Saturday, August 8, 2009

Time taken to crack password

The time it takes to crack password-protected Microsoft Office files has tumbled from a 25-day average to a matter of seconds, thanks to a decades-old code-cracking technique that until recently was not viable.

The technique, described in a 1980 paper, "A Cryptanalytic Time-Memory Trade-Off", involves pre-generating a massive "rainbow table" of passwords and their corresponding hashes - the encrypted strings of numbers computers use to verify passwords.

Until now, the terabytes of storage needed to write the tables haven't been available. But cheap storage means rainbow tables are in vogue in the IT security industry. "Take a look at hard-drive storage. I buy terabytes like I used to buy megabytes," says Christian Stankevitz, the laboratory manager for Chicago-based IT security consultancy Neohapsis.

In the past, passwords were cracked by randomly guessing at the correct string of characters in what's known as a "brute force" attack. In these assaults, the encrypted form of the password - the hash - is extracted from the target file or computer. A randomly generated password is encrypted and its encrypted form is compared to the extracted hash. If it doesn't match, the process is repeated until a match is found - it's a long and tedious process.

With rainbow tables, the encrypted form of most possible passwords is pre-computed and stored alongside the actual, clear-text password. Users can simply look up virtually any hash in the massive index and match it to the corresponding password in seconds.

The tables can break password protection in many common file formats, including versions of Adobe's PDF format (the current version is immune to the attack), the default encryption on protected Microsoft Office documents (40-bit) and even Windows password files.
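The following sketch is an added example, not part of the original post. It goes one step beyond the description above: instead of storing every hash, it keeps only the start and end of each hash chain, which is the time-memory trade-off itself. The 3-character keyspace, MD5 as a stand-in hash, the chain length and the "s4lt" prefix are all assumptions for the demo; the last lookup shows why a salted hash is not covered by a precomputed table.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # 36 symbols, as in the table's 1-character row
LENGTH = 3        # toy keyspace: 36**3 = 46,656 passwords (assumption for the demo)
CHAIN_LEN = 50    # passwords covered per stored chain (assumption)
SPACE = len(ALPHABET) ** LENGTH

def h(data: str) -> bytes:
    """Unsalted MD5, standing in for whatever hash the target format uses."""
    return hashlib.md5(data.encode()).digest()

def reduce(digest: bytes, step: int) -> str:
    """Map a hash back into the password space; varying it per step makes the table 'rainbow'."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def walk(pw: str, first_step: int) -> str:
    """Follow hash/reduce links from position first_step to the chain's endpoint."""
    for step in range(first_step, CHAIN_LEN):
        pw = reduce(h(pw), step)
    return pw

def build_table(starts):
    """Precomputation: keep only endpoint -> starts; the links in between are discarded."""
    table = {}
    for s in starts:
        table.setdefault(walk(s, 0), []).append(s)
    return table

def lookup(table, target: bytes):
    """Recover the password behind target, or None if no stored chain covers it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):      # guess where in a chain the hash sits
        end = walk(reduce(target, pos), pos + 1)
        for cand in table.get(end, []):           # rebuild the chain to confirm (false alarms happen)
            for step in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce(h(cand), step)
    return None

if __name__ == "__main__":
    table = build_table(f"a{i:02d}" for i in range(100))   # constructed chain starts a00..a99
    print(len(table), "chain endpoints stored for a keyspace of", SPACE)
    print(lookup(table, h("a42")))            # password on a stored chain is recovered
    print(lookup(table, h("s4lt" + "a42")))   # same password, salted hash: not in the table
```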

Time taken to crack password:


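| No. of characters | Total combinations | By human | By 1 MIPS computer |
|---|---|---|---|
| 1 | 36 | 3 minutes | 0.000018 s |
| 2 | 1300 | 2 hours | 0.00065 s |
| 3 | 47000 | 3 days | 0.02 s |
| 4 | 1700000 | 3 months | 1 s |
| 5 | 60000000 | 10 years | 30 s |
| 10 | 37 x 10^14 | 580 million years | 59 years |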
