Educause Security Discussion mailing list archives

Re: Rainbow Tables and Authentication Alternatives


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Tue, 18 Jul 2006 19:11:49 -0500

Anthony Maszeroski wrote:

There are online rainbow tables/crackers for several other hashes,
including PIX, MD2, MD4, MD5, NTLM, MySQL, RIPEMD160, SHA1, etc. Many of
them support greater than 8 character passwords. Check out these sites
for more information:

http://md5.rednoize.com/
http://gdataonline.com/
http://www.milw0rm.com/md5/
http://passcracking.ru/
http://passcrack.spb.ru/
http://www.rainbowcrack-online.com/
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowcrack.com/
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
http://www.md5lookup.com/?category=main&page=search
http://md5.crysm.net/

This is where hashing algorithms that use salts come in very handy.  The
ones used with WinDOS (to the best of my knowledge) do NOT, i.e., for
every possible password there is (assuming a hashing algorithm with no
collisions) exactly one possible hash.  However, for algorithms that use
a salt (a random value used to perturb the hashing algorithm), the same
input value can have multiple output values.  So, using the traditional
Unix crypt() function, the input "password" can yield the hash values
"OEkufURo0wtpk" and "DJaFvL4Hpt6P2" as outputs.

When attacking an unsalted algorithm (like those used with WinDOS),
Rainbow tables work pretty well.  An attacker only has to precompute the
hash value.  For a salted algorithm, the attacker has to precompute the
hash value *FOR EACH* possible salt.  crypt() has something like 4K
possible salts, so in that respect it's somewhat weak... but it still
takes 4K times more possible computations.  Newer hashing algorithms
(like the salted MD5 hashing algorithm used for the past several years
in some Unix and Unix-like OSes) use salts around eight characters in
length.  Assuming they use the same sized character set for salts as
traditional crypt(), that gives them something like 2E14 possible salts,
which somewhat increases the amount of space needed to store precomputed
tables.

There are other concerns, though, when talking about password hashes.  In
WinDOS, I think the hash can actually be used as a password equivalent,
or so I've heard from some Samba types.  Of course, if the Bad Guy[tm]
has gotten to the point where they can actually read your password
hashes in the first place, the game's mostly over anyway.


--
Alan Amesbury
University of Minnesota
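
The salt arithmetic from the message above, as an added example that is not part of the original post: it shows a table precomputed without a salt missing a salted hash, and counts the table entries needed to cover every salt. Assumptions: `toy_hash` is a SHA-256 stand-in that just prepends the salt (it is not crypt() or salted MD5), and the candidate list and salts are constructed sample values.

```python
import hashlib

# The 64-character salt alphabet used by traditional crypt(): ./0-9A-Za-z
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def salt_space(length):
    """Number of distinct salts of `length` characters from the 64-char set."""
    return len(SALT_ALPHABET) ** length


def toy_hash(password, salt=""):
    # Assumption: stand-in for the real algorithms. The salt is simply
    # prepended before hashing, which is enough to show the effect.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(candidates, salt=""):
    """Precompute hash -> password for ONE fixed salt (empty = unsalted)."""
    return {toy_hash(p, salt): p for p in candidates}


def lookup(table, stored_hash):
    """Return the recovered password, or None if the table has no entry."""
    return table.get(stored_hash)


def table_entries_needed(num_candidates, salt_length):
    """Entries a precomputed table must hold to cover every possible salt."""
    return num_candidates * salt_space(salt_length)


CANDIDATES = ["password", "letmein", "gophers"]  # constructed sample list
UNSALTED_TABLE = build_table(CANDIDATES)

if __name__ == "__main__":
    # Same input, two salts, two different stored values.
    print(toy_hash("password", "OE")[:16], toy_hash("password", "DJ")[:16])
    # One table covers every unsalted hash of a candidate...
    print(lookup(UNSALTED_TABLE, toy_hash("password")))
    # ...but the same table is useless against a salted hash.
    print(lookup(UNSALTED_TABLE, toy_hash("password", "OE")))
    # Cost multiplier for 2-character and 8-character salts.
    for n in (2, 8):
        print(n, salt_space(n), table_entries_needed(len(CANDIDATES), n))
```
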
