Attacking the hash (WAS: Private Key Generation from Passwords/phrases)

Allen netsecurity at sound-by-design.com
Wed Jan 24 15:01:07 EST 2007 

Hi gang,

As an outsider, sort of, looking in I had an interesting thought 
about this. Since insider threats are the biggest problem, what 
vector could an insider use against password hashes to gain root 
password access?

The problem with Rainbow tables is that they would be too massive 
when the salt was 4096 to be practical unless you had the power 
of NSA or an equivalent supporting your efforts.

However, what about attacking the salt? How good is the PRNG for 
the salt? Is it at all predictable?

Here is one approach that might work. Keep entering the same 
password(s) and collecting the resultant hashes until you get 
several duplicates. Then analyze the results to see if there is a 
pattern to the repetition that would allow for a birthday attack 
against the salt that would allow an attack against the root 
password hash or other administrative rights password hashes that 
could be collected.

I suspect this would be somewhat difficult to code but once done 
almost the entire attack could be done off-line on a machine that 
uses the same password hash creation mechanism so you wouldn't 
trigger an IDS or similar audit process on the network under attack.

Given the long history of industrial espionage in the corporate 
world I'm sure that there are probably small teams working to 
collect information that have somewhat more resources than an 
individual or outsider group might have, making the effort 
required feasible.

Thoughts?

Best,

Allen

Leichter, Jerry wrote:
> | ...One sometimes sees claims that increasing the salt size is important.
> | That's very far from clear to me.  A collision in the salt between
> | two entries in the password file lets you try each guess against two
> | users' entries.  Since calculating the guess is the hard part,
> | that's a savings for the attacker.  With 4K possible salts, you'd need a

[snipped]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list