
Showing papers on "Rainbow table published in 2010"


Patent
Alexander Todorov1
27 May 2010
TL;DR: In this paper, a password security system, hosted by a server, sends a web page over a network to a client, that includes a CAPTCHA challenge, a request for a CAPTCHA answer, a graphical user interface for receiving a user identifier and a password, and a security script.
Abstract: A password security system, hosted by a server, sends a web page over a network to a client, that includes a CAPTCHA challenge, a request for a CAPTCHA answer, a graphical user interface for receiving a user identifier and a password, and a security script. The security script is to be executed by the client to generate a client hash value from password data and a CAPTCHA answer that is received from a user. The system receives the client hash value and computes a server hash value for password data for the user and a CAPTCHA answer that is stored in a data store that is coupled to the server. The system determines whether the server hash value matches the client hash value, and grants data access to the user when the values match and denies data access to the user when the values do not match.

40 citations


Patent
Jeffrey Glen Rennie1
12 Oct 2010
TL;DR: In this paper, the authors present a scheme for logging into a computer using a user's password and a strong cryptographic hash of the user's account. But the scheme requires the user to change the password every time the hash is updated.
Abstract: Methods and apparatus for logging into a computer are disclosed. The computer receives a username and password. The computer determines whether a user with the username is authorized to access the computer. If so, the computer retrieves a weak cryptographic hash of the user's password and compares it to a weak cryptographic hash of the received password. The computer grants access if the weak cryptographic hashes are identical, and sends the username and password to a server. The server determines whether a user with the username has a server account. If so, the server retrieves a strong cryptographic hash of the user's password and compares it to a strong cryptographic hash of the received password. The server grants the user access to an account or service if the strong cryptographic hashes are identical.

31 citations


Patent
Abhay Kulkarni1, Anupam Anand1
16 Feb 2010
TL;DR: A hash table controller may include a hash calculator configured to receive a key and to determine, based thereon, a first entry in a first bank of a hash table for a value associated with the key and determine a second entry in another bank of the hash tables for the value as discussed by the authors.
Abstract: A hash table controller may include a hash calculator configured to receive a key and to determine, based thereon, a first entry in a first bank of a hash table for a value associated with the key and determine a second entry in a second bank of the hash table for the value. The hash table controller also may include a table operations manager configured to determine that the first entry and the second entry are empty, and to store the value and a duplicate of the value at both the first entry and the second entry, respectively.

28 citations


Patent
27 Apr 2010
TL;DR: In this paper, a hash module generates a hashed version of the received plaintext password based on an authentication hash key, a hash comparator compares that hashed version with the hashed value retrieved from a key storage, and if the two are equal the user is authenticated for access to at least a portion of the encrypted storage device.
Abstract: Described embodiments provide for authenticating a user request for access to at least a portion of an encrypted storage device. First, the request for access to at least a portion of the encrypted storage device is received. The request includes a plaintext password. A hash module generates a hashed version of the received plaintext password based on an authentication hash key. A hashed value of the generated plaintext password is retrieved from a key storage. A hash comparator compares the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password. If the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, the user is authenticated for access to at least a portion of the encrypted storage device. Otherwise, the user is denied access to the encrypted storage device.

24 citations


Proceedings ArticleDOI
31 Aug 2010
TL;DR: The first known generic FPGA-based system based on Rainbow Tables, implemented in a state-of-the-art reconfigurable device that cracks passwords, which are encrypted with a number of different cryptographic algorithms, is demonstrated.
Abstract: One of the most efficient methods for cracking passwords, which are hashed based on different cryptographic algorithms, is the one based on “Rainbow Tables”. Those lookup tables offer an almost optimal time-memory tradeoff in the process of recovering the plaintext password from a password hash, generated by a cryptographic hash function. In this paper, the first known such generic system is demonstrated. It is implemented in a state-of-the-art reconfigurable device that cracks passwords, which are encrypted with a number of different cryptographic algorithms. The proposed FPGA-based system is up to 1000 times faster than the corresponding software approach. This is achieved by using a highly parallel architecture employing a fine-grained pipeline.

23 citations


Journal ArticleDOI
TL;DR: This work is able to present the expected online time complexities for the Hellman tradeoff and the rainbow table method in a manner that takes false alarms into account and analyzes the effects of the checkpoint method in reducing false alarm costs.
Abstract: Cryptanalytic time memory tradeoff algorithms are generic one-way function inversion techniques that utilize pre-computation. Even though the online time complexity is known up to a small multiplicative factor for any tradeoff algorithm, false alarms pose a major obstacle in its accurate assessment. In this work, we study the expected pre-image size for an iteration of functions and use the result to analyze the cost incurred by false alarms. We are able to present the expected online time complexities for the Hellman tradeoff and the rainbow table method in a manner that takes false alarms into account. We also analyze the effects of the checkpoint method in reducing false alarm costs. The ability to accurately compute the online time complexities will allow one to choose their tradeoff parameters more optimally, before starting the expensive pre-computation process.

19 citations


Book ChapterDOI
01 Jan 2010
TL;DR: This work presents an algorithm that overcomes all of the shortcomings of Lamport hashes by involving two different nested hash chains: one dedicated to seed updating and the other used for OTP production, and proposes a random challenge–response operation mode.
Abstract: Hash chains have been used as OTP generators. Lamport hashes have an intensive computation cost and a chain length restriction. A solution for signature chains addressed this by involving public key techniques, which increased the average computation cost. Although a later idea reduced the user computation by sharing it with the host, it couldn’t overcome the length limitation. The scheme proposed by Chefranov to eliminate the length restriction had a deficiency in the communication cost overhead. We here present an algorithm that overcomes all of these shortcomings by involving two different nested hash chains: one dedicated to seed updating and the other used for OTP production. Our algorithm provides forward and non-restricted OTP generation. We propose a random challenge–response operation mode. We analyze our proposal from the viewpoint of security and performance compared with the other algorithms.

14 citations


Patent
03 Mar 2010

12 citations


Patent
04 Nov 2010
TL;DR: In this article, a server creates a time-limited authentication key, computes a hash value of a file included in update software for each file, and encrypts the hash table using the authentication key.
Abstract: A load on a server or a network is suppressed at a minimum, the authentication server is not necessary, and download of falsified software is prevented. A server creates a time-limited authentication key, computes a hash value of a file included in update software for each file to create a hash table in which hash values of a file are listed, and encrypts the hash table using the authentication key. A unit obtains the encrypted hash table and the authentication key from a server. An information terminal obtains the encrypted hash table from the unit, obtains the authentication key from the unit, determines whether or not a time limit of the authentication key is valid, obtains the encrypted hash table from the server if the time limit is determined to be valid as a result of the determination, decrypts the tables using the authentication key, compares the tables after decryption, and initiates download of the update software if both the tables are identical to each other.

12 citations


Proceedings ArticleDOI
29 Jun 2010
TL;DR: This paper proposes a new scheme, enabling a user to use the same password over multiple service servers, and is password-only, and slightly more efficient than the latest two-server password based authentication scheme.
Abstract: The two-server model is quite promising for password based authentication, well suited for the setting of federated enterprises. However, none of the existing two-server password based authentication schemes enables a user to use the same password over multiple service servers, which is deemed an important feature of the two-server model. In this paper, we propose a new scheme, enabling this prominent functionality. Our proposed scheme is password-only, and slightly more efficient than the latest two-server password based authentication scheme.

11 citations


Proceedings ArticleDOI
06 Dec 2010
TL;DR: This paper surveys the various techniques used in password-based authentication and gives techniques for the prevention of password attacks.
Abstract: The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. For the vast majority of computer systems, passwords are the method of choice for authenticating users. The most widely and commonly used authentication is the traditional “Username” and “Password”. Among the various means of available resource protection, including biometrics, the password-based system is the most simple, user friendly, cost effective and commonly used. But this method has a high sensitivity to attacks. Most of the advanced methods for password-based authentication encrypt the contents of the password before storing or transmitting it in the physical domain. In this paper we present the various techniques used in password-based authentication and give techniques for the prevention of password attacks.

Patent
Can Cao1
13 Sep 2010
TL;DR: In this paper, a method and apparatus for setting a graph password of a communication terminal are disclosed to solve the problem that the security of the traditional character password is lower than that of the graph password.
Abstract: A method and apparatus for setting a graph password of a communication terminal are disclosed to solve the problem that the security of the traditional character password is lower. The method includes the following steps: in a case when a setting graph password instruction of a user is received and it is judged that no character password is set before, generating a graph interface with a plurality of loaded pictures, wherein, each loaded picture is randomly filled in a corresponding grid of a two-dimensional lattice of the graph interface; obtaining a picture identification (ID) and a coordinate value for setting a graph password by selecting at least one loaded picture in the graph interface as the picture corresponding to the graph password; converting the picture ID and the coordinate value for setting the graph password into a character password and storing the character password, finishing setting the graph password. In the application, the picture ID and coordinate value of the grid where the picture is located are used as the password, which increases the complexity of the password and ensures the security of using the password.

01 May 2010
TL;DR: This paper reports on the development of a generic tool for password generation using such a graphical click-driven interface, and gives criteria for images that should be used in such password generation applications to avoid heuristic attacks.
Abstract: In this paper we explore heuristic attacks against graphical password generators. A new trend is emerging to use user clickable pictures to generate passwords. This technique of authentication can be successfully used for - for example - operating system authentication. We report on the development of a generic tool for password generation using such a graphical click-driven interface. This stand-alone tool can be used for generating passwords on the fly. We describe the approach and the usability of such a project. The project is available as an open-source project. Next we investigate heuristic attacks against such generated passwords. By using a classifier methodology it is possible to develop specific attack-scenarios based on the category. Specific heuristic attacks are used to reduce the key-space such that brute-force cracking approaches become feasible. We report on these heuristic attacks and their success. Lastly we give criteria for images that should be used in such password generation applications to avoid these types of heuristic attacks.

Proceedings ArticleDOI
27 Aug 2010
TL;DR: This paper first applies password generation rules in generating a reasonable password space, and then uses GPUs for exhaustively verifying every password in the space, showing the potential applicability of GPUs in this cryptanalysis field.
Abstract: Protecting data by passwords in documents such as DOC, PDF or RAR, ZIP archives has been demonstrated to be weak under dictionary attacks. The time for recovering the passwords of such documents mainly depends on two factors: the size of the password search space and the computing power of the underlying system. In this paper, we present an approach using modern multi-core graphic processing units (GPUs) as computing devices for finding lost passwords of ZIP archives. The combination of the GPU's extremely high computing power and state-of-the-art password structure analysis methods brings us a feasible solution for recovering ZIP file passwords. We first apply password generation rules [9] in generating a reasonable password space, and then use GPUs for exhaustively verifying every password in the space. The experimental results have shown that the password verification speed increases by about 48 to 170 times (depending on the number of GPUs) compared to sequential execution on the Intel Core 2 Quad Q8400 2.66 GHz. These results have demonstrated the potential applicability of GPUs in this cryptanalysis field.

Book ChapterDOI
01 Jan 2010
TL;DR: It is increasingly common to audit communications in companies to verify their correct operation and to check that there is no illegal activity.
Abstract: It is increasingly common to audit communications in companies to verify their correct operation and to check that there is no illegal activity. The main problem is that the audit tools are inefficient when communications are encrypted.

Book ChapterDOI
04 Jan 2010
TL;DR: A new method for deterministically generating and efficiently storing password recovery tables, which involves the virtual expansion of rainbow tables, achieves improvements of 16.92% to 28.15% in the password recovery success rate compared with the original rainbow table method.
Abstract: Password recovery tools are often used in digital forensic investigations to obtain the passwords that are used by suspects to encrypt potential evidentiary data. This paper presents a new method for deterministically generating and efficiently storing password recovery tables. The method, which involves the virtual expansion of rainbow tables, achieves improvements of 16.92% to 28.15% in the password recovery success rate compared with the original rainbow table method. Experimental results indicate that the improvements are achieved with the same computational complexity and storage requirements as the original rainbow table method.

Posted Content
TL;DR: In this article, the authors compared three time memory tradeoff algorithms: the classical tradeoff algorithm by Hellman, the distinguished point tradeoff method, and the rainbow table method, in their non-perfect table versions.
Abstract: Three time memory tradeoff algorithms are compared in this paper. Specifically, the classical tradeoff algorithm by Hellman, the distinguished point tradeoff method, and the rainbow table method, in their non-perfect table versions, are treated. We show that, under parameters and assumptions that are typically considered in theoretic discussions of the tradeoff algorithms, Hellman and distinguished point tradeoffs perform very close to each other and that the rainbow table method performs somewhat better than the other two algorithms. Our method of comparison can easily be applied to other situations, where the conclusions could be different. The analysis of tradeoff efficiency presented in this paper does not ignore the effects of false alarms and also covers techniques for reducing storage, such as ending point truncations and index tables. Our comparison of algorithms takes the success probabilities and pre-computation efforts fully into account.

Journal Article
Chen Qiang1
TL;DR: This proposed scheme uses a simple data structure, performs faster and supports updates easily, and improves the IPv6 backbone network forwarding speed to meet the development demand for IPv6.
Abstract: With the combination of a hash table and a multibit trie, after sufficient and thorough analysis of the now available IPv4 routing algorithms, especially the simple and efficient LFT (level forwarding table), the characteristics of IPv6 addresses and the prefix particularity of real live IPv6 backbone routing tables, a hierarchical hash routing lookup algorithm for IPv6 is proposed which uses the 32-bit prefix as the lookup starting point to achieve a faster search that needs just one memory access. This proposed scheme uses a simple data structure, performs faster and supports updates easily, and improves the IPv6 backbone network forwarding speed to meet the development demand for IPv6.

Journal ArticleDOI
TL;DR: This work developed an improved secure hash function, whose security is directly related to the syndrome decoding problem from the theory of error-correcting codes, which deters password phishing since the password received at a phishing site is not useful at any other domain.
Abstract: techniques such as secured socket layer (SSL) with client-side certificates are well known in the security research community, most commercial web sites rely on a relatively weak form of password authentication: the browser simply sends a user's plaintext password to a remote web server, often using SSL. Even when used over an encrypted connection, this form of password authentication is vulnerable to attack. In common password attacks, hackers exploit the fact that web users often use the same password at many different sites. This allows hackers to break into a low security site that simply stores username/passwords in the clear and use the retrieved passwords at a high security site. While password authentication could be abandoned in favor of hardware tokens or client certificates, both options are difficult to adopt because of the cost and inconvenience of hardware tokens and the overhead of managing client certificates. Recently, some collisions have been exposed for a variety of cryptographic hash functions including some of the most widely used today. Many other hash functions using similar constructions can however still be considered secure. Nevertheless, this has drawn attention to the need for new hash function designs. This work developed an improved secure hash function, whose security is directly related to the syndrome decoding problem from the theory of error-correcting codes. The proposal designs and develops a user interface, and an implementation of a browser extension, password hash, that strengthens web password authentication. Providing customized passwords can reduce the threat of password attacks with no server changes and little or no change to the user experience. The proposed techniques are designed to transparently provide novice users with the benefits of password practices that are otherwise only feasible for security experts.
Experiments are done with Internet Explorer and Firefox implementations and we report the results of initial users. The hash is implemented using a Pseudo Random Function keyed by the password. Since the hash output is tailored to meet server password requirements, the resulting hashed password is handled normally at the server and no server modifications are required. This technique deters password phishing since the password received at a phishing site is not useful at any other domain. The cryptographic hash makes it difficult to compute hash(pwd,dom2) from hash(pwd,dom1) for any domain dom2 distinct from dom1. For the same reason, passwords gathered by breaking into a low security site are not useful at any other site. The hash attack is always exponential in terms of the length of the hash value. We also study the work-factor of this attack, along with other attacks from coding theory, for the non-asymptotic range, i.e. for practical values. Accordingly, we propose a few sets of parameters giving good security and either faster hashing or a shorter description for the function.

Patent
13 May 2010
TL;DR: In this article, a method and a system for decrypting a password in multi-node parallel-processing environment including a master node and a plurality of work nodes is presented, where the master node receives information on encrypted file selection from a user.
Abstract: Provided are a method and a system for decrypting a password in multi-node parallel-processing environment including a master node and a plurality of work nodes. The master node receives information on encrypted file selection from a user. The master node generates password candidate information generation information and transmits the password candidate to the plurality of work nodes together with a password decryption command. The password candidate generation information allows the plurality of work nodes to have different password candidate ranges using password decryption information comprising a maximum password length, a minimum password length, and a string set constituting the password. The work node decrypts the password using the password candidate generation information. The work node transmits the password decryption result to the master node.

Journal ArticleDOI
TL;DR: This paper will re-evaluate the security of two MD5-based authentication protocols based on a fact that MD5 cannot satisfy a required fundamental property named collision resistance, and proposes a modified password recovery attack procedure, which is twice as fast as previous attacks.
Abstract: Many hash-based authentication protocols have been proposed, and proven secure assuming that underlying hash functions are secure. On the other hand, if a hash function compromises, the security of authentication protocols based on this hash function becomes unclear. Therefore, it is significantly important to verify the security of hash-based protocols when a hash function is broken. In this paper, we will re-evaluate the security of two MD5-based authentication protocols based on a fact that MD5 cannot satisfy a required fundamental property named collision resistance. The target protocols are APOP (Authenticated Post Office Protocol) and NMAC (Nested Message Authentication Code), since they or their variants are widely used in the real world. For security evaluation of APOP, we will propose a modified password recovery attack procedure, which is twice as fast as previous attacks. Moreover, our attack is more realistic, as the probability of being detected is lower than that of previous attacks. For security evaluation of MD5-based NMAC, we will propose a new key-recovery attack procedure, which has a complexity lower than that of the previous attack. The complexity of our attack is 2^76, while that of the previous attack is 2^100. Moreover, our attack has another interesting point. NMAC has two keys: the inner key and the outer key. Our attack can recover the outer key partially without the knowledge of the inner key.

Proceedings ArticleDOI
06 Sep 2010
TL;DR: In this article, the authors propose an alternative approach where they store a host identifier in the entry associated with a resource identifier and the actual network address of the host in a separate host entry, which can drastically reduce the time required for updating the distributed hash table when a mobile host changes its network address.
Abstract: Resources in a cloud can be identified using identifiers based on random numbers. When using a distributed hash table to resolve such identifiers to network locations, the straightforward approach is to store the network location directly in the hash table entry associated with an identifier. When a mobile host contains a large number of resources, this requires that all of the associated hash table entries must be updated when its network address changes. We propose an alternative approach where we store a host identifier in the entry associated with a resource identifier and the actual network address of the host in a separate host entry. This can drastically reduce the time required for updating the distributed hash table when a mobile host changes its network address. We also investigate under which circumstances our approach should or should not be used. We evaluate and confirm the usefulness of our approach with experiments run on top of OpenDHT.

01 Jan 2010
TL;DR: The proposal of this work presents a user interface, browser extension password hash, strengthens web password in a two server authentication system which is interfaced with client supported hash passwords with server session keys.
Abstract: The techniques of secured socket layer (SSL) with client-side certificates for commercial web sites rely on a relatively weak form of password authentication. A browser that sends a user’s plaintext password to a remote web server using SSL is vulnerable to attack. In common password attacks, hackers exploit the fact that web users often use the same password at many different sites. This has drawn attention to the need for new hash function designs. In addition, authentication systems which use passwords stored in a central server are easily prone to attack. To overcome the problem of single server password attacks, multi-server systems were proposed in which the user communicates in parallel with several or all of the servers. Such systems require a large communication bandwidth, complex deployment and synchronization at the user, and are quite expensive. An optimized two server system is proposed in our work. The proposal of our work presents a user interface, browser extension password hash, which strengthens web passwords in a two server authentication system. The hash is implemented using a Pseudo Random Function keyed by the password. Since the hash output is tailored to meet server password requirements, the resulting hashed password is handled normally at the server with no server modifications. The two server authentication system is interfaced with client supported hash passwords with server session keys. The two server system contains the front end service server, which interacts directly with the user, and the back end control server, visible only to the service server. The users contact only the service server, but these two servers are together responsible for the authentication of the user. The user has a password which is transformed into two long secrets which are held by the service server and the control server.

Journal ArticleDOI
TL;DR: A novel one-time password authentication and key agreement scheme (EAKAS) based on an elliptic curve digital signature chain is developed; it has better security and is well suited to scenarios requiring a high level of security.
Abstract: Recently, several one time password authentication schemes have been proposed. However, most one-time password authentication schemes have security flaws. In this paper, a novel one-time password authentication and key agreement scheme (EAKAS) based on an elliptic curve digital signature chain is developed. The proposed scheme has the following merits: a password or verification table is not required in the server; users can choose or change their password; it can resist off-line dictionary attacks and achieves mutual authentication; it has no system clock synchronization and no constraint on transmission delay; it can resist replay attacks, man-in-the-middle attacks and insider attacks; it is sensitive to password error and strong in security restoration; the session keys in the proposed scheme have the features of freshness, confidentiality, known key security and forward security. Compared with the related schemes, our proposed scheme has better security and is well suited to scenarios requiring a high level of security.

Book ChapterDOI
07 Sep 2010
TL;DR: This paper looks at new concepts of password security based on text-based authentication, ensuring security from dictionary attacks, based on the principle of converting the characters of the password into control points, a form unrecognizable to intruders.
Abstract: Password security has emerged as a promising field in computer science and technology. The innovative strategies are found to be costly and also require expertise to use them. The widely used methods of password security are pass-faces and biometric password authentication schemes. Though they serve their purpose, they are found to be cost ineffective. This paper looks at new concepts of password security based on text-based authentication, ensuring security from dictionary attacks. It is based on the principle of converting the characters of the password into control points, a form unrecognizable to intruders.

Journal ArticleDOI
TL;DR: The idea is guessing a part of passwords so that they can simulate values of intermediate chaining variables from observed hash values, which enables us to use a short local collision that occurs with a very high probability, and thus the number of queries becomes practical.
Abstract: In this paper, we present practical password recovery attacks against two challenge and response authentication protocols using MD4. For attacks on protocols, the number of queries is one of the most important factors because the opportunity where an attacker can ask queries is very limited in real protocols. When responses are computed as MD4(Password||Challenge), which is called the prefix approach, previous work needs to ask 2^37 queries to recover a password. Asking 2^37 queries in real protocols is almost impossible. In our attack, to recover up to 8-octet passwords, we only need 1 time the amount of eavesdropping, 17 queries, and 2^34 MD4 off-line computations. To recover up to 12-octet passwords, we only need 2^10 times the amount of eavesdropping, 2^10 queries, and 2^41 off-line MD4 computations. When responses are computed as MD4(Password||Challenge||Password), which is called the hybrid approach, previous work needs to ask 2^63 queries, while in our attack, up to 8-octet passwords are practically recovered by 2^8 times the amount of eavesdropping, 2^8 queries, and 2^39 off-line MD4 computations. Our idea is guessing a part of the password so that we can simulate values of intermediate chaining variables from observed hash values. This enables us to use a short local collision that occurs with a very high probability, and thus the number of queries becomes practical.