Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
WHEN FILE ENCRYPTION HELPS PASSWORD CRACKING
PHDays V
Sylvain Pelissier, Roman Korkikian
May 26, 2015
IN BRIEF
Password hashing
Password cracking
eCryptfs presentation
eCryptfs salting problem
Correction
Questions
2
PASSWORD HASHING
3
PASSWORD CRACKING
From the hash recover the password value.
4
BRUTEFORCE
1. Get the hash file /etc/shadow
2. For all possible password, compute H(password) until a
match is found in the...
PRE-COMPUTED DICTIONNARY ATTACK
1. Create a database of all (password, H(password)).
2. To crack a given password hash, ch...
RAINBOW TABLE ATTACK
Trade-off between computation and memory.
7
SALTING
Compute H(salt||password) instead of H(password)
and store both salt and hash.
Make dictionary and rainbow table a...
PASSWORD CRACKING
Well studied problem.
Several optimized tools:
John the ripper (www.openwall.com/john).
hashcat (hashcat...
ECRYPTFS
File encryption software (ecryptfs.org).
Included in the Linux Kernel.
Used for user home folder encryption by
Ub...
ECRYPTFS UTILS
11
ECRYPTFS UTILS
1. During creation of the encrypted home folder, a
passphrase (16 bytes by default) is randomly generated.
...
KEY WRAPPING
13
KEY WRAPPING
14
KEY WRAPPING
15
KEY UNWRAPPING
16
ECRYPTFS DEFAULT SALT
1. eCryptfs uses a salt for the key wrapping process.
2. However, if not specified in the file ~/.ecry...
ECRYPTFS
For simplicity, in Ubuntu, the wrapping
password is directly the user password !
With the default salt, dictionar...
JOHN THE RIPPER
eCryptfs signature cracking has been already implemented
in John the ripper 1.8.0-jumbo:
$ecryptfs$0$1$001...
RESULTS
We computed a dictionary of key signatures of the
rockyou file (~14 millions passwords) for the default
salt.
It to...
CORRECTION
Default salt problem has been already
reported in bug #906550.
For our findings about Ubuntu, a new CVE
#2014-96...
CORRECTION
New file format for wrapped-passphrase file starts with
0x3a02.
Salt is generated from /etc/urandom/ and stored i...
CORRECTION
23
CONCLUSION
As soon as password is used for other
features it increases attack surface.
New key derivation functions could ...
25
JOHN THE RIPPER
eCryptfs:
$ ./john pass.txt
Loaded 1 password hash (eCryptfs [65536x SHA-512])
Will run 4 OpenMP threads
P...
JOHN THE RIPPER
Linux password:
$ ./john pass.txt
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 64/64
OpenSSL]...
Upcoming SlideShare
Loading in …5
×

WHEN FILE ENCRYPTION HELPS PASSWORD CRACKING

740 views

Published on

WHEN FILE ENCRYPTION HELPS PASSWORD CRACKING

Published in: Technology
  • Login to see the comments

WHEN FILE ENCRYPTION HELPS PASSWORD CRACKING

  1. 1. WHEN FILE ENCRYPTION HELPS PASSWORD CRACKING PHDays V Sylvain Pelissier, Roman Korkikian May 26, 2015
  2. 2. IN BRIEF Password hashing Password cracking eCryptfs presentation eCryptfs salting problem Correction Questions 2
  3. 3. PASSWORD HASHING 3
  4. 4. PASSWORD CRACKING From the hash recover the password value. 4
  5. 5. BRUTEFORCE 1. Get the hash file /etc/shadow 2. For all possible password, compute H(password) until a match is found in the file. 3. Output password 5
  6. 6. PRE-COMPUTED DICTIONNARY ATTACK 1. Create a database of all (password, H(password)). 2. To crack a given password hash, check if it is in the database. 3. Output the corresponding password 6
  7. 7. RAINBOW TABLE ATTACK Trade-off between computation and memory. 7
  8. 8. SALTING Compute H(salt||password) instead of H(password) and store both salt and hash. Make dictionary and rainbow table attacks much more difficult but not bruteforce attack. Salting is used in most modern systems i.e Linux uses 5000 iterations of SHA-512 with randomly generated salt. 8
  9. 9. PASSWORD CRACKING Well studied problem. Several optimized tools: John the ripper (www.openwall.com/john). hashcat (hashcat.net/oclhashcat). Password Hashing Competition (PHC) to select new password hashing algorithms (password-hashing.net). Hashrunner contest 9
  10. 10. ECRYPTFS File encryption software (ecryptfs.org). Included in the Linux Kernel. Used for user home folder encryption by Ubuntu. 10
  11. 11. ECRYPTFS UTILS 11
  12. 12. ECRYPTFS UTILS 1. During creation of the encrypted home folder, a passphrase (16 bytes by default) is randomly generated. 2. The passphrase is use for file encryption (AES by default). 3. The passphrase is stored encrypted in the file: /home/.ecrpytfs/$USER/.ecrpytfs/wrapped-passphrase 4. The process of passphrase encryption is called key wrapping. 12
  13. 13. KEY WRAPPING 13
  14. 14. KEY WRAPPING 14
  15. 15. KEY WRAPPING 15
  16. 16. KEY UNWRAPPING 16
  17. 17. ECRYPTFS DEFAULT SALT 1. eCryptfs uses a salt for the key wrapping process. 2. However, if not specified in the file ~/.ecryptfsrc, the salt has always the same value (0x0011223344556677) for every installations. 3. If the whole home folder is encrypted then it is not possible to use another salt value than default. 17
  18. 18. ECRYPTFS For simplicity, in Ubuntu, the wrapping password is directly the user password ! With the default salt, dictionary and rainbow table attacks against the user password are feasible with the wrapping key signature. 18
  19. 19. JOHN THE RIPPER eCryptfs signature cracking has been already implemented in John the ripper 1.8.0-jumbo: $ecryptfs$0$1$0011223344556677$21ff10301b5457e1 Python script ecryptfs2john.py exports the signature from the wrapped-passphrase file to John the ripper format. 19
  20. 20. RESULTS We computed a dictionary of key signatures of the rockyou file (~14 millions passwords) for the default salt. It took us one month on a standard computer. The dictionary can now be used to reverse a signature instantly. (Available at: https://github.com/kudelskisecurity) 20
  21. 21. CORRECTION Default salt problem has been already reported in bug #906550. For our findings about Ubuntu, a new CVE #2014-9687 was opened and quickly fixed by eCryptfs developers. 21
  22. 22. CORRECTION New file format for wrapped-passphrase file starts with 0x3a02. Salt is generated from /etc/urandom/ and stored in the same file by default Old version files are automatically converted after the update. Hashing speed makes it a less attractive target now for password cracking. JTR Python script updated to crack new file format. 22
  23. 23. CORRECTION 23
  24. 24. CONCLUSION As soon as password is used for other features it increases attack surface. New key derivation functions could be used in eCryptfs: PBKDF2 PHC candidates 24
  25. 25. 25
  26. 26. JOHN THE RIPPER eCryptfs: $ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort, almost any other key for status test (?) 1g 0:00:00:01 DONE 2/3 (2015-03-11 16:04) 0.6666g/s 149.3p/s 149.3c/s 149.3C/s lacrosse..topgun Use the "-show" option to display all of the cracked passwords reliably Session completed 26
  27. 27. JOHN THE RIPPER Linux password: $ ./john pass.txt Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 64/64 OpenSSL]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort, almost any other key for status 0g 0:00:00:03 2/3 0g/s 1771p/s 1771c/s 1771C/s Sandy..Mayday Session aborted 27

×