising security is user authentication. There is a good level of security when we use the conventional textual based password but memorizing these passwords is difficult when they are too long. Hence, users tend to keep password that are simple and short which compromises security and makes it vulnerable to many password cracking attacks. Users may also tend to write them down or store them inside the computer in the form of sticky notes which makes it even more vulnerable. This issue has motivated users towards an alternative solution which is the Graphical User Authentication (GUA) which makes use of images, patterns instead of plain text. However, one big issue incurred with the GUA is that it is very vulnerable to shoulder-surfing and spyware attacks. In this paper we propose a system called SAFE (Shoulder-Surfing Attacks Filibustered with Ease) that could restrict or filibuster shoulder-surfing and spyware attacks. This system uses an algorithm called as RALUT-G (Randomized Lookup Table-Generator) that generates a randomized look-up table with dynamic content for the user authentication based on its working module. We have also evaluated the efficiency and the effectiveness of our system using comprehensive experimental analysis.

Published

2013

36. Rainbow table to crack password using MD5 hashing algorithm

Author

Praveen Kumar, Sudhanshu Kumar, Sunil Kumar Singh, Dhananjay Kumar, Ajay Kumar, Himanshu Kumar, and Remya Joseph

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Theoretical computer science, Rainbow table, Computer science, Salt (cryptography), Dynamic perfect hashing, Hash function, Password cracking, Double hashing, Password strength

Abstract

Rainbow tables are basically huge tables filled with hash values and are used to find required password. Rainbow Table is used by the hackers to find the password by reversing the hashing function. Hashing the plaintext or password is a 1-way function which implies that hash can't be decrypted to find the required password[10]. To authenticate the user a system takes the hash value generated by the hash function on user's computer and it is compared with the hash value stored in the table on the server machine. If the hash matches, then the user is authenticated and can access the system. Rainbow tables are used to crack the password in short amount of time as compared to brute force technique, but it takes a lot of storage to hold rainbow table itself[1]. It is the most efficient methods for cracking passwords. This paper presents the implementation of Rainbow tables for cracking passwords of operating systems such as Windows7 and application which uses Message Digest v5(MD5) and Simple Hash Algorithmv1(SHA1) as their password hashing mechanism. It discusses the functionality of Rainbow Tables and its advantages over conventional brute-force approach and the usage of rainbow table to crack windows password.

Published

2013

37. A Scheme for the Generation of Strong ICMetrics Based Session Key Pairs for Secure Embedded System Applications

Author

Huosheng Hu, Dongbing Gu, Gareth Howells, Ruhma Tahir, and Klaus D. McDonald-Maier

Subjects

Authentication, Theoretical computer science, business.industry, Computer science, Session ID, Public-key cryptography, Brute-force attack, Rainbow table, Embedded system, Key (cryptography), Key stretching, Session key, Key (lock), Key derivation function, business, Computer network

Abstract

This paper presents a scheme for the generation of strong session based ICMetrics key pairs for security critical embedded system applications. ICMetrics generates the security attributes of the sensor node based on measurable hardware and software characteristics of the integrated circuit. In the proposed scheme a random session ID is assigned by a trusted party to each participating network entity, which remains valid for a communication session. Our work is based on the design of a key derivation function that uses an ICMetrics secret key and a session token assigned by the trusted party to derive strong cryptographic key pairs for each entity. These session tokens also serve the purpose of identification/authentication between the trusted parties and the respective nodes in each network. The main strength of our proposed scheme rests on the randomness feature incorporated via the random session ID's, which makes the generated strong private/public key pair highly resistant against exhaustive search and rainbow table attacks. Our proposed approach makes use of key stretching using random session tokens via SHA-2 and performs multiple iterations of the proposed key derivation function to generate strong high entropy session key pairs of sufficient length. The randomness of the assigned ID's and the session based communication hinders the attacker's ability to launch various sorts of cryptanalytic attacks, thereby making the generated keys very high in entropy. The randomness feature has also been very carefully tuned according to the construction principles of ICMetrics, so that it doesn't affect the original ICMetrics data. The second part of the proposed scheme generates a corresponding public session key by computing the Hermite Normal Form of the high entropy private session key.

Published

2013

38. Resilience against brute force and rainbow table attacks using strong ICMetrics session key pairs

Author

Ruhma Tahir, Dongbing Gu, Klaus D. McDonald-Maier, Huosheng Hu, and Gareth Howells

Subjects

Key generation, Cryptographic primitive, Computer science, business.industry, Strong key, Key space, Key distribution, Cryptography, Computer security, computer.software_genre, Public-key cryptography, Brute-force attack, Rainbow table, Key (cryptography), Static key, Session key, business, computer

Abstract

Cryptography has become an essential for providing security in embedded system applications. The employed cryptographic primitives should provide strong protection such that the security of the system is not compromised at any point in the lifecycle of a secure operation. This particularly includes the secure generation and maintenance of cryptographic keys. In general this assumption is difficult to accomplish, since there are attacks that come under this umbrella ranging from brute force attacks on the key to capturing the node to extract the key. In this paper we investigate and analyze ICMetrics and its counterpart scheme referred to as the scheme for the generation of strong high entropy ICMetrics session key pairs. ICMetrics is a key technology that computes the secret key based on hardware/ software properties of a device, thereby providing resilience against node capture attacks, while high entropy key pair generation scheme is employed to strengthen the generated ICMetrics basis number, so as to safeguard the generated strong key pairs from brute force and rainbow table attacks.

Published

2013

39. Security Analysis of salt||password Hashes

Author

Praveen Gauravaram

Subjects

Password, Salt (cryptography), Computer science, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Computer security, computer.software_genre, One-time password, GeneralLiterature_MISCELLANEOUS, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Data_FILES, Hash chain, Cryptographic hash function, computer

Abstract

Protection of passwords used to authenticate computer systems and networks is one of the most important application of cryptographic hash functions. Due to the application of precomputed memory look up attacks such as birthday and dictionary attacks on the hash values of passwords to find passwords, it is usually recommended to apply hash function to the combination of both the salt and password, denoted salt||password, to prevent these attacks. In this paper, we present the first security analysis of salt||password hashing application. We show that when hash functions based on the compression functions with easily found fixed points are used to compute the salt||password hashes, these hashes are susceptible to precomputed offline birthday attacks. For example, this attack is applicable to the salt||password hashes computed using the standard hash functions such as MD5, SHA-1, SHA-256 and SHA-512 that are based on the popular Davies-Meyer compression function. This attack exposes a subtle property of this application that although the provision of salt prevents an attacker from finding passwords, salts prefixed to the passwords do not prevent an attacker from doing a precomputed birthday attack to forge an unknown password. In this forgery attack, we demonstrate the possibility of building multiple passwords for an unknown password for the same hash value and salt. Interestingly, password||salt (i.e. salts suffixed to the passwords) hashes computed using Davies-Meyer hash functions are not susceptible to this attack, showing the first security gap between the prefix-salt and suffix-salt methods of hashing passwords.

Published

2012

40. A parctical approach to secure WLANs for SOHO and enterprises

Author

Sarder Ferdous Sadique, Monalisha Mishu, and Abdul Quader Munshi

Subjects

Engineering, Dictionary attack, business.industry, Network packet, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Telecommunication security, Computer security, computer.software_genre, Rainbow table, Wireless lan, Key (cryptography), business, computer, Hacker, Computer network

Abstract

Though several security solutions for WLAN are available in the market and we can mix them together to strengthen the security more, but as data packets are transmitted in the air, it is always insecure. In case of a most secured SOHO setup that is proposed here, the worst case can be: A hacker have to intercept the packets to break the WPA2/WPA key first. In this case, he needs to use the dictionary attack using rainbow table and selecting a complex key pass-phrase will make the hacker to give a lot of effort. A proper selection of pass-phrase may even lead the hacker to use a server grade processing setup to break the key. After the successful breaking of the key, still the hacker will have to scan for a valid MAC that is associated with that AP and will have to change his MAC with the newly collected one. In a low user/traffic concentrated WLAN, collecting of around 50,000 IVs will become very time consuming for the hacker.

Published

2012

41. Evaluating Cryptanalytical Strength of Lightweight Cipher PRESENT on Reconfigurable Hardware

Author

Jan Pospiil and Martin Novotny

Subjects

Triple DES, Computer science, business.industry, Cryptography, Reconfigurable computing, law.invention, Cipher, Rainbow table, law, Embedded system, Cryptanalysis, Field-programmable gate array, business, Block cipher

Abstract

The PRESENT cipher is a symmetric block cipher with 64 bits of data block and 80 (or 128) bits of key. It is based on Substitution-permutation network and consists of 31 rounds. PRESENT is intended to be implemented in small embedded and contactless systems, thus its design needs only small amount of chip area and consumes low power. In this work we evaluate the resistance of PRESENT against time-memory trade-off attack. Specifically Rainbow Tables method is used. We determine the computational demand of this type of attack conducted on special parallel reconfigurable hardware COPACOBANA consisting of array of FPGA chips with custom design.

Published

2012

42. A General Way to Break Hash-based Challenge-and-Response

Author

Yuan Dong, Fanbao Liu, and Yasha Chen

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Computer science, SHA-2, Pass the hash, Hash function, Hash chain, Cryptographic hash function, Computer security, computer.software_genre, computer, Double hashing

Abstract

Hash-based challenge-and-response protocols are widely used as an authentication scheme in network applications. The authenticator sends a random string as a challenge to the peer, the peer generates a response with a hash function on a pre-shared password combined the received challenge. In this paper, we propose a general and efficient way to break some prevalent hash-based challenge- and-response protocols in use. These protocols are vulnerable to the chosen challenge attack launched by a malicious user, who impersonates the server. We first generate a rainbow table containing hash values of all possible passwords, which is produced by hashing a pre-chosen challenge concatenated with all possible password candidates. Second, we impersonate the authenticator and send the pre-chosen challenge to the peer. Finally, we look up in the rainbow table for the received response from the peer to crack the password. With this tactic, we can do the cost consuming pre-computation once, and then we can always use it to recover all of the peer's passwords with only one additional on-line query.

Published

2012

43. SQLIMW: A New Mechanism against SQL-injection

Author

Chang-Ming Xu, Gao Jiao, and Jing Mao-hua

Subjects

Collision attack, Rainbow table, Computer science, SHA-2, Hash function, Pass the hash, Hash chain, Cryptographic hash function, Challenge–response authentication, Computer security, computer.software_genre, computer

Abstract

SQL-Injection is an attack for Web applications which are based on database system, and it is one of the most serious security threats for Web application. This paper proposes a new middle-ware-based prevention mechanism: SQLIMW. The SQLIMW avoids SQL-Injection attack from the programmer to the server, and use HASH function to replace encryption. Furthermore, it protects username, password and private key of SQLIMW together by XOR operation and HASH. The proposal provides better security and efficiency.

Published

2012

44. LightFlow: Speeding up GPU-based flow switching and facilitating maintenance of flow table

Author

Michiaki Hayashi and Nobutaka Matsumoto

Subjects

Rainbow table, Computer science, Wildcard, Lookup table, Hash function, Wildcard character, Parallel computing, computer.file_format, computer, Hash table, Linear search, Database index

Abstract

Flow-based switching is increasingly important in accordance with the growing demand for in-network processing for cloud applications. Flow switching performance tends to be degraded in proportion to the number of flow entries. To reduce the number of flow entries, they can be aggregated by applying wildcard fields. Meanwhile, the existence of the wildcard entry adversely affects the use of a hash-based lookup on a flow table, and thus a linear search is inherent in flow switching. However, the linear search is currently the primary cause of performance limitation. To date, two flow tables, one for hash-based lookup and the other for a wildcard-enabled linear search, have been used for flow switching. While hash-based table lookup is much faster than linear search, it needs to be manually updated for every exact match entry. Maintaining a hash-based table of all the flow switches is not feasible from a network operator viewpoint. In this paper, LightFlow, a mechanism to accelerate software flow switching processing and relieve the burden of maintaining the flow table is proposed. In LightFlow, two-dimensional parallelization of a linear search is introduced to accelerate lookup of the wildcard-enabled flow entries. It also introduces a mechanism that allows updating of the hash table to be performed automatically based on the result of wildcardaware table lookup. LightFlow satisfies both the need for fast table lookup and feasibility of flow table management which needs to allow a large number of wildcard entries. Experimental results show that LightFlow can increase the speed of lookup of a wildcard-aware flow table three-fold or more compared to the current GPU-based wildcard search mechanisms.

Published

2012

45. A Reliable Dynamic User-Remote Password Authentication Scheme over Insecure Network

Author

Dai-Lun Chiang, Tzu-Ching Lin, Yu-Fang Chung, Zhen-Yu Wu, and Tzer-Shyong Chen

Subjects

Zero-knowledge password proof, Otway–Rees protocol, Computer science, computer.internet_protocol, Salt (cryptography), Data_MISCELLANEOUS, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Key stretching, Syskey, Password authentication protocol, Key derivation function, Password psychology, Replay attack, Password, Authentication, Password policy, User authentication, Cognitive password, business.industry, Password cracking, Cryptographic protocol, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, HMAC-based One-time Password Algorithm, Smart card, Challenge–response authentication, business, computer

Abstract

Protocols of user authentication are able to ensure the security of data transmission and usersi¦ communication over insecure networks. Among various authenticated mechanisms run currently, the password-based user authentication, because of its efficiency, is the most widely employed in different areas, such as computer networks, wireless networks, remote login, operation systems, and database management systems. Even as password is endowed with the property of simple and human memorable, for which causes such an attack of brute force, for example, the previous works often suffer off-line password guessing attack. Therefore, an ameliorative password-based authentication scheme is proposed in this paper, achieving to resist off-line password guessing attacks, replay attacks, on-line password guessing attacks, and ID-theft attacks. In light of security, the proposed scheme is provided with good practicability, even over insecure network.

Published

2012

46. A universal distributed model for password cracking

Author

Dong-Dai Lin, Guo-Cui Mi, and Jing Zou

Subjects

Password, Theoretical computer science, business.industry, Computer science, Distributed computing, Hash function, Password cracking, Cryptography, Encryption, Password strength, Rainbow table, Brute-force attack, Key stretching, business, Computer Science::Cryptography and Security

Abstract

Due to the parallel nature of brute force attack, it is well suited to use parallel or distributed computing to recover passwords encrypted by one-way hash functions. When distributing the password cracking task between threads or nodes, it is necessary to divide the search space into several subspaces. It is ideal that the size of these subspaces is the same for a load balanced solution. However, increasing the length of passwords will raise the number of combinations exponentially. This will raises issues for the search space uniform partition. This paper presents a universal distributed model for password cracking capable of dividing the search space evenly. For this, the paper addresses the definition of a base-n-like number, and discusses operations on it and relations with base-n number. The model is data independent, easily implemented and needs a few of communications. Experimental results are then shown.

Published

2011

47. Password based authentication: Philosophical survey

Author

Vibha Ojha, Ramesh Chandra Belwal, Gaurav Agarwal, and Anand Sharma

Subjects

Zero-knowledge password proof, Software_OPERATINGSYSTEMS, Computer science, computer.internet_protocol, Salt (cryptography), Cryptography, Encryption, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Secrecy, Key stretching, Microsoft Office password protection, Syskey, Key derivation function, Password psychology, Password, Password policy, User authentication, Authentication, Cognitive password, business.industry, Password cracking, Authorization, Passphrase, Multi-factor authentication, Adversary, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. For the vast majority of computer systems, passwords are the method of choice for authenticating users. The most widely and commonly used authentication is traditional “Username” and “Password”. Among the various means of available resource protection including biometrics, password based system is most simple, user friendly, cost effective and commonly used. But this method having high sensitivity with attacks. Most of the advanced methods for authentication based on password encrypt the contents of password before storing or transmitting in physical domain. In this paper we are giving such authentication credential to various techniques which is used in password based authentication and giving the techniques for prevention of password attacks.

Published

2010

48. Enabling Use of Single Password over Multiple Servers in Two-Server Model

Author

Yanjiang Yang and Feng Bao

Subjects

Password, Password policy, Zero-knowledge password proof, Authentication, Network security, business.industry, Salt (cryptography), computer.internet_protocol, Computer science, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Public-key cryptography, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Key stretching, Syskey, HMAC-based One-time Password Algorithm, Password authentication protocol, Challenge–response authentication, business, computer, Computer network

Abstract

The two-server model is quite promising for password based authentication, well suited for the setting of federated enterprises. However, none of the existing two-server password based authentication schemes enables a user to use the same password over multiple service servers, which is deemed an important feature of the two-server model. In this paper, we propose a new scheme, enabling this prominent functionality. Our proposed scheme is password-only, and slightly more efficient than the latest two-server password based authentication scheme.

Published

2010

49. The Design and Implementation of Password Authentication System Based on Chaos

Author

Nan Jiang, Xiang-dong Liu, and Ri-jing Yang

Subjects

Password, Theoretical computer science, Computer science, Hash function, Computer security, computer.software_genre, One-time password, S/KEY, Nonlinear Sciences::Chaotic Dynamics, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, ComputerSystemsOrganization_MISCELLANEOUS, Computer Science::Multimedia, Hash chain, Cryptographic hash function, Challenge–response authentication, computer, Computer Science::Cryptography and Security

Abstract

This paper proposed the construction algorithm of chaotic Hash function based on Henon-like mapping, and designed one password authentication scheme on basis of chaotic scramble sort algorithm and chaotic Hash function; it also resolved the insecurity problems that can’t resist little numbers attack, the iteration times of plaintext transmission and the attack of fraud server in the scheme. It finally implemented the one time password authentication system based on chaotic scramble sort table and chaotic Hash function.

Published

2009

50. A hash-based scalable IP lookup using Bloom and fingerprint filters

Author

Rabi N. Mahapatra, Heeyeol Yu, and Laxmi N. Bhuyan

Subjects

Hash tree, Rainbow table, SHA-2, Computer science, business.industry, Hash list, Hash function, Hash chain, Parallel computing, business, Perfect hash function, Double hashing, Computer network

Abstract

Several challenges in the IP lookup architecture must be addressed for a high-speed forwarding in a large scale routing table: power, memory, and lookup complexity. Hash-based architectures have lookup schemes that are recognized for being both power and memory efficient due to their O(1) lookup, in contrast to other contemporary architectures. In this paper, we propose a novel hash architecture to address these issues by using pipelined Bloom and fingerprint filters for a binary searching in keys. The proposed hash scheme encodes keys' indexes to an on-chip fingerprint table, approximately returns a few indexes in a key query without pointer overhead, and makes a perfect match in an off-chip key table. Due to a memory banking system in pipeline stages, we can achieve O(1) pipelined throughput complexity of insertion, deletion, and query operations. For the IP lookup, a Lulea bitmap with our hash scheme supports a prefix lookup without inflating the numbers of prefixes and next-hops, so that our scalable hash-based scheme can achieve the worst case O(1) IP lookup. The simulation with large scale routing tables shows that our IP lookup scheme offers 4.5 and 50.1 times memory and power efficiencies than other contemporary hash and TCAM schemes, respectively.

Published

2009