SlideShare a Scribd company logo
1 of 20
Download to read offline
EXPLOITING A SHA1
WEAKNESS IN
PASSWORD CRACKING
About me
2



       Name: Jens Steube
       Nick: atom
       Coding Projects:
           hashcat / oclHashcat
       Security Research:
           Searching for exploitable security holes in OSS and non-OSS Software
           Reported and worked together with the developers to fix them
           See Bugtraq / Debian Security Advisory
       Work Status: Employed as Coder, but not crypto- or security-relevant
       Weakness found in 1st quarter of 2011
What we should know about SHA1
3



       SHA1 is processed sequentially
           Each block of input data that is processed has a fixed size of 512 bit
           This block is represented as an array of sixteen 32-bit words
           We will call this array W[]

       The input data is expanded by another 2048 bits of data
           This expanded data is generated out of the input data
           We call this phase “Word-expansion”

       Both input and expanded data is used within 80 steps of SHA1 functions
           These steps and their inclusion of SHA1 specific function is the major part of SHA1
           We will not focus on them



                            Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
S H A 1 Tr a n s f o r m p e r I n s t r u c t i o n s
4



    Word-Expansion                              Instruction count                                             t
    XOR                                                                         3                       16 – 79
    ROTATE                                                                      1                       16 – 79

    SHA1 Steps                                  Instruction count                                             t
    SHA1 Step F1                                                                1                        0 – 19
    SHA1 Step F2                                                                2                       20 – 39
    SHA1 Step F3                                                                2                       40 – 59
    SHA1 Step F4                                                                2                       60 – 79

    Final Steps                                 Instruction count                                             t
    ADD                                                                         4                           80


                     Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
Word-Expansion
5



       Word-Expansion is a phase of the SHA1 transformation
       Its purpose is to generate a bigger volume of data out of the input data
       This is where the weakness is located in SHA1
       Input data is mixed up using the following set of logical instructions:
                W[t] = R((W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]), 1)
       W[0] .. W[15] is filled with the input data
       By iterating t from 16 to 79, 2048 additional bits are generated




                        Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
Word-Expansion, unrolled view
6


    W[16] = R((W[13] ^ W[ 8] ^ W[ 2] ^ W[ 0]), 1)                     W[30] = R((W[27] ^ W[22] ^ W[16] ^ W[14]), 1)
    W[17] = R((W[14] ^ W[ 9] ^ W[ 3] ^ W[ 1]), 1)                     W[31] = R((W[28] ^ W[23] ^ W[17] ^ W[15]), 1)
    W[18] = R((W[15] ^ W[10] ^ W[ 4] ^ W[ 2]), 1)                     W[32] = R((W[29] ^ W[24] ^ W[18] ^ W[16]), 1)
    W[19] = R((W[16] ^ W[11] ^ W[ 5] ^ W[ 3]), 1)                     W[33] = R((W[30] ^ W[25] ^ W[19] ^ W[17]), 1)

    W[20] = R((W[17] ^ W[12] ^ W[ 6] ^ W[ 4]), 1)                     W[34] = R((W[31] ^ W[26] ^ W[20] ^ W[18]), 1)

    W[21] = R((W[18] ^ W[13] ^ W[ 7] ^ W[ 5]), 1)                     W[35] = R((W[32] ^ W[27] ^ W[21] ^ W[19]), 1)

    W[22] = R((W[19] ^ W[14] ^ W[ 8] ^ W[ 6]), 1)                     W[36] = R((W[33] ^ W[28] ^ W[22] ^ W[20]), 1)

    W[23] = R((W[20] ^ W[15] ^ W[ 9] ^ W[ 7]), 1)                     W[37] = R((W[34] ^ W[29] ^ W[23] ^ W[21]), 1)

    W[24] = R((W[21] ^ W[16] ^ W[10] ^ W[ 8]), 1)                     W[38] = R((W[35] ^ W[30] ^ W[24] ^ W[22]), 1)

    W[25] = R((W[22] ^ W[17] ^ W[11] ^ W[ 9]), 1)                     W[39] = R((W[36] ^ W[31] ^ W[25] ^ W[23]), 1)

    W[26] = R((W[23] ^ W[18] ^ W[12] ^ W[10]), 1)                     W[40] = R((W[37] ^ W[32] ^ W[26] ^ W[24]), 1)

    W[27] = R((W[24] ^ W[19] ^ W[13] ^ W[11]), 1)                     W[41] = R((W[38] ^ W[33] ^ W[27] ^ W[25]), 1)

    W[28] = R((W[25] ^ W[20] ^ W[14] ^ W[12]), 1)                     …
    W[29] = R((W[26] ^ W[21] ^ W[15] ^ W[13]), 1)                     W[79] = R((W[76] ^ W[71] ^ W[65] ^ W[63]), 1)



                                Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
How to exploit this
7



       The password candidate generator needs to hold W[1]..W[15] fixed
       Outside the loop precompute W[16]..W[79] ignoring the unknown W[0]
           We call this precomputed buffer PW[]

       Inside the loop W[0] is changed
           Since the Word-Expansion process is using XOR, we can apply W[0] to the
            precomputed buffer at a later stage
           Using XOR is the root of the problem
           Logical instructions cannot overflow, but arithmetic ones can
           If the Word-Expansion had used ADD, it would have been impossible to exploit it
       When iterating W[0] changes is finished, W[1]..W[15] can be changed
       Restart the process with the next precomputed value of W[16]..W[79]

                           Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
PW[16]..PW[79] in the outer loop
8


    PW[16] = R(( W[13] ^   W[ 8] ^   W[ 2] ^    W[ 0]), 1)             PW[30] = R((PW[27] ^ PW[22] ^ PW[16] ^       W[14]), 1)
    PW[17] = R(( W[14] ^   W[ 9] ^   W[ 3] ^    W[ 1]), 1)             PW[31] = R((PW[28] ^ PW[23] ^ PW[17] ^       W[15]), 1)
    PW[18] = R(( W[15] ^   W[10] ^   W[ 4] ^    W[ 2]), 1)             PW[32] = R((PW[29] ^ PW[24] ^ PW[18] ^ PW[16]), 1)
    PW[19] = R((PW[16] ^   W[11] ^   W[ 5] ^    W[ 3]), 1)             PW[33] = R((PW[30] ^ PW[25] ^ PW[19] ^ PW[17]), 1)

    PW[20] = R((PW[17] ^   W[12] ^   W[ 6] ^    W[ 4]), 1)             PW[34] = R((PW[31] ^ PW[26] ^ PW[20] ^ PW[18]), 1)

    PW[21] = R((PW[18] ^   W[13] ^   W[ 7] ^    W[ 5]), 1)             PW[35] = R((PW[32] ^ PW[27] ^ PW[21] ^ PW[19]), 1)

    PW[22] = R((PW[19] ^   W[14] ^   W[ 8] ^    W[ 6]), 1)             PW[36] = R((PW[33] ^ PW[28] ^ PW[22] ^ PW[20]), 1)

    PW[23] = R((PW[20] ^   W[15] ^   W[ 9] ^    W[ 7]), 1)             PW[37] = R((PW[34] ^ PW[29] ^ PW[23] ^ PW[21]), 1)

    PW[24] = R((PW[21] ^ PW[16] ^    W[10] ^    W[ 8]), 1)             PW[38] = R((PW[35] ^ PW[30] ^ PW[24] ^ PW[22]), 1)

    PW[25] = R((PW[22] ^ PW[17] ^    W[11] ^    W[ 9]), 1)             PW[39] = R((PW[36] ^ PW[31] ^ PW[25] ^ PW[23]), 1)

    PW[26] = R((PW[23] ^ PW[18] ^    W[12] ^    W[10]), 1)             PW[40] = R((PW[37] ^ PW[32] ^ PW[26] ^ PW[24]), 1)

    PW[27] = R((PW[24] ^ PW[19] ^    W[13] ^    W[11]), 1)             PW[41] = R((PW[38] ^ PW[33] ^ PW[27] ^ PW[25]), 1)

    PW[28] = R((PW[25] ^ PW[20] ^    W[14] ^    W[12]), 1)             …
    PW[29] = R((PW[26] ^ PW[21] ^    W[15] ^    W[13]), 1)             PW[79] = R((PW[76] ^ PW[71] ^ PW[65] ^ PW[63]), 1)



                                 Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
W[0] in the inner loop
9


    W0_1 = R(W[0],   1)

    W0_2 = R(W[0],   2)
    …                                             For 1..20 compute R(W[0], i)
    W020 = R(W[0], 2 0)


    W[16] = R((W[13] ^ W[ 8] ^ W[ 2] ^ W[ 0]), 1) = PW[16] ^ W0_1

    W[17] = R((W[14] ^ W[ 9] ^ W[ 3] ^ W[ 1]), 1) = PW[17]
    W[18] = R((W[15] ^ W[10] ^ W[ 4] ^ W[ 2]), 1) = PW[18]
    W[19] = R((W[16] ^ W[11] ^ W[ 5] ^ W[ 3]), 1) = PW[19] ^ W0_2
    W[20] = R((W[17] ^ W[12] ^ W[ 6] ^ W[ 4]), 1) = PW[20]

    W[21] = R((W[18] ^ W[13] ^ W[ 7] ^ W[ 5]), 1) = PW[21]
    W[22] = R((W[19] ^ W[14] ^ W[ 8] ^ W[ 6]), 1) = PW[22] ^ W0_3
    W[23] = R((W[20] ^ W[15] ^ W[ 9] ^ W[ 7]), 1) = PW[23]
    W[24] = R((W[21] ^ W[16] ^ W[10] ^ W[ 8]), 1) = PW[24] ^ W0_2

    W[25] = R((W[22] ^ W[17] ^ W[11] ^ W[ 9]), 1) = PW[25] ^ W0_4

    W[26] = R((W[23] ^ W[18] ^ W[12] ^ W[10]), 1) = PW[26]



                                   Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
Word-Expansion using precompute
10


     …                                W[34] = PW[34] ^ W0_7
                                                                                                  < 4 operations
     W[30] = PW[30] ^ W0_4            W[35] = PW[35] ^ W0_4                                       = 4 operations
                    ^ W0_4                                ^ W0_3                                  > 4 operations
                    ^ W0_4                                ^ W0_4

                    ^ W0_2                                ^ W0_4                                 Number of Operations:
     W[31] = PW[31] ^ W0_6                                ^ W0_3

     W[32] = PW[32] ^ W0_3            W[36] = PW[36] ^ W0_4                                      W[16] = 1
                    ^ W0_2                                ^ W0_4                                 W[17] = 0
     W[33] = PW[33] ^ W0_5                                ^ W0_6                                 …
                    ^ W0_5                                ^ W0_6                                 W[33] = 6
                    ^ W0_5                                ^ W0_6                                 …
                    ^ W0_3                                ^ W0_6
                                                                                                 W[43] = 308
                    ^ W0_5                                ^ W0_6
                                                                                                 …
                    ^ W0_3                                ^ W0_4
                                                                                                 W[75] = 4703
                                                                                                 …

                             Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
What we should know about XOR
11




        XORing a value to itself, results in 0
        XORing a value with 0, results in the same value

     Conclusion:

        We can ignore many XOR operations in order to optimize the procedure
        We can do this if the sum of a specific value is even



     A Perl script to automate this process can be found in the link section


                         Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
Word-Expansion / XOR zeros
12



     W[41] = R((W[38]       ^    W[33]        ^     W[27]       ^      W[25]), 1)                                   W[41]   =
                                                                                                                   PW[41]   ^
                                                                                                                    W0_4    ^
               W[38]    =        W[33]    =        W[27] =           W[25] =                                        W0_4    ^
              PW[38]    ^       PW[33]    ^       PW[27] ^          PW[25] ^                                        W0_4    ^
               W0_5     ^        W0_5     ^        W0_3 ^            W0_4                                           W0_4    ^
               W0_5     ^        W0_5     ^        W0_3                                                             W0_4    ^
               W0_5     ^        W0_5     ^                                                         +1              W0_4    ^
               W0_4     ^        W0_3     ^                                                                         W0_5    ^
               W0_4     ^        W0_5     ^                                                                         W0_5    ^
               W0_5     ^        W0_3                                                                               W0_5    ^
               W0_5     ^                                                                                           W0_5    ^
               W0_5     ^                                                                                           W0_6    ^
               W0_3     ^                                                                                           W0_6    ^
               W0_3     ^                                                                                           W0_6    ^
               W0_4                                                                                                 W0_6    ^
                                                                                                                    W0_6    ^
                                                                                                                    W0_6    ^
                                                                                                                    W0_6    ^
                            W[41] = PW[41]
                                                                                                                    W0_6    ^
                                                                                                                    W0_6    ^
                                Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
                                                                                                                    W0_6
Word-Expansion / XOR groups
13



     …
     W[36] = PW[36] ^ W0_6 ^ W0_4
     W[51] = PW[51] ^ W0_6 ^ W0_4
     W[62] = PW[62] ^ W0_6 ^ W0_4 ^ W012 ^ W0_8
     …



     const int W0_6___W0_4 = W0_6 ^ W0_4



     …
     W[36] = PW[36] ^ W0_6___W0_4
     W[51] = PW[51] ^ W0_6___W0_4
     W[62] = PW[62] ^ W0_6___W0_4 ^ W012 ^ W0_8
     …


                         Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
Final optimized Word-Expansion
14




     Reference Impl.                                                                Optimized Impl.
     W[16] = R((W[13] ^ W[ 8] ^ W[ 2] ^ W[ 0]), 1)                                  W[16] = PW[16] ^ W0_1
     W[17] = R((W[14] ^ W[ 9] ^ W[ 3] ^ W[ 1]), 1)                                  W[17] = PW[17]
     W[18] = R((W[15] ^ W[10] ^ W[ 4] ^ W[ 2]), 1)                                  W[18] = PW[18]
     W[19] = R((W[16] ^ W[11] ^ W[ 5] ^ W[ 3]), 1)                                  W[19] = PW[19] ^ W0_2
     W[20] = R((W[17] ^ W[12] ^ W[ 6] ^ W[ 4]), 1)                                  W[20] = PW[20]
     W[21] = R((W[18] ^ W[13] ^ W[ 7] ^ W[ 5]), 1)                                  W[21] = PW[21]
     W[22] = R((W[19] ^ W[14] ^ W[ 8] ^ W[ 6]), 1)                                  W[22] = PW[22] ^ W0_3
     W[23] = R((W[20] ^ W[15] ^ W[ 9] ^ W[ 7]), 1)                                  W[23] = PW[23]

     W[24] = R((W[21] ^ W[16] ^ W[10] ^ W[ 8]), 1)                                  W[24] = PW[24] ^ W0_2
     W[25] = R((W[22] ^ W[17] ^ W[11] ^ W[ 9]), 1)                                  W[25] = PW[25] ^ W0_4
     W[26] = R((W[23] ^ W[18] ^ W[12] ^ W[10]), 1)                                  W[26] = PW[26]
     W[27] = R((W[24] ^ W[19] ^ W[13] ^ W[11]), 1)                                  W[27] = PW[27]
     W[28] = R((W[25] ^ W[20] ^ W[14] ^ W[12]), 1)                                  W[28] = PW[28] ^ W0_5
     W[29] = R((W[26] ^ W[21] ^ W[15] ^ W[13]), 1)                                  W[29] = PW[29]
     W[30] = R((W[27] ^ W[22] ^ W[16] ^ W[14]), 1)                                  W[30] = PW[30] ^ W0_4 ^ W0_2




                                        Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
SHA1 instruction count;
     Unoptimized
15



     Section                                    Instruction count                                              t
     Word-Expansion                                                         256                          16 – 79
     SHA1 Step F1                                                           140                           0 – 19
     SHA1 Step F2                                                           160                          20 – 39
     SHA1 Step F3                                                           160                          40 – 59
     SHA1 Step F4                                                           160                          60 – 79
     Final Add                                                                  4                            80




     Total                                                                 880



                      Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
SHA1 instruction count;
     Known optimizations
16



     Section                                    Instruction count                                              t
     Word-Expansion                                                         240                          16 – 75
     SHA1 Step F1                                                           140                           0 – 19
     SHA1 Step F2                                                           160                          20 – 39
     SHA1 Step F3                                                           160                          40 – 59
     SHA1 Step F4                                                           128                          60 – 75




     Total                                                                 828



                      Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
SHA1 instruction count;
     Exploiting SHA1‘s XOR weakness
17



     Section                                    Instruction count                                              t
     Word-Expansion                                                         106                          16 – 75
     SHA1 Step F1                                                           140                           0 – 19
     SHA1 Step F2                                                           160                          20 – 39
     SHA1 Step F3                                                           160                          40 – 59
     SHA1 Step F4                                                           128                          60 – 75




     Total                                                                 694



                      Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
Final comparision
18



     Section                                       Instruction count                                        Optimization
     Unoptimized                                                               880                                  0%
     - Known optimizations                                                     828                                 5.1 %
     - This weakness, exploited                                                694
                                                                                                            21.1 %




                         Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking   4. De c 2012
Files for download
19



     Download here: https://hashcat.net/p12/


           This presentation
           XORzero generator Perl script
           Full code results from slides
Questions?
20



     Feel free to contact me!


           via Twitter: @hashcat
           via Hashcat Forum: https://hashcat.net/forum/
           via IRC: Freenode #hashcat
           via Email: atom at hashcat.net

More Related Content

What's hot

Shuwang Li Moving Interface Modeling and Computation
Shuwang Li Moving Interface Modeling and ComputationShuwang Li Moving Interface Modeling and Computation
Shuwang Li Moving Interface Modeling and ComputationSciCompIIT
 
linear transfermation.pptx
linear transfermation.pptxlinear transfermation.pptx
linear transfermation.pptxUmme habiba
 
19 prim,kruskal alg. in data structure
19 prim,kruskal alg. in data structure19 prim,kruskal alg. in data structure
19 prim,kruskal alg. in data structureEMEY GUJJAR
 
Gwt presen alsip-20111201
Gwt presen alsip-20111201Gwt presen alsip-20111201
Gwt presen alsip-20111201Yasuo Tabei
 
Day 3 vectors worked
Day 3   vectors workedDay 3   vectors worked
Day 3 vectors workedJonna Ramsey
 
Bellman-Ford-Moore Algorithm and Dijkstra’s Algorithm
Bellman-Ford-Moore Algorithm and Dijkstra’s AlgorithmBellman-Ford-Moore Algorithm and Dijkstra’s Algorithm
Bellman-Ford-Moore Algorithm and Dijkstra’s AlgorithmFulvio Corno
 
PR 113: The Perception Distortion Tradeoff
PR 113: The Perception Distortion TradeoffPR 113: The Perception Distortion Tradeoff
PR 113: The Perception Distortion TradeoffTaeoh Kim
 
The LCA problem revisited
The LCA problem revisitedThe LCA problem revisited
The LCA problem revisitedMinsung Hong
 
Laplace transforms and problems
Laplace transforms and problemsLaplace transforms and problems
Laplace transforms and problemsVishnu V
 
linear transformation and rank nullity theorem
linear transformation and rank nullity theorem linear transformation and rank nullity theorem
linear transformation and rank nullity theorem Manthan Chavda
 
Linear transformation.ppt
Linear transformation.pptLinear transformation.ppt
Linear transformation.pptRaj Parekh
 
Vcla.ppt COMPOSITION OF LINEAR TRANSFORMATION KERNEL AND RANGE OF LINEAR TR...
Vcla.ppt COMPOSITION OF LINEAR TRANSFORMATION   KERNEL AND RANGE OF LINEAR TR...Vcla.ppt COMPOSITION OF LINEAR TRANSFORMATION   KERNEL AND RANGE OF LINEAR TR...
Vcla.ppt COMPOSITION OF LINEAR TRANSFORMATION KERNEL AND RANGE OF LINEAR TR...Sukhvinder Singh
 
linear tranformation- VC&LA
linear tranformation- VC&LAlinear tranformation- VC&LA
linear tranformation- VC&LAKaushal Patel
 
2.4 mst prim &kruskal demo
2.4 mst  prim &kruskal demo2.4 mst  prim &kruskal demo
2.4 mst prim &kruskal demoKrish_ver2
 

What's hot (20)

MA1001 NTU Tutorial Solutions
MA1001 NTU Tutorial SolutionsMA1001 NTU Tutorial Solutions
MA1001 NTU Tutorial Solutions
 
Data Structure Sorting
Data Structure SortingData Structure Sorting
Data Structure Sorting
 
Shuwang Li Moving Interface Modeling and Computation
Shuwang Li Moving Interface Modeling and ComputationShuwang Li Moving Interface Modeling and Computation
Shuwang Li Moving Interface Modeling and Computation
 
6.queue
6.queue6.queue
6.queue
 
Vcla 1
Vcla 1Vcla 1
Vcla 1
 
19 primkruskal
19 primkruskal19 primkruskal
19 primkruskal
 
linear transfermation.pptx
linear transfermation.pptxlinear transfermation.pptx
linear transfermation.pptx
 
19 prim,kruskal alg. in data structure
19 prim,kruskal alg. in data structure19 prim,kruskal alg. in data structure
19 prim,kruskal alg. in data structure
 
Gwt presen alsip-20111201
Gwt presen alsip-20111201Gwt presen alsip-20111201
Gwt presen alsip-20111201
 
Day 3 vectors worked
Day 3   vectors workedDay 3   vectors worked
Day 3 vectors worked
 
Bellman-Ford-Moore Algorithm and Dijkstra’s Algorithm
Bellman-Ford-Moore Algorithm and Dijkstra’s AlgorithmBellman-Ford-Moore Algorithm and Dijkstra’s Algorithm
Bellman-Ford-Moore Algorithm and Dijkstra’s Algorithm
 
PR 113: The Perception Distortion Tradeoff
PR 113: The Perception Distortion TradeoffPR 113: The Perception Distortion Tradeoff
PR 113: The Perception Distortion Tradeoff
 
The LCA problem revisited
The LCA problem revisitedThe LCA problem revisited
The LCA problem revisited
 
Laplace transforms and problems
Laplace transforms and problemsLaplace transforms and problems
Laplace transforms and problems
 
linear transformation and rank nullity theorem
linear transformation and rank nullity theorem linear transformation and rank nullity theorem
linear transformation and rank nullity theorem
 
Linear transformation.ppt
Linear transformation.pptLinear transformation.ppt
Linear transformation.ppt
 
Vcla.ppt COMPOSITION OF LINEAR TRANSFORMATION KERNEL AND RANGE OF LINEAR TR...
Vcla.ppt COMPOSITION OF LINEAR TRANSFORMATION   KERNEL AND RANGE OF LINEAR TR...Vcla.ppt COMPOSITION OF LINEAR TRANSFORMATION   KERNEL AND RANGE OF LINEAR TR...
Vcla.ppt COMPOSITION OF LINEAR TRANSFORMATION KERNEL AND RANGE OF LINEAR TR...
 
linear tranformation- VC&LA
linear tranformation- VC&LAlinear tranformation- VC&LA
linear tranformation- VC&LA
 
Laplace transformation
Laplace transformationLaplace transformation
Laplace transformation
 
2.4 mst prim &kruskal demo
2.4 mst  prim &kruskal demo2.4 mst  prim &kruskal demo
2.4 mst prim &kruskal demo
 

Viewers also liked

SHA Spring 1 2010
SHA Spring 1 2010SHA Spring 1 2010
SHA Spring 1 2010sihamilton
 
SHA-1 OFFICIAL DEAD: Authenticity Challenge in Electronic Evidence Cases
SHA-1 OFFICIAL DEAD: Authenticity Challenge in Electronic Evidence CasesSHA-1 OFFICIAL DEAD: Authenticity Challenge in Electronic Evidence Cases
SHA-1 OFFICIAL DEAD: Authenticity Challenge in Electronic Evidence CasesNeeraj Aarora
 
Pixel Presentation
Pixel PresentationPixel Presentation
Pixel PresentationTodd Gregory
 

Viewers also liked (6)

sh[1]
sh[1]sh[1]
sh[1]
 
SHA Spring 1 2010
SHA Spring 1 2010SHA Spring 1 2010
SHA Spring 1 2010
 
SHA-1 OFFICIAL DEAD: Authenticity Challenge in Electronic Evidence Cases
SHA-1 OFFICIAL DEAD: Authenticity Challenge in Electronic Evidence CasesSHA-1 OFFICIAL DEAD: Authenticity Challenge in Electronic Evidence Cases
SHA-1 OFFICIAL DEAD: Authenticity Challenge in Electronic Evidence Cases
 
Pixel Presentation
Pixel PresentationPixel Presentation
Pixel Presentation
 
Sha-1 Collision
Sha-1 CollisionSha-1 Collision
Sha-1 Collision
 
Secure Hash Algorithm
Secure Hash AlgorithmSecure Hash Algorithm
Secure Hash Algorithm
 

Similar to SHA1 weakness

MMAC presentation 16_09_20_20_41.pptx
MMAC presentation 16_09_20_20_41.pptxMMAC presentation 16_09_20_20_41.pptx
MMAC presentation 16_09_20_20_41.pptxJuber33
 
Presentation1 yash maths
Presentation1 yash mathsPresentation1 yash maths
Presentation1 yash mathsyash bhathawala
 
Mat 223_Ch4-VectorSpaces.ppt
Mat 223_Ch4-VectorSpaces.pptMat 223_Ch4-VectorSpaces.ppt
Mat 223_Ch4-VectorSpaces.pptabidraufv
 
Hawkinrad a source_notes ii _secured
Hawkinrad a source_notes ii _securedHawkinrad a source_notes ii _secured
Hawkinrad a source_notes ii _securedfoxtrot jp R
 
X10658(ma8352)
X10658(ma8352)X10658(ma8352)
X10658(ma8352)Raj Kumar
 
linear-transformations-2017-03-19-14-38-49.pdf
linear-transformations-2017-03-19-14-38-49.pdflinear-transformations-2017-03-19-14-38-49.pdf
linear-transformations-2017-03-19-14-38-49.pdfBinitAgarwala3
 
SIAM SEAS Talk Slides
SIAM SEAS Talk SlidesSIAM SEAS Talk Slides
SIAM SEAS Talk SlidesRyan White
 
Data Structure and Algorithms Graphs
Data Structure and Algorithms GraphsData Structure and Algorithms Graphs
Data Structure and Algorithms GraphsManishPrajapati78
 
It elective-4-buendia lagua
It elective-4-buendia laguaIt elective-4-buendia lagua
It elective-4-buendia laguaJohn Mark Lagua
 
8 Continuous-Time Fourier Transform Solutions To Recommended Problems
8 Continuous-Time Fourier Transform Solutions To Recommended Problems8 Continuous-Time Fourier Transform Solutions To Recommended Problems
8 Continuous-Time Fourier Transform Solutions To Recommended ProblemsSara Alvarez
 
L 32(nkd)(et) ((ee)nptel)
L 32(nkd)(et) ((ee)nptel)L 32(nkd)(et) ((ee)nptel)
L 32(nkd)(et) ((ee)nptel)sairoopareddy
 

Similar to SHA1 weakness (20)

Lob management
Lob managementLob management
Lob management
 
Vector space
Vector spaceVector space
Vector space
 
14 mecv14 dvd
14 mecv14 dvd14 mecv14 dvd
14 mecv14 dvd
 
MMAC presentation 16_09_20_20_41.pptx
MMAC presentation 16_09_20_20_41.pptxMMAC presentation 16_09_20_20_41.pptx
MMAC presentation 16_09_20_20_41.pptx
 
Presentation1 yash maths
Presentation1 yash mathsPresentation1 yash maths
Presentation1 yash maths
 
Laplace transforms
Laplace transformsLaplace transforms
Laplace transforms
 
Mat 223_Ch4-VectorSpaces.ppt
Mat 223_Ch4-VectorSpaces.pptMat 223_Ch4-VectorSpaces.ppt
Mat 223_Ch4-VectorSpaces.ppt
 
Hawkinrad a source_notes ii _secured
Hawkinrad a source_notes ii _securedHawkinrad a source_notes ii _secured
Hawkinrad a source_notes ii _secured
 
Ch4
Ch4Ch4
Ch4
 
X10658(ma8352)
X10658(ma8352)X10658(ma8352)
X10658(ma8352)
 
linear-transformations-2017-03-19-14-38-49.pdf
linear-transformations-2017-03-19-14-38-49.pdflinear-transformations-2017-03-19-14-38-49.pdf
linear-transformations-2017-03-19-14-38-49.pdf
 
multiple intrigral lit
multiple intrigral litmultiple intrigral lit
multiple intrigral lit
 
SIAM SEAS Talk Slides
SIAM SEAS Talk SlidesSIAM SEAS Talk Slides
SIAM SEAS Talk Slides
 
Data Structure and Algorithms Graphs
Data Structure and Algorithms GraphsData Structure and Algorithms Graphs
Data Structure and Algorithms Graphs
 
It elective-4-buendia lagua
It elective-4-buendia laguaIt elective-4-buendia lagua
It elective-4-buendia lagua
 
Direct current machine
Direct current machineDirect current machine
Direct current machine
 
Laplace_1.ppt
Laplace_1.pptLaplace_1.ppt
Laplace_1.ppt
 
8 Continuous-Time Fourier Transform Solutions To Recommended Problems
8 Continuous-Time Fourier Transform Solutions To Recommended Problems8 Continuous-Time Fourier Transform Solutions To Recommended Problems
8 Continuous-Time Fourier Transform Solutions To Recommended Problems
 
L 32(nkd)(et) ((ee)nptel)
L 32(nkd)(et) ((ee)nptel)L 32(nkd)(et) ((ee)nptel)
L 32(nkd)(et) ((ee)nptel)
 
space-time diagram(final)
space-time diagram(final)space-time diagram(final)
space-time diagram(final)
 

More from cnpo

защита виртуальных сред с помощью сдз Rev01 (short)
защита виртуальных сред с помощью сдз Rev01 (short)защита виртуальных сред с помощью сдз Rev01 (short)
защита виртуальных сред с помощью сдз Rev01 (short)cnpo
 
титов российские Siem системы миф или реальность v03
титов российские Siem системы миф или реальность v03титов российские Siem системы миф или реальность v03
титов российские Siem системы миф или реальность v03cnpo
 
Net graph
Net graphNet graph
Net graphcnpo
 
Net topology
Net topology Net topology
Net topology cnpo
 
Russian information security market
Russian information security marketRussian information security market
Russian information security marketcnpo
 
Certification
CertificationCertification
Certificationcnpo
 
Politics
PoliticsPolitics
Politicscnpo
 
Siem
SiemSiem
Siemcnpo
 
Licensing
LicensingLicensing
Licensingcnpo
 
Certification
CertificationCertification
Certificationcnpo
 
P dn docs
P dn docsP dn docs
P dn docscnpo
 
Social engineering
Social engineeringSocial engineering
Social engineeringcnpo
 
Audit intro
Audit introAudit intro
Audit introcnpo
 
Rubicon
RubiconRubicon
Rubiconcnpo
 
Вопросы комплексной защиты информации от программно-аппаратных воздействий в ...
Вопросы комплексной защиты информации от программно-аппаратных воздействий в ...Вопросы комплексной защиты информации от программно-аппаратных воздействий в ...
Вопросы комплексной защиты информации от программно-аппаратных воздействий в ...cnpo
 
Фундамент открытого кода: построение защищенных систем и аудит их безопасности
Фундамент открытого кода: построение защищенных систем и аудит их безопасностиФундамент открытого кода: построение защищенных систем и аудит их безопасности
Фундамент открытого кода: построение защищенных систем и аудит их безопасностиcnpo
 
Сканер-ВС. Сертифицированный инструмент для этичного хакера
Сканер-ВС. Сертифицированный инструмент для этичного хакераСканер-ВС. Сертифицированный инструмент для этичного хакера
Сканер-ВС. Сертифицированный инструмент для этичного хакераcnpo
 
МЭ и СОВ Рубикон
МЭ и СОВ РубиконМЭ и СОВ Рубикон
МЭ и СОВ Рубиконcnpo
 
Почему нужна лицензия
Почему нужна лицензияПочему нужна лицензия
Почему нужна лицензияcnpo
 
Политики ИБ
Политики ИБПолитики ИБ
Политики ИБcnpo
 

More from cnpo (20)

защита виртуальных сред с помощью сдз Rev01 (short)
защита виртуальных сред с помощью сдз Rev01 (short)защита виртуальных сред с помощью сдз Rev01 (short)
защита виртуальных сред с помощью сдз Rev01 (short)
 
титов российские Siem системы миф или реальность v03
титов российские Siem системы миф или реальность v03титов российские Siem системы миф или реальность v03
титов российские Siem системы миф или реальность v03
 
Net graph
Net graphNet graph
Net graph
 
Net topology
Net topology Net topology
Net topology
 
Russian information security market
Russian information security marketRussian information security market
Russian information security market
 
Certification
CertificationCertification
Certification
 
Politics
PoliticsPolitics
Politics
 
Siem
SiemSiem
Siem
 
Licensing
LicensingLicensing
Licensing
 
Certification
CertificationCertification
Certification
 
P dn docs
P dn docsP dn docs
P dn docs
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Audit intro
Audit introAudit intro
Audit intro
 
Rubicon
RubiconRubicon
Rubicon
 
Вопросы комплексной защиты информации от программно-аппаратных воздействий в ...
Вопросы комплексной защиты информации от программно-аппаратных воздействий в ...Вопросы комплексной защиты информации от программно-аппаратных воздействий в ...
Вопросы комплексной защиты информации от программно-аппаратных воздействий в ...
 
Фундамент открытого кода: построение защищенных систем и аудит их безопасности
Фундамент открытого кода: построение защищенных систем и аудит их безопасностиФундамент открытого кода: построение защищенных систем и аудит их безопасности
Фундамент открытого кода: построение защищенных систем и аудит их безопасности
 
Сканер-ВС. Сертифицированный инструмент для этичного хакера
Сканер-ВС. Сертифицированный инструмент для этичного хакераСканер-ВС. Сертифицированный инструмент для этичного хакера
Сканер-ВС. Сертифицированный инструмент для этичного хакера
 
МЭ и СОВ Рубикон
МЭ и СОВ РубиконМЭ и СОВ Рубикон
МЭ и СОВ Рубикон
 
Почему нужна лицензия
Почему нужна лицензияПочему нужна лицензия
Почему нужна лицензия
 
Политики ИБ
Политики ИБПолитики ИБ
Политики ИБ
 

Recently uploaded

KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitolTechU
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 

Recently uploaded (20)

KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 

SHA1 weakness

  • 1. EXPLOITING A SHA1 WEAKNESS IN PASSWORD CRACKING
  • 2. About me 2  Name: Jens Steube  Nick: atom  Coding Projects:  hashcat / oclHashcat  Security Research:  Searching for exploitable security holes in OSS and non-OSS Software  Reported and worked together with the developers to fix them  See Bugtraq / Debian Security Advisory  Work Status: Employed as Coder, but not crypto- or security-relevant  Weakness found in 1st quarter of 2011
  • 3. What we should know about SHA1 3  SHA1 is processed sequentially  Each block of input data that is processed has a fixed size of 512 bit  This block is represented as an array of sixteen 32-bit words  We will call this array W[]  The input data is expanded by another 2048 bits of data  This expanded data is generated out of the input data  We call this phase “Word-expansion”  Both input and expanded data is used within 80 steps of SHA1 functions  These steps and their inclusion of SHA1 specific function is the major part of SHA1  We will not focus on them Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 4. S H A 1 Tr a n s f o r m p e r I n s t r u c t i o n s 4 Word-Expansion Instruction count t XOR 3 16 – 79 ROTATE 1 16 – 79 SHA1 Steps Instruction count t SHA1 Step F1 1 0 – 19 SHA1 Step F2 2 20 – 39 SHA1 Step F3 2 40 – 59 SHA1 Step F4 2 60 – 79 Final Steps Instruction count t ADD 4 80 Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 5. Word-Expansion 5  Word-Expansion is a phase of the SHA1 transformation  Its purpose is to generate a bigger volume of data out of the input data  This is where the weakness is located in SHA1  Input data is mixed up using the following set of logical instructions: W[t] = R((W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]), 1)  W[0] .. W[15] is filled with the input data  By iterating t from 16 to 79, 2048 additional bits are generated Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 6. Word-Expansion, unrolled view 6 W[16] = R((W[13] ^ W[ 8] ^ W[ 2] ^ W[ 0]), 1) W[30] = R((W[27] ^ W[22] ^ W[16] ^ W[14]), 1) W[17] = R((W[14] ^ W[ 9] ^ W[ 3] ^ W[ 1]), 1) W[31] = R((W[28] ^ W[23] ^ W[17] ^ W[15]), 1) W[18] = R((W[15] ^ W[10] ^ W[ 4] ^ W[ 2]), 1) W[32] = R((W[29] ^ W[24] ^ W[18] ^ W[16]), 1) W[19] = R((W[16] ^ W[11] ^ W[ 5] ^ W[ 3]), 1) W[33] = R((W[30] ^ W[25] ^ W[19] ^ W[17]), 1) W[20] = R((W[17] ^ W[12] ^ W[ 6] ^ W[ 4]), 1) W[34] = R((W[31] ^ W[26] ^ W[20] ^ W[18]), 1) W[21] = R((W[18] ^ W[13] ^ W[ 7] ^ W[ 5]), 1) W[35] = R((W[32] ^ W[27] ^ W[21] ^ W[19]), 1) W[22] = R((W[19] ^ W[14] ^ W[ 8] ^ W[ 6]), 1) W[36] = R((W[33] ^ W[28] ^ W[22] ^ W[20]), 1) W[23] = R((W[20] ^ W[15] ^ W[ 9] ^ W[ 7]), 1) W[37] = R((W[34] ^ W[29] ^ W[23] ^ W[21]), 1) W[24] = R((W[21] ^ W[16] ^ W[10] ^ W[ 8]), 1) W[38] = R((W[35] ^ W[30] ^ W[24] ^ W[22]), 1) W[25] = R((W[22] ^ W[17] ^ W[11] ^ W[ 9]), 1) W[39] = R((W[36] ^ W[31] ^ W[25] ^ W[23]), 1) W[26] = R((W[23] ^ W[18] ^ W[12] ^ W[10]), 1) W[40] = R((W[37] ^ W[32] ^ W[26] ^ W[24]), 1) W[27] = R((W[24] ^ W[19] ^ W[13] ^ W[11]), 1) W[41] = R((W[38] ^ W[33] ^ W[27] ^ W[25]), 1) W[28] = R((W[25] ^ W[20] ^ W[14] ^ W[12]), 1) … W[29] = R((W[26] ^ W[21] ^ W[15] ^ W[13]), 1) W[79] = R((W[76] ^ W[71] ^ W[65] ^ W[63]), 1) Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 7. How to exploit this 7  The password candidate generator needs to hold W[1]..W[15] fixed  Outside the loop precompute W[16]..W[79] ignoring the unknown W[0]  We call this precomputed buffer PW[]  Inside the loop W[0] is changed  Since the Word-Expansion process is using XOR, we can apply W[0] to the precomputed buffer at a later stage  Using XOR is the root of the problem  Logical instructions cannot overflow, but arithmetic ones can  If the Word-Expansion had used ADD, it would have been impossible to exploit it  When iterating W[0] changes is finished, W[1]..W[15] can be changed  Restart the process with the next precomputed value of W[16]..W[79] Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 8. PW[16]..PW[79] in the outer loop 8 PW[16] = R(( W[13] ^ W[ 8] ^ W[ 2] ^ W[ 0]), 1) PW[30] = R((PW[27] ^ PW[22] ^ PW[16] ^ W[14]), 1) PW[17] = R(( W[14] ^ W[ 9] ^ W[ 3] ^ W[ 1]), 1) PW[31] = R((PW[28] ^ PW[23] ^ PW[17] ^ W[15]), 1) PW[18] = R(( W[15] ^ W[10] ^ W[ 4] ^ W[ 2]), 1) PW[32] = R((PW[29] ^ PW[24] ^ PW[18] ^ PW[16]), 1) PW[19] = R((PW[16] ^ W[11] ^ W[ 5] ^ W[ 3]), 1) PW[33] = R((PW[30] ^ PW[25] ^ PW[19] ^ PW[17]), 1) PW[20] = R((PW[17] ^ W[12] ^ W[ 6] ^ W[ 4]), 1) PW[34] = R((PW[31] ^ PW[26] ^ PW[20] ^ PW[18]), 1) PW[21] = R((PW[18] ^ W[13] ^ W[ 7] ^ W[ 5]), 1) PW[35] = R((PW[32] ^ PW[27] ^ PW[21] ^ PW[19]), 1) PW[22] = R((PW[19] ^ W[14] ^ W[ 8] ^ W[ 6]), 1) PW[36] = R((PW[33] ^ PW[28] ^ PW[22] ^ PW[20]), 1) PW[23] = R((PW[20] ^ W[15] ^ W[ 9] ^ W[ 7]), 1) PW[37] = R((PW[34] ^ PW[29] ^ PW[23] ^ PW[21]), 1) PW[24] = R((PW[21] ^ PW[16] ^ W[10] ^ W[ 8]), 1) PW[38] = R((PW[35] ^ PW[30] ^ PW[24] ^ PW[22]), 1) PW[25] = R((PW[22] ^ PW[17] ^ W[11] ^ W[ 9]), 1) PW[39] = R((PW[36] ^ PW[31] ^ PW[25] ^ PW[23]), 1) PW[26] = R((PW[23] ^ PW[18] ^ W[12] ^ W[10]), 1) PW[40] = R((PW[37] ^ PW[32] ^ PW[26] ^ PW[24]), 1) PW[27] = R((PW[24] ^ PW[19] ^ W[13] ^ W[11]), 1) PW[41] = R((PW[38] ^ PW[33] ^ PW[27] ^ PW[25]), 1) PW[28] = R((PW[25] ^ PW[20] ^ W[14] ^ W[12]), 1) … PW[29] = R((PW[26] ^ PW[21] ^ W[15] ^ W[13]), 1) PW[79] = R((PW[76] ^ PW[71] ^ PW[65] ^ PW[63]), 1) Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 9. W[0] in the inner loop 9 W0_1 = R(W[0], 1) W0_2 = R(W[0], 2) … For 1..20 compute R(W[0], i) W020 = R(W[0], 2 0) W[16] = R((W[13] ^ W[ 8] ^ W[ 2] ^ W[ 0]), 1) = PW[16] ^ W0_1 W[17] = R((W[14] ^ W[ 9] ^ W[ 3] ^ W[ 1]), 1) = PW[17] W[18] = R((W[15] ^ W[10] ^ W[ 4] ^ W[ 2]), 1) = PW[18] W[19] = R((W[16] ^ W[11] ^ W[ 5] ^ W[ 3]), 1) = PW[19] ^ W0_2 W[20] = R((W[17] ^ W[12] ^ W[ 6] ^ W[ 4]), 1) = PW[20] W[21] = R((W[18] ^ W[13] ^ W[ 7] ^ W[ 5]), 1) = PW[21] W[22] = R((W[19] ^ W[14] ^ W[ 8] ^ W[ 6]), 1) = PW[22] ^ W0_3 W[23] = R((W[20] ^ W[15] ^ W[ 9] ^ W[ 7]), 1) = PW[23] W[24] = R((W[21] ^ W[16] ^ W[10] ^ W[ 8]), 1) = PW[24] ^ W0_2 W[25] = R((W[22] ^ W[17] ^ W[11] ^ W[ 9]), 1) = PW[25] ^ W0_4 W[26] = R((W[23] ^ W[18] ^ W[12] ^ W[10]), 1) = PW[26] Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 10. Word-Expansion using precompute 10 … W[34] = PW[34] ^ W0_7 < 4 operations W[30] = PW[30] ^ W0_4 W[35] = PW[35] ^ W0_4 = 4 operations ^ W0_4 ^ W0_3 > 4 operations ^ W0_4 ^ W0_4 ^ W0_2 ^ W0_4 Number of Operations: W[31] = PW[31] ^ W0_6 ^ W0_3 W[32] = PW[32] ^ W0_3 W[36] = PW[36] ^ W0_4 W[16] = 1 ^ W0_2 ^ W0_4 W[17] = 0 W[33] = PW[33] ^ W0_5 ^ W0_6 … ^ W0_5 ^ W0_6 W[33] = 6 ^ W0_5 ^ W0_6 … ^ W0_3 ^ W0_6 W[43] = 308 ^ W0_5 ^ W0_6 … ^ W0_3 ^ W0_4 W[75] = 4703 … Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 11. What we should know about XOR 11  XORing a value to itself, results in 0  XORing a value with 0, results in the same value Conclusion:  We can ignore many XOR operations in order to optimize the procedure  We can do this if the sum of a specific value is even A Perl script to automate this process can be found in the link section Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 12. Word-Expansion / XOR zeros 12 W[41] = R((W[38] ^ W[33] ^ W[27] ^ W[25]), 1) W[41] = PW[41] ^ W0_4 ^ W[38] = W[33] = W[27] = W[25] = W0_4 ^ PW[38] ^ PW[33] ^ PW[27] ^ PW[25] ^ W0_4 ^ W0_5 ^ W0_5 ^ W0_3 ^ W0_4 W0_4 ^ W0_5 ^ W0_5 ^ W0_3 W0_4 ^ W0_5 ^ W0_5 ^ +1 W0_4 ^ W0_4 ^ W0_3 ^ W0_5 ^ W0_4 ^ W0_5 ^ W0_5 ^ W0_5 ^ W0_3 W0_5 ^ W0_5 ^ W0_5 ^ W0_5 ^ W0_6 ^ W0_3 ^ W0_6 ^ W0_3 ^ W0_6 ^ W0_4 W0_6 ^ W0_6 ^ W0_6 ^ W0_6 ^ W[41] = PW[41] W0_6 ^ W0_6 ^ Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012 W0_6
  • 13. Word-Expansion / XOR groups 13 … W[36] = PW[36] ^ W0_6 ^ W0_4 W[51] = PW[51] ^ W0_6 ^ W0_4 W[62] = PW[62] ^ W0_6 ^ W0_4 ^ W012 ^ W0_8 … const int W0_6___W0_4 = W0_6 ^ W0_4 … W[36] = PW[36] ^ W0_6___W0_4 W[51] = PW[51] ^ W0_6___W0_4 W[62] = PW[62] ^ W0_6___W0_4 ^ W012 ^ W0_8 … Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 14. Final optimized Word-Expansion 14 Reference Impl. Optimized Impl. W[16] = R((W[13] ^ W[ 8] ^ W[ 2] ^ W[ 0]), 1) W[16] = PW[16] ^ W0_1 W[17] = R((W[14] ^ W[ 9] ^ W[ 3] ^ W[ 1]), 1) W[17] = PW[17] W[18] = R((W[15] ^ W[10] ^ W[ 4] ^ W[ 2]), 1) W[18] = PW[18] W[19] = R((W[16] ^ W[11] ^ W[ 5] ^ W[ 3]), 1) W[19] = PW[19] ^ W0_2 W[20] = R((W[17] ^ W[12] ^ W[ 6] ^ W[ 4]), 1) W[20] = PW[20] W[21] = R((W[18] ^ W[13] ^ W[ 7] ^ W[ 5]), 1) W[21] = PW[21] W[22] = R((W[19] ^ W[14] ^ W[ 8] ^ W[ 6]), 1) W[22] = PW[22] ^ W0_3 W[23] = R((W[20] ^ W[15] ^ W[ 9] ^ W[ 7]), 1) W[23] = PW[23] W[24] = R((W[21] ^ W[16] ^ W[10] ^ W[ 8]), 1) W[24] = PW[24] ^ W0_2 W[25] = R((W[22] ^ W[17] ^ W[11] ^ W[ 9]), 1) W[25] = PW[25] ^ W0_4 W[26] = R((W[23] ^ W[18] ^ W[12] ^ W[10]), 1) W[26] = PW[26] W[27] = R((W[24] ^ W[19] ^ W[13] ^ W[11]), 1) W[27] = PW[27] W[28] = R((W[25] ^ W[20] ^ W[14] ^ W[12]), 1) W[28] = PW[28] ^ W0_5 W[29] = R((W[26] ^ W[21] ^ W[15] ^ W[13]), 1) W[29] = PW[29] W[30] = R((W[27] ^ W[22] ^ W[16] ^ W[14]), 1) W[30] = PW[30] ^ W0_4 ^ W0_2 Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 15. SHA1 instruction count; Unoptimized 15 Section Instruction count t Word-Expansion 256 16 – 79 SHA1 Step F1 140 0 – 19 SHA1 Step F2 160 20 – 39 SHA1 Step F3 160 40 – 59 SHA1 Step F4 160 60 – 79 Final Add 4 80 Total 880 Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 16. SHA1 instruction count; Known optimizations 16 Section Instruction count t Word-Expansion 240 16 – 75 SHA1 Step F1 140 0 – 19 SHA1 Step F2 160 20 – 39 SHA1 Step F3 160 40 – 59 SHA1 Step F4 128 60 – 75 Total 828 Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 17. SHA1 instruction count; Exploiting SHA1‘s XOR weakness 17 Section Instruction count t Word-Expansion 106 16 – 75 SHA1 Step F1 140 0 – 19 SHA1 Step F2 160 20 – 39 SHA1 Step F3 160 40 – 59 SHA1 Step F4 128 60 – 75 Total 694 Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 18. Final comparision 18 Section Instruction count Optimization Unoptimized 880 0% - Known optimizations 828 5.1 % - This weakness, exploited 694 21.1 % Je ns Steube - Ex ploiting a SHA1 we akness in password cra cking 4. De c 2012
  • 19. Files for download 19 Download here: https://hashcat.net/p12/  This presentation  XORzero generator Perl script  Full code results from slides
  • 20. Questions? 20 Feel free to contact me!  via Twitter: @hashcat  via Hashcat Forum: https://hashcat.net/forum/  via IRC: Freenode #hashcat  via Email: atom at hashcat.net